User’s Domain accounts locked due to failed login attempts
When your MyWorkDrive server permits login with a traditional username and password (not SSO), user logins to MyWorkDrive are login events on Active Directory.
Failed login attempts to MyWorkDrive will count as “attempts” in Active Directory towards an Account Lockout Policy, and may, in some scenarios, cause an account lockout with a low number of login attempts.
MyWorkDrive’s simplified user login assembles candidate usernames from the domain and UPN suffixes in Active Directory and tries each one until it succeeds, so a single login event may produce multiple attempts (depending on what the user enters initially).
For example, if the user logs in with “Scott”, MyWorkDrive will try
That is four failed attempts for one login attempt. If the Account Lockout Policy were set to 3, the user would already be locked out.
There are several ways to improve the user experience and mitigate potential lockouts.
- Require Email username for login. In that case, there will only be two login attempts recorded (once to check the account status and once to attempt the login). This is a setting on the Settings page of MyWorkDrive administration.
- Train your users to log in specifying a domain, such as domain\user, which will also result in only two login attempts per login.
- Deploy an SSO, where the attempts are moved to the SSO (which typically also requires an email address, cutting out the multiple attempts). We have simplified setup for ADFS, AzureAD, OneLogin and Okta, and have configuration files which permit you to manually set up any SAML SSO.
- Set an Account Lockout Policy which permits multiple login attempts without creating a lockout. 10 is a reasonable number for a domain without multiple UPNs where the user can make 2-3 attempts without locking themselves out.
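
To check whether lockouts in your domain actually come from MyWorkDrive logins, the following PowerShell (an added example, not MyWorkDrive's own tooling) reads the current Account Lockout Policy and lists the accounts locked out in the last 24 hours whose lockout was triggered from the MyWorkDrive server. The server name `MWD-SERVER01` is a placeholder; the script assumes the ActiveDirectory module is installed and that you can read the Security log on the PDC emulator.

```powershell
# Added example, not MyWorkDrive code. Requires the ActiveDirectory module (RSAT)
# and rights to read the Security log on the PDC emulator.
Import-Module ActiveDirectory

# Assumption: placeholder host name; replace with your MyWorkDrive server.
$MwdServer = 'MWD-SERVER01'
$Since     = (Get-Date).AddHours(-24)

# Current domain policy. A threshold of 0 means accounts are never locked out.
$policy = Get-ADDefaultDomainPasswordPolicy
'Lockout threshold: {0}; observation window: {1}; duration: {2}' -f `
    $policy.LockoutThreshold, $policy.LockoutObservationWindow, $policy.LockoutDuration

# Account lockouts are recorded on the PDC emulator as Security event 4740.
$pdc    = (Get-ADDomain).PDCEmulator
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Read named fields from the event XML rather than relying on positions.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $data['TargetUserName']
        # In event 4740 the TargetDomainName field holds the caller computer name.
        Caller = $data['TargetDomainName']
    }
}

# Keep only lockouts whose caller is the MyWorkDrive server; count them per user.
$lockouts |
    Where-Object { $_.Caller -like "$MwdServer*" } |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'LastLockout'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
```

Users covered by a fine-grained password policy may have a different threshold than the default domain policy shown here.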