SYMPTOMS
When a user connects to a Web site that is configured to use Microsoft
Personalization and Membership Server, he or she is prompted for a user
name and password. If the specified user name is not found in the
Lightweight Directory Access Protocol (LDAP) database, the LDAP log
reports an error code of 32. LDAP RFC 1777 defines this result code as "no
such object." The following is an example of such an LDAP log entry:
xxx.xx.xxx.xxx , cn=MBSBRKR2_SERVER1,ou=members,o=test, 9/28/98, 11:21:05, LDAPSVC2, SERVER1, -, 6713133, 1471, 24886, 32, 0, SEARCH, CN=kjhbe,ou=members,o=test, NULL,
However, if a valid user name is specified with an invalid password, the
LDAP log shows a result code of 0, which means success: the LDAP search for
the user object succeeded, so the bad password is not visible in the LDAP
log. Below is an example of such an LDAP log entry:
xxx.xx.xxx.xxx , cn=MBSBRKR2_SERVER1,ou=members,o=test, 9/28/98, 11:26:46, LDAPSVC2, SERVER1, -, 7054063, 1557, 24901, 0, 0, SEARCH, CN=administrator,ou=members,o=test, NULL,
WORKAROUND
If the password is invalid, a counter is incremented that causes the
account to be blacked out after 25 incorrect password attempts within
three minutes. To change the AuthAccountDenyTimeout and
AuthAccountDenyThreshold settings, see the following article in the
Microsoft Knowledge Base:
ARTICLE-ID: 194783
TITLE: PMAdmin Fails to Set AuthAccountDenyThreshold or Timeout
All accounts that are blacked out are logged in the Windows NT Event log.
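The following Python script is an added example, not part of this article or of Personalization and Membership Server. It parses the two LDAP log entries shown under SYMPTOMS, classifies what the LDAP log alone reveals about a failed logon, and models the AuthAccountDenyThreshold/AuthAccountDenyTimeout counter described under WORKAROUND. The field positions are read off the two sample entries, the sliding-window behaviour of the counter is an assumption, and the log lines are constructed copies of the ones above.

```python
"""Parse PMS-style LDAP log entries and model the account-denial counter."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LDAP_SUCCESS = 0          # RFC 1777: success
LDAP_NO_SUCH_OBJECT = 32  # RFC 1777: no such object

# Constructed sample: the two entries from the article, IPs masked as there.
SAMPLE_LOG = """\
xxx.xx.xxx.xxx , cn=MBSBRKR2_SERVER1,ou=members,o=test, 9/28/98, 11:21:05, LDAPSVC2, SERVER1, -, 6713133, 1471, 24886, 32, 0, SEARCH, CN=kjhbe,ou=members,o=test, NULL,
xxx.xx.xxx.xxx , cn=MBSBRKR2_SERVER1,ou=members,o=test, 9/28/98, 11:26:46, LDAPSVC2, SERVER1, -, 7054063, 1557, 24901, 0, 0, SEARCH, CN=administrator,ou=members,o=test, NULL,
"""


def parse_entry(line):
    """Split one entry on ', '. DN components use bare commas, so they survive.
    Field positions are an assumption read off the two entries in the article."""
    fields = [f.strip() for f in line.rstrip(",\n").split(", ")]
    return {"date": fields[2], "time": fields[3], "result": int(fields[10]),
            "operation": fields[12], "target": fields[13]}


def classify(entry):
    """What the LDAP log alone can tell you about a failed logon."""
    if entry["result"] == LDAP_NO_SUCH_OBJECT:
        return "unknown user"
    if entry["result"] == LDAP_SUCCESS:
        return "user exists; password outcome not visible in LDAP log"
    return "other LDAP error %d" % entry["result"]


class DenyCounter:
    """Model of AuthAccountDenyThreshold / AuthAccountDenyTimeout (assumed to be
    a sliding window): an account is blacked out once `threshold` bad
    passwords fall within `timeout`. Defaults are the article's 25 in 3 min."""

    def __init__(self, threshold=25, timeout=timedelta(minutes=3)):
        self.threshold, self.timeout = threshold, timeout
        self.failures = defaultdict(deque)  # account -> timestamps of failures

    def bad_password(self, account, when):
        """Record a failure; return True when the account becomes blacked out."""
        q = self.failures[account]
        q.append(when)
        while q and when - q[0] > self.timeout:  # drop failures outside window
            q.popleft()
        return len(q) >= self.threshold
```

Because a wrong password for an existing user logs as result 0, password-guessing is not visible in the LDAP log; the blackout entries in the Windows NT Event log are the signal to monitor.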