Windows NT account lockout with SQL Server CE Replication and invalid password (313153)



The information in this article applies to:

  • Microsoft SQL Server 2000 Windows CE Edition
  • Microsoft SQL Server 2000 Windows CE Edition 1.1

This article was previously published under Q313153

SYMPTOMS

If you use an application based on Microsoft SQL Server 2000 Windows CE Edition (SQL Server CE) Replication or Remote Data Access (RDA) and you supply an invalid password to Microsoft Internet Information Server (IIS) servers that are set to use Basic or Integrated Windows authentication, you may receive an error message similar to the following:
401.1 Unauthorized: Logon Failed after three logon attempts

CAUSE

If you use Basic or Integrated Windows authentication on IIS and the domain administrator sets the lockout threshold for failed login attempts to less than 30, a wrong password or userid causes a lockout, because the SQL Server CE or RDA object retries authentication at least 30 times. The account is locked out before the user is aware of the problem.

RESOLUTION

This behavior is by design. The retries take place in case there are multiple proxy servers.

WORKAROUND

There is no workaround for this behavior. If an account is locked out, only the domain administrator can unlock the account.

STATUS

A design change request has been filed for the next major version of SQL Server CE. Microsoft is researching this problem and will post more information in this article when the information becomes available.

MORE INFORMATION

Steps to Reproduce Behavior

  1. Have the domain administrator create a policy that revokes account privileges after five (5) failed login attempts (any number less than 30 behaves the same).
  2. For the virtual directory that was set up for your SQL Server CE replication or RDA application according to SQL Server CE Books Online, set the authentication method for directory security to Basic authentication.
  3. Create a SQL Server CE application to use the InternetLogin and InternetPassword properties.
  4. Fill in the InternetLogin with a valid userid and InternetPassword with an invalid password.
  5. Attempt the initial synchronization. After 5 minutes the process fails. If you then try to log in to the domain by using the proper userid and password combination, you will find that the account is locked out.
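
The following is an added example, not part of the original article or any Microsoft tool: a Python check that scans IIS W3C logs for the retry burst described under CAUSE and reports accounts whose failed logons reach the lockout threshold. The field order, the `/sqlce/agent.dll` path, the user names and the addresses are constructed; the code assumes IIS logs the submitted user name on 401 responses, and `window` stands in for the domain's lockout counter reset interval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed W3C-style log: one sync with a bad password (30 retries)."""
    t0 = datetime(2005, 9, 20, 10, 0, 0)
    rows = ["#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status"]
    for i in range(30):
        ts = t0 + timedelta(seconds=10 * i)
        rows.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.7 EXAMPLE\\jdoe POST /sqlce/agent.dll 401")
    # A second user who mistypes once and then succeeds (also constructed).
    rows.append("2005-09-20 10:01:00 10.0.0.9 EXAMPLE\\asmith POST /sqlce/agent.dll 401")
    rows.append("2005-09-20 10:01:05 10.0.0.9 EXAMPLE\\asmith POST /sqlce/agent.dll 200")
    return "\n".join(rows)

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def lockout_risks(text, threshold=5, window=timedelta(minutes=30)):
    """Map (user, client ip) to the largest number of 401s inside `window`,
    for every pair whose count reaches the lockout threshold."""
    failures = defaultdict(list)
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-")
        if rec.get("sc-status") == "401" and user != "-":
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            failures[(user.lower(), rec["c-ip"])].append(ts)
    risks = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            risks[key] = best
    return risks

if __name__ == "__main__":
    for (user, ip), count in lockout_risks(build_sample()).items():
        print(f"{user} from {ip}: {count} failed logons, lockout threshold reached")
```

Run against the virtual directory's logs with `threshold` set to the domain's lockout value, a single bad-password synchronization shows up as one account with about 30 failures from one device.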

Modification Type: Minor
Last Reviewed: 9/20/2005
Keywords:kbbug kbnofix KB313153