We had an issue the today, and has been ongoing
over the past few weeks. When a user attaches to
the WI and authenticates with their domain
credentials, they immediately receive a message
indicating their account has been
"temporarily locked out". What's
interesting is when you look at the domain
account via dsa.msc, the users account is not
locked out. Here is what the event logs are
saying:
Web interface: 5.1.1
1.) open the iis logs on your web interface -
C:\WINDOWS\system32\LogFiles\W3SVC1
look for ex*** and the date which relates to
your issue (iis logs depending on the activity
will rotate once or twice a day).
2.) do a search for the clients ip address
3.) look for --> /Citrix/Metaframe/media/Error24.gif
4.) look for --> 2009-11-17 12:42:44 W3SVC1
clienIPAddress GET /Citrix/Metaframe/auth/login.aspx
CTX_MessageType=ERROR&CTX_MessageKey=InvalidCredentials
80 - clientIPAddress
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.1;+MS-RTC+LM+8;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022)
200 0 0
It turns out (in
our analysis) this specific issue had not been
going on for a long time. The user in this case
was having difficulty keying in their password
several times. I Definitely understand the
frustration one would experience, especially in
a multi domain scenario where its difficult to
sync up passwords on each domain due to password
complexity requirements.
1.) CTX_MessageType=ERROR&CTX_MessageKey=BlankUsername&InvalidUsername=True
2.)
CTX_MessageType=ERROR&CTX_MessageKey=AccountLockedOut
3.)
CTX_MessageType=ERROR&CTX_MessageKey=InvalidCredentials
Right now, lets call this little
case closed. If we get any more details or can
replicate, we can definitely investigate more.
From System Log (1):The
description for Event ID ( 2 ) in Source ( HECI
) cannot be found. Either the component that
raises this event is not installed on your local
computer, or the installation is corrupted. You
can install or repair the component on the local
computer, or contact the component manufacturer
for a newer version.
If the event was saved from another computer or
forwarded from a remote computer, you might have
to include display information with the events
when saving them or when setting up the
forwardings .
From System Log
(2):The description for Event ID ( 31 )
in Source ( e1express ) cannot be found. Either
the component that raises this event is not
installed on your local computer, or the
installation is corrupted. You can install or
repair the component on the local computer, or
contact the component manufacturer for a newer
version.
If the event was saved from another computer or
forwarded from a remote computer, you might have
to include display information with the events
when saving them or when setting up the
forwarding s , Intel(R) 82566DM-2 Gigabit
Network Connection.
From System Log(3):The
description for Event ID ( 10016 ) in Source (
DCOM ) cannot be found. Either the component
that raises this event is not installed on your
local computer, or the installation is
corrupted. You can install or repair the
component on the local computer, or contact the
component manufacturer for a newer version.
If the event was saved from another computer or
forwarded from a remote computer, you might have
to include display information with the events
when saving them or when setting up the
forwarding s application-specific, Local,
Launch, {135D7881-D666-4046-A1DF-7EC7B5785A67},
NT AUTHORITY, SYSTEM,
From Application
Log (1):Security policies were propagated
with warning. 0x4b8 : An extended error has
occurred.
For best results in resolving this event, log on
with a non-administrative account and search
http://support.microsoft.com for
"Troubleshooting Event 1202's".
