Issue with ActiveDirectoryMembershipProvider and account lock policy

Recently I was working on an issue with the ActiveDirectoryMembershipProvider of ASP.NET 2.0 and came across an interesting finding which I thought of sharing.

The scenario I had was a little tricky. One of my customers was using ActiveDirectoryMembershipProvider along with the maxInvalidPasswordAttempts setting to lock the Active Directory user after 4 invalid attempts.

(Note: as the documentation for maxInvalidPasswordAttempts states, this property does not control the number of failed logon attempts a user can make before being locked out. The Active Directory server handles failed logon attempts and is not affected by the value of this property.)

In the Active Directory configuration for the account lockout policy we had “Account lockout threshold” set to 4. So we set the value of maxInvalidPasswordAttempts to 4 to be in sync with the Active Directory configuration. But interestingly, when we tried it, the user’s account got locked after just 2 invalid attempts. That means if we set the “Account lockout threshold” to X, then while using ActiveDirectoryMembershipProvider in an ASP.NET 2.0 application, the account will get locked after just X/2 attempts.

I have confirmed that this behavior is by design. The reason is that internally ActiveDirectoryMembershipProvider uses the IADsOpenDSObject::OpenDSObject method or the ADsOpenObject function. This function validates the user via Kerberos first and, if that fails, retries with NTLM, so a single invalid password attempt increments badPwdCount by 2.

So if one wants to use ActiveDirectoryMembershipProvider with an account lockout policy in place, the “Account lockout threshold” has to be set to double the number of invalid attempts actually required.
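The following PowerShell script is an added example and is not part of the original post: it reads the domain’s lockout threshold, reads maxInvalidPasswordAttempts from the application’s web.config, and reports how many wrong passwords actually lock an account when each attempt is counted twice, warning when the two settings are out of sync. The web.config path, the name $WebConfigPath and the helper function names are assumptions; the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added diagnostic (not from the original post): compares the AD lockout
# threshold with the provider's maxInvalidPasswordAttempts and reports how
# many wrong-password attempts actually lock an account when each attempt
# is counted twice (Kerberos, then NTLM fallback).
# Assumptions: the ActiveDirectory module is available and $WebConfigPath
# points at the application's web.config (path below is a placeholder).
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\MyApp\web.config'  # assumed path
)

Import-Module ActiveDirectory

# badPwdCount increments per invalid password when the provider falls back
# from Kerberos to NTLM (the behaviour described in the post).
$IncrementsPerAttempt = 2

function Get-ProviderMaxInvalidAttempts {
    param([string]$Path)
    [xml]$config = Get-Content -Path $Path -Raw
    $providers = $config.configuration.'system.web'.membership.providers.add
    $adProvider = $providers | Where-Object {
        $_.type -like 'System.Web.Security.ActiveDirectoryMembershipProvider*'
    } | Select-Object -First 1
    if (-not $adProvider) {
        throw "No ActiveDirectoryMembershipProvider entry found in $Path"
    }
    # The documented default is 5 when the attribute is omitted.
    if ($adProvider.maxInvalidPasswordAttempts) {
        return [int]$adProvider.maxInvalidPasswordAttempts
    }
    return 5
}

function Get-EffectiveLockoutAttempts {
    param([int]$LockoutThreshold, [int]$PerAttempt = $IncrementsPerAttempt)
    # A threshold of 0 means account lockout is disabled in AD.
    if ($LockoutThreshold -le 0) { return 0 }
    # badPwdCount reaches the threshold once ceil(threshold / PerAttempt)
    # wrong passwords have been tried (threshold 4 -> 2 attempts, as in the post).
    return [int][math]::Ceiling($LockoutThreshold / $PerAttempt)
}

$policy        = Get-ADDefaultDomainPasswordPolicy
$adThreshold   = [int]$policy.LockoutThreshold
$providerLimit = Get-ProviderMaxInvalidAttempts -Path $WebConfigPath
$effective     = Get-EffectiveLockoutAttempts -LockoutThreshold $adThreshold

Write-Host "AD 'Account lockout threshold'      : $adThreshold"
Write-Host "Provider maxInvalidPasswordAttempts : $providerLimit"
Write-Host "Wrong passwords before AD lockout   : $effective"

if ($adThreshold -gt 0 -and $effective -lt $providerLimit) {
    $needed = $providerLimit * $IncrementsPerAttempt
    Write-Warning ("Accounts lock after $effective attempts, not $providerLimit. " +
                   "Set the AD lockout threshold to $needed to allow $providerLimit attempts.")
}
```

Run it on a machine joined to the domain with rights to read the default domain password policy. The script only reads configuration; it never performs a logon attempt. Note that badPwdCount is maintained per domain controller and is not replicated, so if you verify the behaviour manually with a test account, check the value on the DC that handled the authentication.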

I hope this helps!