Overview
Account lockouts are used to limit the potential for brute-force password cracking against our directory services. After a specific number of bad password attempts an account will be temporarily blocked from authentication.
The University of Idaho Single Sign-On (SSO) cloud authentication uses Microsoft's Entra ID "smart lockout" feature. After 10 failed sign-in attempts the account is locked out for one minute, and each subsequent failed attempt results in a longer lockout period. Microsoft does not disclose the exact rate at which the lockout period increases.
- 10 bad password attempts will lockout an account for 1 minute.
- Each subsequent bad password attempt results in an increasing lockout time period.
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout
The on-premises Microsoft Active Directory Domain Services (AD DS) bad password lockout settings are:
- 20 bad password attempts in 10 minutes will lockout an account for 10 minutes.
We typically recommend forgetting the wireless profile on all devices and then waiting 10 minutes for the account to automatically unlock. Our support teams can verify your account is in a lockout state and remove the lock earlier if necessary.
Support Teams
Note: Support teams can search for log entries with the Event Code "0xC0000234" to see if an account is locked out. It is also possible to search for "0xC000006A" and "0x18" for bad password attempts to find why the account may have been locked. If an account is locked, the lock can be removed by editing the account in Toolbox and selecting the "unlock" option.
The on-premises Microsoft Active Directory Federation Services (AD FS) "soft lockout" is slightly more restrictive, to avoid denial of service from brute-force password checking against the SSO service. The AD FS soft lockout settings are:
- 15 bad password attempts in 10 minutes will lockout an account for 10 minutes.
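As an added example (not part of the original article or of any University of Idaho tooling), the following Python script applies the detection advice above to constructed sample log records: it counts the bad-password codes per account inside the AD DS 10-minute window, can be re-run with the AD FS threshold, and separately reports accounts for which the lockout code was logged. The "timestamp account code" line layout is an assumption; a real log export would need its own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Status/failure codes the article tells support teams to search for.
BAD_PASSWORD_CODES = {"0xC000006A", "0x18"}   # NTLM / Kerberos bad password
LOCKED_OUT_CODE = "0xC0000234"                 # account is locked out

# On-prem AD DS policy from the article: 20 bad attempts within 10 minutes.
# AD FS soft lockout uses 15 in 10 minutes; pass threshold=15 for that case.
AD_DS_THRESHOLD = 20
AD_DS_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one constructed 'ISO-timestamp account code' log line (assumed layout)."""
    ts, account, code = line.split()
    return datetime.fromisoformat(ts), account.lower(), code


def analyze(lines, threshold=AD_DS_THRESHOLD, window=AD_DS_WINDOW):
    """Return (at_risk, locked).

    at_risk: accounts that reached `threshold` bad-password events inside a
             sliding `window`, i.e. enough to trip the lockout policy.
    locked:  accounts for which the lockout status code was actually logged.
    """
    recent = defaultdict(deque)   # account -> timestamps of bad attempts in window
    at_risk, locked = set(), set()
    for ts, account, code in sorted(parse_line(line) for line in lines):
        if code == LOCKED_OUT_CODE:
            locked.add(account)
        elif code in BAD_PASSWORD_CODES:
            q = recent[account]
            q.append(ts)
            while ts - q[0] > window:     # drop attempts older than the window
                q.popleft()
            if len(q) >= threshold:
                at_risk.add(account)
    return at_risk, locked


# Constructed sample data: 'vandal' fails 20 times in 5 minutes and is then locked
# out; 'amy' fails once a minute for 20 minutes (never 20 inside one window);
# 'joe' fails 3 times. Account names are made up for the example.
_BASE = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE = [f"{(_BASE + timedelta(seconds=15 * i)).isoformat()} vandal 0xC000006A" for i in range(20)]
SAMPLE.append(f"{(_BASE + timedelta(minutes=5)).isoformat()} vandal {LOCKED_OUT_CODE}")
SAMPLE += [f"{(_BASE + timedelta(minutes=i)).isoformat()} amy 0x18" for i in range(20)]
SAMPLE += [f"{(_BASE + timedelta(minutes=i)).isoformat()} joe 0xC000006A" for i in range(3)]

if __name__ == "__main__":
    print(analyze(SAMPLE))   # -> ({'vandal'}, {'vandal'})
```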