When a user changes his account password for whatever reason (read: expired) and the old password is stored on his mobile device connected through EAS, this will cause his account to lock out almost immediately - as it should, according to the lockout policy defined in AD. It was easy to figure out that part. The hard part is keeping it from happening. I looked everywhere. Nothing. Basically there are four parts to the puzzle: the EAS device, the TMG (ISA) server, the EAS protocol and finally AD. None of them have a way to stop the EAS device from failing to authenticate. So I figured I'll have to come up with a clever workaround. And the only things I could come up with are to create a group for all EAS users and exclude them from the lockout policy, which obviously defeats the whole purpose of the policy, or to educate the users to update their devices with the new passwords, which is impossible.
The question: Can you think of any other way to prevent EAS from locking out the accounts?
Environment: Mostly iOS devices all through EAS. TMG 2010. Exchange 2007. AD 2008 R2.
Normally what we tell users is to put the device in "flight" or "airplane" mode, cutting off network access, when they are ready to change their password. Once they change the password on the desktop/laptop, they can enter the new password on the device and connect back to the network.
Of course we also send the expiry notification so that they are well prepared for the password expiry.
TMG SP2 now has the Account Lockout feature to prevent this issue. See: Here, here and here.
I've been challenged by this question as well. As a serious option I'm considering certificate based ActiveSync authentication. Together with the EAS policy to demand a password code for unlocking the mobile device this should count as two-factor authentication (something you have: certificate on your mobile device, something you know: password code for your mobile device). This way there is no issue when the password expires. Hope this helps. http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync.aspx
It's up to the device to tell the user that authentication failed. I think a better answer is to use something like Good Messaging for Enterprise on the iOS devices, which I believe provides enterprise EAS support.
This is a good question. Unfortunately, I haven't come across a way for preventing the device from trying to authenticate until the password has been updated. The only thing you can do is exclude the user from the password policy or document how to change the password on their device and remind them every time their password expires and they need their account unlocked.
You could also use a script or a program to email people that their passwords are going to expire in x number of days and include a reminder that they need to change the password on their phone.
I was expecting to have this issue at my current employer since I implemented a password policy in November, but so far, my mobile users seem savvy enough to change their passwords without being reminded.
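The expiry-notification script suggested in the answer above, as an added example that is not part of the original thread. It reads the constructed attribute `msDS-UserPasswordExpiryTimeComputed` (available on 2008 or later domain controllers, and already aware of fine-grained password policies) and mails everyone whose password expires within the threshold, including the airplane-mode reminder for their phone. The SMTP relay, sender address and the 7-day threshold are placeholders; the ActiveDirectory module from RSAT is assumed to be installed on the host that runs it.

```powershell
# Added example, not code from the original thread.
# Warn users whose AD password expires within $WarnDays and remind them to
# update the password stored on their ActiveSync device as well.
# Assumes: RSAT ActiveDirectory module, AD 2008 or later DCs, an SMTP relay.
Import-Module ActiveDirectory

$WarnDays   = 7                        # assumption: how early to warn
$SmtpServer = 'smtp.example.com'       # assumption: internal relay
$From       = 'helpdesk@example.com'   # assumption: sender address
$Now        = Get-Date

# msDS-UserPasswordExpiryTimeComputed is computed by the DC from the policy
# (default or PSO) that actually applies to the user, so it is preferable to
# adding MaxPasswordAge to PasswordLastSet by hand.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties DisplayName, mail, 'msDS-UserPasswordExpiryTimeComputed'

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    # 0 or 0x7FFFFFFFFFFFFFFF means the password does not expire (for example a
    # PSO that disables expiry); skip those and users with no mail address.
    if (-not $raw -or $raw -eq 0x7FFFFFFFFFFFFFFF -or -not $u.mail) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [int][Math]::Ceiling(($expires - $Now).TotalDays)

    # Only warn inside the window; already-expired accounts get no mail here.
    if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { continue }

    $subject = "Your password expires in $daysLeft day(s)"
    $body = @"
Hello $($u.DisplayName),

Your network password expires on $($expires.ToString('yyyy-MM-dd HH:mm')).

Before changing it, put your phone or tablet in airplane mode. Change the
password on your PC, then enter the new password in the mail account settings
on the device and turn airplane mode off. A device that keeps retrying with the
old password will lock your account within minutes.
"@

    Send-MailMessage -To $u.mail -From $From -Subject $subject -Body $body -SmtpServer $SmtpServer
}
```

Run it once a day from a scheduled task under an account that can read user objects and relay mail. Because the expiry time comes from the DC rather than from a local calculation, users covered by a fine-grained password policy get the correct date without any extra handling.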
You may want to test how the device(s) authentication attempts behave when not using the "Always Up To Date" functionality. If a device is configured to poll every five minutes instead of using Always Up To Date, and that does not incur the rate of authentication failures that triggers account lockout, this may be a viable workaround.
This seems to be a device problem, with the iPhone retrying too often using the old (now incorrect) password. Apple posted a technote on this problem promising a better experience with devices on iOS 7: http://support.apple.com/kb/TS4583
Block the originating IP address on the firewall in front of the Exchange server.
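Before blocking an address or blaming a device, it helps to know which user, device and client IP are actually producing the failed ActiveSync logons. The following is an added example, not code from the original thread: it parses the IIS W3C log of the Client Access Server (where every ActiveSync request is logged with `User=`, `DeviceId=` and `DeviceType=` in the query string), keeps the 401 responses to `/Microsoft-Server-ActiveSync`, and reports any user/device/IP combination with enough failures inside one observation window to trip the lockout counter. The log lines are constructed for this example, and the threshold and window are assumptions; in practice take them from `Get-ADDefaultDomainPasswordPolicy`.

```powershell
# Added example, not code from the original thread.
# Attribute ActiveSync authentication failures (HTTP 401) to user, device and
# client IP from an IIS W3C log, and flag combinations that would lock out
# the account under the given threshold and observation window.
$LockoutThreshold = 5     # assumption: LockoutThreshold from the domain policy
$WindowMinutes    = 30    # assumption: LockoutObservationWindow from the policy

# Constructed sample log: jdoe's iPhone still holds the old password and keeps
# retrying; asmith's device authenticates fine.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-03-04 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE00001&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.20 Apple-iPhone4C1/1002.329 401 2 5
2013-03-04 08:00:31 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE00001&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.20 Apple-iPhone4C1/1002.329 401 2 5
2013-03-04 08:01:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE00001&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.20 Apple-iPhone4C1/1002.329 401 2 5
2013-03-04 08:01:33 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE00001&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.20 Apple-iPhone4C1/1002.329 401 2 5
2013-03-04 08:02:04 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE00001&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.20 Apple-iPhone4C1/1002.329 401 2 5
2013-03-04 08:02:35 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE00001&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.20 Apple-iPhone4C1/1002.329 401 2 5
2013-03-04 08:03:10 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=asmith&DeviceId=ApplEXAMPLE00002&DeviceType=iPhone&Cmd=Sync 443 CORP\asmith 203.0.113.7 Apple-iPhone4C1/1002.329 200 0 0
'@

# Turn W3C log lines into objects using the #Fields header for column names.
function ConvertFrom-IisW3CLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

# Report user/device/IP combinations with $Threshold 401s inside $WindowMinutes.
function Get-EasLockoutSuspects {
    param([object[]]$Entries, [int]$Threshold, [int]$WindowMinutes)

    $failures = $Entries |
        Where-Object { $_.'cs-uri-stem' -like '*Microsoft-Server-ActiveSync*' -and $_.'sc-status' -eq '401' } |
        ForEach-Object {
            $q = @{}
            foreach ($pair in ($_.'cs-uri-query' -split '&')) { $k, $v = $pair -split '=', 2; $q[$k] = $v }
            New-Object PSObject -Property @{
                Time       = [DateTime]::ParseExact("$($_.date) $($_.time)", 'yyyy-MM-dd HH:mm:ss', $null)
                User       = $q['User']
                DeviceId   = $q['DeviceId']
                DeviceType = $q['DeviceType']
                ClientIp   = $_.'c-ip'
            }
        }

    $failures | Group-Object User, DeviceId, ClientIp | ForEach-Object {
        $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
        # Any run of $Threshold failures within one window trips the counter.
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                $first = $_.Group[0]
                New-Object PSObject -Property @{
                    User = $first.User; DeviceType = $first.DeviceType; DeviceId = $first.DeviceId
                    ClientIp = $first.ClientIp; Failures = $times.Count
                    FirstFailure = $times[0]; LastFailure = $times[-1]
                }
                break
            }
        }
    }
}

$entries = ConvertFrom-IisW3CLog -Lines ($sampleLog -split "`r?`n")
Get-EasLockoutSuspects -Entries $entries -Threshold $LockoutThreshold -WindowMinutes $WindowMinutes |
    Format-Table User, DeviceType, DeviceId, ClientIp, Failures, FirstFailure, LastFailure -AutoSize
```

Against a real server, replace `$sampleLog` with `Get-Content` of the day's log under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1` on IIS 7). With TMG in front of the CAS, `c-ip` is the TMG address unless the publishing rule is set so that requests appear to come from the original client, so the `DeviceId` is the more dependable key for identifying the offending device, and the user can be told exactly which phone to fix before the account is unlocked again.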