I’m guessing plenty of people out in the world of the internet use Microsoft Forefront Threat Management Gateway (TMG) 2010 with Service Pack 2 to do clever things like proxy traffic to their Exchange servers or/and their Lync servers!
Well just like them I do the same wizardry including proxying Active Sync traffic from mobile phones & ipads to our Exchange server. Happy days, well not really.. we kept getting users (normally directors or shouty people) changing their AD passwords but forgetting to change their passwords on their mobile phones or ipads leading to the inevitable account lockout…leading to me say to the user
“Have you changed your password recently? Yes, did you say…have you also changed it on all your mobile products, I bet you havnt!?”
So after the 500th time of this happening I decided there must be a way for TMG to block the connection if the user doesnt change his/her password….so I turned to google and found this excellent solution on configuring account lockouts on the TMG itself! Thanks Jan Egil Ring
If you don’t want to read the excellent blog link I posted above then here’s the powershell commands to implement on your TMG server for youself:
First RDP to your TMG Server,
Open PowerShell command prompt,
Type:
$FPC = New-Object -ComObject FPC.root
Enter
$array = $FPC.GetContainingArray()
Enter
Now you need to edit YOUR TMG listener
$listener = $array.RuleElements.WebListeners | Where-Object {$_.Name -eq "WHAT EVER YOUR LISTENER IS CALLED"}
Enter
Now lets see what you have configured
$listener.properties
Enter
You should see something like the below, notice the bottom three lines:
Now lets change those bottom three lines to something more useable like 600 seconds lockout time, 3 wrong password attempts (best to be less than your normal AD lockout attempts) and enable the bugger:
$listener.Properties.AccountLockoutResetTime = 600 $listener.Properties.AccountLockoutThreshold = 3 $listener.Properties.EnableAccountLockout = $true
Enter
Finally lets save it
$listener.Save()
Enter
Now last of all lets check if the settings have saved with the line we used earlier:
$listener.properties
Enter and should look like this:
Lovely!!! Now test it by jamming your password into your phone incorrectly 3 times and check if your account is locked out in AD or just on the TMG!!
Done
After deleting the petsnarrhip relationship with your ActiveSync device, you can try 2 things. Go to the settings of your account on your device and retype your password, save it, start the sync process. If this still doesn’t solve the issue, try to remove the account from your device and re-add it.