Occasionally, users may find their Active Directory (AD) accounts locked, even if they're using standard username/password authentication in SmarterMail. We've isolated a few instances where these AD locks can occur:
- The user has an active MAPI profile open.
- The user has an Active Directory username and password that locks after X number of failed logins. (This is rectified by waiting 5 minutes, then logging in with the correct username/password combination or resetting your login via Active Directory.)
- The user has a SmarterMail login (using SmarterMail Authentication) that matches an Active Directory username, but uses a separate password.
- The user is connecting to SmarterMail via Microsoft Outlook for Windows, but their computer is attached to a domain.
The simplest and most effective solution for each of these issues is to switch the mailbox authentication method to Active Directory. That way, the user logs in using their existing AD credentials, ensuring there are no issues with conflicting users or passwords. In addition, resolving lockouts is a simple matter of removing the lock in AD or changing the user's credentials in AD.
The hypothesis for why these issues happen is as follows: There's an issue in Microsoft Outlook, or Windows in general, that sees the user is connected to a domain on their computer, so NTLM is used to authenticate that user. It then assumes that Kerberos authentication can be used with the SmarterMail username and password. This is problematic because the username may match their AD username, but the passwords don't match. This causes an authentication failure and leads to the user being locked out of AD.
So, simply changing users over to AD authentication ensures that the username and password used to log in to SmarterMail match what the client/computer sees in Active Directory. This eliminates mismatches and will alleviate AD locks.
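
To find the mailboxes exposed to the username collision described above before switching them to AD authentication, the following PowerShell sketch joins a mailbox list against AD account records. It is an added example, not SmarterTools code; the mailbox fields `Username` and `AuthMode` and all sample records are constructed assumptions.

```powershell
# Added example. Sample data is constructed; the mailbox fields Username and
# AuthMode are hypothetical names for whatever your mailbox export provides.
function Find-LockoutRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Mailbox,  # Username, AuthMode
        [Parameter(Mandatory)] [object[]] $AdUser    # SamAccountName, LockedOut, ...
    )
    # Index AD accounts by name. PowerShell hashtable keys compare
    # case-insensitively, as AD logon names do.
    $bySam = @{}
    foreach ($u in $AdUser) { $bySam[$u.SamAccountName] = $u }

    foreach ($m in $Mailbox) {
        # Assumption: the mailbox login is user@domain and the part before
        # the @ is what can collide with the AD username.
        $local = ($m.Username -split '@')[0]
        $ad = $bySam[$local]
        if ($null -eq $ad) { continue }                      # no AD account of that name
        if ($m.AuthMode -eq 'ActiveDirectory') { continue }  # already uses AD credentials
        [pscustomobject]@{
            Mailbox                = $m.Username
            AdAccount              = $ad.SamAccountName
            LockedOut              = [bool]$ad.LockedOut
            BadLogonCount          = $ad.BadLogonCount
            LastBadPasswordAttempt = $ad.LastBadPasswordAttempt
        }
    }
}

# Constructed mailbox list.
$mailboxes = @(
    [pscustomobject]@{ Username = 'jsmith@example.com'; AuthMode = 'SmarterMail' }
    [pscustomobject]@{ Username = 'mlee@example.com';   AuthMode = 'ActiveDirectory' }
    [pscustomobject]@{ Username = 'sales@example.com';  AuthMode = 'SmarterMail' }
)
# Constructed AD records. Live equivalent (ActiveDirectory module):
#   Get-ADUser -Filter * -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt
$adUsers = @(
    [pscustomobject]@{ SamAccountName = 'JSmith'; LockedOut = $true;  BadLogonCount = 5
                       LastBadPasswordAttempt = [datetime]'2024-01-15T09:12:00' }
    [pscustomobject]@{ SamAccountName = 'mlee';   LockedOut = $false; BadLogonCount = 0
                       LastBadPasswordAttempt = $null }
)

Find-LockoutRisk -Mailbox $mailboxes -AdUser $adUsers | Format-Table -AutoSize
```

With live data, note that `BadLogonCount` and `LastBadPasswordAttempt` are not replicated between domain controllers, so query the one that handles the user's logons.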