VMware Horizon Community
Mach1_70
Contributor
Contributor
‎05-27-2020 11:16 AM

User getting 'Account locked out' message

I have a user that is receiving an 'Account locked out' message when connecting to her Horizon desktop. Her account is AD is not locked and she is able to login to other services (VPN, Portal, etc) using her AD account without issue.

She is only gets this error in the Horizon client (see attached pic).

I've looked through the documentation and knowledge base and only found one page that references adjusting the Kerberous settings on the Connection Server using ADSI Edit. However those steps are listed for VMware View Manager 4.0.x, so I'm not sure it applies here.

Has any one else seen this 'Account locked out' error?

Preview file
68 KB
0 Kudos
4 Replies
Shreyskar
VMware Employee
VMware Employee
‎05-27-2020 08:22 PM

Hi Mach1_70

> Take a snapshot of connection servers and take a backup of ADAM database:

C:\Program Files\VMware\VMware View\Server\tools\bin\vdmexport.exe > vdmbackup.ldf

> Connect to View ADAM database as per VMware Knowledge Base

> Expand the tree items in the left pane and locate the entry OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int.

  1. In the right pane, double-click the entry CN=Common.

  2. Double-click the attribute pae-AllowKerberosRealmAuth.

  3. In the attribute editor dialog box, set the pae-AllowKerberosRealmAuth attribute to 0 to disable Kerberos realm authentication

  4. Click OK to save changes to the attribute value.

  5. Click OK or Apply to save changes to the entry.

> Check now if issue is resolved.

adamabel
Enthusiast
Enthusiast
‎02-03-2023 01:27 PM

Time to resurrent this thread.  I know there is a 30 minute lockout period for 5? failed logins.  How do we configure this amount of failed logins, the lock out time, and how do we manually override it? I've found no documentation on this subject. 

sestey8732
VMware Employee
VMware Employee
‎07-30-2023 12:50 PM

Any update on this on how we can re-configure the lockout timeouts or is there a new resolution process?

 

 

0 Kudos
adamabel
Enthusiast
Enthusiast
‎08-15-2023 02:04 PM

So since Horizon uses an ADAM database which is tied to AD you just need to modify your AD rules it turns out.  This isn't really spelled out but we figured this out while reading some of the suggestions in the forums. 

There is no way to unlock a user from the horizon GUI despite the ability to add support users to basically just administrate user sessions issues.  If you could please raise that up the flag poll, the ability to manage user sessions is really lacking in the horizon UI. 

So what we did is built a webhook into teams to alert us when a user was locked out as reported by AD not horizon and we unlock the users AD account.  Ultimately we'll be building a tool to allow Jr admins to unlock accounts but again outside Horizon. 

0 Kudos