Summary: User accounts are locked out in Active Directory (AD) after performing searches for secure content.
Cause: Generally this happens when searching over content indexed by the File Systems Connector. Account lockout can occur in situations where there are several intersecting requirements:
- The SMB/CIFS filesystem is a Windows fileserver, or otherwise tied to an Active Directory account authentication.
- The File System connector is not attaching ACLs to URLs it adds to the index.
- The authentication environment uses a silent authentication mechanism such as cookie-based auth or Kerberos.
By default, the File System connector sends ACLs along with the URL's content to the search appliance for indexing. When the search appliance does not get ACLs for URLs, either intentionally or due to misconfiguration on the File System connector, the search appliance will authorize URLs by impersonating the search user instead of by ACL. If the search appliance uses silent authentication, the search appliance cannot fully impersonate the user, since the appliance has a username but no password. These authorization attempts will fail Active Directory authentication, which can eventually cause the Active Directory environment to lockout the user depending on the Active Directory password policies.
Troubleshooting Steps: Review the security manager log Search > Secure Search > Universal Login > SecMgr Logs (7.2) to see if the connector is issuing DENY statuses for these URLs.
Fix: Add a policy ACL entry in the Admin Console page Serving > Secure Search > Policy ACLs to deny any URLs coming from the connector. This will prevent the search appliance from trying to use impersonation to authorize the user in the case where there are no ACLs sent. Note that this will only happen if ACLs are not present. If the ACLs are present, they will take precedence over the policy ACLs.