Identity Management, Lockouts

This article gives a brief overview of some of our authentication systems and how account lockouts can occur. Authorized individuals can view additional information such as lockout thresholds on the internal version of this page.

Our Authentication Systems

An article covering our Single Sign-On pages can be found here.

  • Entra ID - authentication system used for many applications, including Microsoft 365 (Outlook, Teams, Word, etc.).
  • Shibboleth - federated authentication for many applications including Canvas, Zoom, and Box. Shibboleth sends users to Entra ID for authentication.
  • UofI Active Directory - on premises authentication, used when signing into university computers, wireless, printers, or mapped network drives.
  • Duo - our multi-factor authentication (MFA) system, provides additional security when logging into certain applications.
    • An overview of Duo can be found here.
  • SiteMinder - authentication system primarily used by AITS applications such as the NetID Center, Banner, or My UI Info. SiteMinder uses UofI Active Directory for authentication.

Lockouts

Accounts typically get locked out if there are repeated unsuccessful authentication attempts within a certain period of time.

Note: There is no propagation of lockout status between the different systems, so it is possible to be locked out in one system but not the others.

Entra ID Lockouts

Entra ID (including Shibboleth) uses Smart lockouts. An article covering Smart Lockouts can be found here (login required). Smart lockouts occur less often because it takes more than bad password attempts alone to trigger a lock.

Tool for checking Entra ID Lockouts

(Help Desk Full Time Staff) Splunk Login Activity Dashboard.

Active Directory (AD) Lockouts

AD lockouts occur after repeated unsuccessful login attempts. Most lockouts clear up on their own after several minutes, but repeated incorrect attempts can cause repeated lockouts. These often occur when a device tries to log into IllinoisNet Wi-Fi or a network file share with an old password saved in a password store. More information can be found here.

Tools for checking AD Lockouts

(IT Pros in the Help Desk Tools Access Program): Cerebro and AD Tools (both require a connection to the campus network).
(IT Pros) Active Directory attribute LockedOut = True or LDAP attribute lockoutTime > 0.
(Help Desk) Splunk Active Directory Lockouts and Activity Dashboard.
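
The attribute check above, as an added PowerShell example (not the university's own tooling): lockoutTime is only reset by a successful logon or an administrator unlock, so it can still be greater than 0 after the lockout has expired, and the script reports that case separately from the computed LockedOut value. The function name and the NetID 'jdoe' are placeholders, and the RSAT ActiveDirectory module and a campus network connection are assumed.

```powershell
# Added example, not university tooling. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdLockoutState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity `
        -Properties LockedOut, lockoutTime, LastBadPasswordAttempt

    # lockoutTime is a FILETIME (100 ns ticks since 1601-01-01 UTC).
    # 0 or unset means no lockout is recorded.
    $raw = 0
    if ($user.lockoutTime) { $raw = [int64]$user.lockoutTime }
    $lockedAt = $null
    if ($raw -gt 0) { $lockedAt = [DateTime]::FromFileTimeUtc($raw) }

    # Lockout duration: a fine-grained policy if one applies to the user,
    # otherwise the default domain policy.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($fgpp) { $duration = $fgpp.LockoutDuration }
    else       { $duration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration }

    # A zero duration means the account stays locked until an admin unlocks it.
    $expires = $null
    if (($null -ne $lockedAt) -and ($duration -gt [TimeSpan]::Zero)) {
        $expires = $lockedAt + $duration
    }

    [pscustomobject]@{
        SamAccountName         = $user.SamAccountName
        LockedOut              = $user.LockedOut          # computed by AD, honors duration
        LockoutTimeUtc         = $lockedAt
        AutoUnlockUtc          = $expires
        # True when lockoutTime > 0 but the lockout has already expired.
        StaleLockoutTime       = (($raw -gt 0) -and (-not $user.LockedOut))
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
    }
}

Get-AdLockoutState -Identity 'jdoe'   # 'jdoe' is a placeholder NetID
```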

Duo Lockouts

Consecutive failed authentication attempts can cause your Duo account to lock out. Additionally, our security team will be notified. If you see that your Duo account is locked out, please wait a while before trying again. If you need to update your devices on file, please see this help article. If you see that your Duo account has been locked out but you haven't been trying to log in recently, please reach out to the Help Desk.

Screenshot showing a Duo lockout screen. It advises that the Duo account has been disabled.

SiteMinder Lockouts

It is possible to get locked out after repeated failed authentications at a SiteMinder login page. If this happens, please wait a while before trying again and make sure you do not have any old saved passwords that are getting autofilled by your browser. If needed, you can reset your password at the NetID Center.

Screenshot showing SiteMinder lockout screen, advising to wait 5 minutes before trying again.



Doc ID: 136800
Owned by: Identity and Access Management in University of Illinois Technology Services
Created: 2024-04-15
Updated: 2024-04-15
Sites: University of Illinois System, University of Illinois Technology Services