Typically, what has happened is that the user's credentials have been used for a service of some kind on another computer within the network.
When Active Directory requires the user change his/her password, the changed password does not get reflected in the service that the account was added to.
This will lead to continual attempts by that service to authenticate using expired credentials for the user, and this may cause the account to be locked in Active Directory.
To find the computer that is causing this issue, a Policy Trace of the authentication requests made to the ProxySG will be necessary.
Use the following steps to set up this trace:
1. Open VPM within the Management Console.
2. Open the Web Authentication later that holds the IWA/IWA Direct based Authentication Rules.
3. For each rule in this layer that authenticates users, a trace will be added:
* In the track cell for the authentication rule, right click and choose Set.
* Provide a name for the trace (this is what you will see in the rule).
* Ensure Verbose Tracing is checked.
* Provide a filename of the trace (this is what the actual file will be called).
* Click OK, then OK at the previous window.
4. Add this same trace to each rule within the Web Authentication Layer that would be responsible for authenticating this particular user.
All authentication requests that are made by the ProxySG will now be logged to this trace file. After the user lockout occurs, you will then be able to search this trace file for all transactions related to that particular user and then determine what IP addresses the requests came from, narrowing the search for the service that has the expired credentials.
To view the Trace file after the activity has occurred, browse to https://proxyip:8082/policy to view/download the trace file for analysis.
It is highly recommended that the ProxySG be monitored closely while this Trace is active, as it will require more resources than the ProxySG typically uses. Ensure that the Trace will not be too resource intensive on the ProxySG before letting it run unattended for long periods of time.