I have a customer that we are doing a transition from Exchange 2003 to 2007. There are 2 CAS/Hub Servers, a CCR mailbox server, and a mailbox server dedicated to public folders.ISA server receives all requests for OWA.Externally, users accounts are locked out after unsuccessful login even though the password policy is 3 failed attempts (does not matter if the mailbox is on 2003 or 2007). Internally, it is two unsuccessful logins before the account it locked out.I have asked them to turn on logging for account lock out.Any ideas on what else I should look at or other suggestions?

What’s the browser you used, Internet Explorer? Does the issue happen permanently? Although the result of the issue is the logon failure of the exchange mailbox, the symptom is the AD object lockout. I would suggest you to use the references and tools below for troubleshooting Resources: Account Lockout and Password Concepts Configuring Account Lockout Maintaining and Monitoring Account LockoutJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

Thanks for the reply James!Yes they are using IE for the browserIt does lock them out per the policy - helpdesk has to unlockThe issue does not happen on the workstation - if the user types their password wrong 3 times the account is locked out. If it is done in OWA - external to the network - 1 incorrect password locks the account and internal to the network 2 times locks the account.I am familiar with the resources you provided and I believe that the domain policy is working as it should - partially due to the fact that it works as expected on the workstations.Other ideas?-Eric

Please bypass ISA, and logon the OWA on the CAS directly, see if the issue still persists Please monitor the IIS log, as the issue only happens when using OWAJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

Any update?James Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

We have opened a case with MS pro support.I will let you know what we find.

Cool :)James Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

Hey Guys, I'm having the same problems, did you guys figure out the solution for this?

Not as of yet. MS has asked us to move the lockout policy from a policy they created and move it back to the default domain policy. We are hoping to make the change in the next week or so.

Hmm, strange issue. Thanks for update.

That did not fix it for us....the search continues. I will let you know if we find anything.

I wonder if it's a bug in OWA 2007. My client doesn't have ISA installed. Users connect to CAS server to access OWA.

I doubt it, we have many 2007 deployments that don't have this issue.

Any solution to this? We, too, have had such an issue for some time now. Our admin has essentially given up, stating it's not occurring, but it definitely is occurring.

It is possibly an IIS 7 issue. Read these.... http://blogs.iis.net/brian-murphy-booth/archive/2009/10/19/iis7-using-basic-authentication-may-cause-premature-user-lockouts.aspx http://support.microsoft.com/kb/981280