Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Update adds feature to lock out user accounts that use FBA with Active Directory or with LDAP authentication in a Forefront Threat Management Gateway 2010 environment



Summary

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 adds a new local account lockout feature that helps prevent a malicious user from locking out domain accounts when Forefront TMG is configured to publish a site by using forms-based authentication (FBA) together with Active Directory or Lightweight Directory Access Protocol (LDAP) authentication.



More Information

To add the account lockout feature for FBA, install the service pack that is described in the following Microsoft Knowledge Base article:
2555840 Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2



After you apply Service Pack 2, you can configure the account lockout feature by using the Forefront TMG Administration Object Model. To do this, set the following properties of the WebListenerProperties object; the settings are made separately for each web listener:
  • EnableAccountLockout
  • AccountLockoutThreshold
  • AccountLockoutResetTime
If the EnableAccountLockout property is set to True and the number of consecutive failed logon attempts for a user exceeds the AccountLockoutThreshold value, that user's account is locked out locally for the number of seconds in AccountLockoutResetTime.

Note "Consecutive failed logon attempts" means that no more than AccountLockoutResetTime seconds elapse between two failed logon attempts and that there is no successful logon in between them.

Please also note the following:
  • The lockout counter for FBA that is described here is local to each TMG computer. In an array, every member counts failures independently, so logon attempts that are spread across members can cause several times as many failures on the domain side before each member has locked the account locally.
  • If the Active Directory account lockout threshold is not higher than the number of failed attempts that reach the domain before the FBA threshold is exceeded, the domain lockout will be triggered before, or at the same time as, the FBA local lockout. This defeats the purpose of having this protection in place: the FBA threshold, multiplied by the number of array members, must stay well below the domain lockout threshold.
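The following is an added illustration of the lockout semantics described above; it is not part of the original article and not Forefront TMG code. It models one soft-lockout counter per TMG array member and a simplified domain lockout counter, then round-robins a constructed sequence of failed logons across the array to show at which attempt each side locks the account. The class names, the round-robin load balancer, the sample attempt sequence and the domain lockout values are assumptions made for the example; only the three property names and their meaning come from the article.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SoftLockout:
    """Lockout counter of ONE TMG computer; field names mirror WebListenerProperties."""
    EnableAccountLockout: bool = True
    AccountLockoutThreshold: int = 2
    AccountLockoutResetTime: int = 60                       # seconds
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # user -> (count, last failure time)
    locked_until: Dict[str, float] = field(default_factory=dict)          # user -> lock expiry time

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record(self, user: str, success: bool, now: float) -> bool:
        """Feed one logon result; return True if the user is locked out on this member afterwards."""
        if not self.EnableAccountLockout:
            return False
        if self.is_locked(user, now):
            return True
        if success:
            self.failures.pop(user, None)                   # a successful logon breaks the consecutive run
            return False
        count, last = self.failures.get(user, (0, None))
        if last is not None and now - last > self.AccountLockoutResetTime:
            count = 0                                       # gap longer than the reset time: not consecutive
        count += 1
        if count > self.AccountLockoutThreshold:            # the article says the threshold is "exceeded"
            self.failures.pop(user, None)
            self.locked_until[user] = now + self.AccountLockoutResetTime
            return True
        self.failures[user] = (count, now)
        return False


@dataclass
class DomainLockout:
    """Simplified Active Directory lockout (assumption): locks AT the threshold within the window."""
    LockoutThreshold: int = 5
    LockoutObservationWindow: int = 1800                    # seconds, constructed value
    bad_pwd: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record(self, user: str, success: bool, now: float) -> bool:
        """Return True if the domain account is locked after this attempt."""
        if user in self.locked:
            return True                                     # a locked account rejects even a good password
        if success:
            self.bad_pwd.pop(user, None)
            return False
        count, last = self.bad_pwd.get(user, (0, None))
        if last is not None and now - last > self.LockoutObservationWindow:
            count = 0
        count += 1
        self.bad_pwd[user] = (count, now)
        if count >= self.LockoutThreshold:
            self.locked.add(user)
            return True
        return False


def domain_failures_before_soft_lockout(nodes: int, threshold: int) -> int:
    """Worst case for an attacker spread evenly over the array: failures the domain
    sees before every member has locked the user locally (each member lets threshold+1 through)."""
    return nodes * (threshold + 1)


def simulate(attempts: List[Tuple[float, str, bool]], nodes: int, threshold: int,
             reset_time: int, ad_threshold: int, ad_window: int = 1800) -> dict:
    """Round-robin `attempts` (time, user, password_correct) over `nodes` array members
    (constructed load balancer) and report the 1-based attempt at which each side locked."""
    members = [SoftLockout(True, threshold, reset_time) for _ in range(nodes)]
    domain = DomainLockout(ad_threshold, ad_window)
    result = {"tmg_locked_at": [None] * nodes, "ad_locked_at": None, "forwarded_to_ad": 0}
    for i, (ts, user, ok) in enumerate(attempts, start=1):
        m = (i - 1) % nodes
        if members[m].is_locked(user, ts):
            continue                                         # refused locally; the domain never sees it
        result["forwarded_to_ad"] += 1
        ad_locked = domain.record(user, ok, ts)
        if ad_locked and result["ad_locked_at"] is None:
            result["ad_locked_at"] = i
        # the domain's verdict feeds the local counter
        if members[m].record(user, ok and not ad_locked, ts) and result["tmg_locked_at"][m] is None:
            result["tmg_locked_at"][m] = i
    return result


if __name__ == "__main__":
    six_bad = [(float(t), "alice", False) for t in range(6)]   # constructed: six wrong passwords, 1 s apart
    print("1 member,  threshold 2, AD threshold 5:", simulate(six_bad, 1, 2, 60, 5))
    print("2 members, threshold 2, AD threshold 5:", simulate(six_bad, 2, 2, 60, 5))
    print("1 member,  threshold 2, AD threshold 3:", simulate(six_bad, 1, 2, 60, 3))
```

With one member and a threshold of 2, the third bad password locks the user on the TMG computer and the domain has seen only 3 failures, so an Active Directory threshold of 5 is never reached. With two members and the same settings, the domain sees 6 failures before both members have locked the user, and the domain account is locked at the fifth attempt; with an Active Directory threshold of 3, even a single member cannot protect the account. Compare the value of domain_failures_before_soft_lockout(members, threshold) against the domain threshold when you choose the listener settings.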
Following is an example of a script that can be used to enable the TMG Soft Account Lockout feature that is described in this article.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

  1. Copy the following script into Notepad, and then save it as a VBScript file by using the .vbs file name extension. Make sure that you change the value of WebListenerName to the name of the web listener in your environment.


    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Script for enabling TMG Soft Account Lockout described in KB 2619987
    ' Run with cscript.exe on a Forefront TMG 2010 SP2 computer.

    Option Explicit
    Dim WebListenerName, newEnableAccountLockout, newAccountLockoutThreshold, newAccountLockoutResetTime

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' SET YOUR VALUES HERE
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    ' Name of the web listener whose lockout properties you want to change

    WebListenerName = "YourWebListenerName"

    ''''''''''''''''''''''''''''''''''
    ' Set here custom values
    ' Remember: If the EnableAccountLockout property is set to True and the
    ' value for the AccountLockoutThreshold property for consecutive failed
    ' logon attempts for a user is exceeded, the account is locked based on
    ' the AccountLockoutResetTime value in seconds.

    newEnableAccountLockout = True
    newAccountLockoutThreshold = 2
    newAccountLockoutResetTime = 60

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Begin

    Dim Root, TmgArray, WebListeners, WL, intCompare, blnFound, strMessage, strInput

    Set Root = CreateObject("FPC.Root")
    Set TmgArray = Root.GetContainingArray
    Set WebListeners = TmgArray.RuleElements.WebListeners

    ''''''''''''''''''''''''''''''''''
    ' Look for the WebListener (case-insensitive name match)

    blnFound = False
    For Each WL In WebListeners
        Wscript.Echo " Comparing WebListener name |" & WebListenerName & "| with |" & WL.Name & "|"
        intCompare = StrComp(WebListenerName, WL.Name, vbTextCompare)
        If intCompare = 0 Then
            blnFound = True
            Exit For
        End If
    Next

    ' Stop before touching anything if the listener does not exist
    If Not blnFound Then
        Wscript.Echo "No web listener named |" & WebListenerName & "| exists in this array. Nothing was changed."
        WScript.Quit 1
    End If

    Wscript.Echo
    Wscript.Echo "Found WebListener with description: |" & WL.Description & "|"

    ''''''''''''''''''''''''''''''''''
    ' Show values

    Wscript.Echo
    Wscript.Echo "***** CURRENT VALUES: "
    Wscript.Echo "** EnableAccountLockout = |" & WL.Properties.EnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & WL.Properties.AccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & WL.Properties.AccountLockoutResetTime & "|"
    Wscript.Echo "***** NEW VALUES: "
    Wscript.Echo "** EnableAccountLockout = |" & newEnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & newAccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & newAccountLockoutResetTime & "|"

    ''''''''''''''''''''''''''''''''''
    ' Warning and ask to continue

    WScript.Echo ' newline
    Wscript.Echo "Please check that the information above is correct and that you want to apply the changes."
    strMessage = "Press Enter to continue or Ctrl+C to cancel"
    WScript.Echo ' newline
    WScript.StdOut.Write strMessage
    strInput = WScript.StdIn.ReadLine   ' blocks until Enter is pressed; Ctrl+C ends cscript without saving

    ''''''''''''''''''''''''''''''''''
    ' Set new values

    WL.Properties.EnableAccountLockout = newEnableAccountLockout
    WL.Properties.AccountLockoutThreshold = newAccountLockoutThreshold
    WL.Properties.AccountLockoutResetTime = newAccountLockoutResetTime

    Wscript.Echo "***** VALUES AFTER CHANGE (not yet saved): "
    Wscript.Echo "** EnableAccountLockout = |" & WL.Properties.EnableAccountLockout & "|"
    Wscript.Echo "** AccountLockoutThreshold = |" & WL.Properties.AccountLockoutThreshold & "|"
    Wscript.Echo "** AccountLockoutResetTime = |" & WL.Properties.AccountLockoutResetTime & "|"

    ' Persist the listener properties to the TMG configuration storage
    WL.Properties.Save
    Wscript.Echo "Changes saved."

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

  2. Save the file to a temporary folder. For example, save the file as EnableSoftLockout.vbs in the C:\EnableSoftLockout folder.
  3. At a command prompt, move to the location to which you saved the .vbs file in step 2, and then run the .vbs file. For example, run the following commands:
    CD C:\EnableSoftLockout
    cscript EnableSoftLockout.vbs




References

For more information about the WebListenerProperties object, go to the following Microsoft Developer Network (MSDN) website:

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates



Keywords: kbnotautohotfix, kbexpertiseinter, kbsurveynew, kb


Article Info
Article ID : 2619987
Revision : 3
Created on : 11/15/2018
Published on : 11/16/2018
Exists online : False
Views : 363