Thanks to SCOM and the Lync 2013 management pack, I came across the following error happening on Lync 2013 front-ends
Log Name: Lync Server Source: LS UserPin Service Date: 3/26/2014 3:51:14 PM Event ID: 47066 Task Category: (1044) Level: Error Keywords: Classic User: N/A Computer: FE3.ad.domain.com Description: Found users who are already or about to be permanently locked
The following users are either permanently locked out, or about to be permanently locked out:-
1. User: firstname.lastname@example.org, FailedLogonAttempts: 5000, MaximumFailedAttemptsAllowed: 5000 2. User: email@example.com, FailedLogonAttempts: 5000, MaximumFailedAttemptsAllowed: 5000
Cause: The affected users might be using very old pin, or they are under denial of service and spoofing attacks. Resolution: Please get in touch with the affected users and ask them to change their pins. Examine server logs to verify that this was not an intentional attack.
This appears to be an undocumented error message, and an undocumented lockout feature. (This is of course no surprise administering Lync — don’t you recall a time in the past when Microsoft products at least had all the error messages it could produce documented on TechNet?). The only hits on web searches are the SCOM MP dumps on Viacode.
So, here is some documentation. Basically, in our scenario, these ended up being common area phones that had their pin changed or updated at some point, and that never got updated on the Lync Phone Edition end. These phones are out there still plugged into the network and still chugging away at attempting to register repeatedly. Looking at logs, they are even still hitting our old Lync 2010 pool first, because apparently they are not using DHCP options to contact the new pool, they are relying on their old cache. They also continue to grab LPE firmware updates, which actually work even though their authentication is bad, since internally no successful authentication is required to download an update.
I also think this is an interesting find because I can’t see anywhere (at least readily) where there is documentation that there is a 5000 attempt lockout on PIN authentication. The lockout is a good thing… so I guess it is documented here now!