The NHSmail platform is designed to lockout an account where incorrect or incomplete credentials are used in an attempt to access an nhs.net account on multiple occasions.
Although the cause of an account receiving frequent lockouts tends to be due to a device consisting of either outdated or incorrect credentials polling the NHSmail platform, there are some environmental factors that can significantly contribute to account lockouts within an organisation. The following hints and tips have been documented to assist organisations in scenarios where high volumes of lockouts are being observed across a broad range of users.
Local Group Policy Objects
Many organisations will utilise Group Policy Objects (GPO’s) as part of applying configuration settings to machines/devices connected to the organisations local network. In some cases, GPO’s that are associated with the Microsoft Autodiscover service to dynamically input the users email address into the Username field when initialising the Outlook client can have a negative impact on lockout behaviour.
Organisations who use GPO’s should review all applied policies/scripts to ensure no misconfiguration is present that may be interfering with how a user account is populated within the Outlook client at logon. Instances where a policy or script is falsely adding default credentials against a prepopulated nhs.net email account will in most cases cause a bad authentication attempt leading to a lockout of the account being triggered. To assist with ruling out if GPO’s are causing account lockouts to occur across the organisations userbase, the organisation may want to consider disabling any Outlook related GPO’s for a subset of users to then monitor any changes in lockout behaviour.
User Accounts (On Premise & NHS.net)
In addition to ensuring any active GPO’s are applying the correct configuration to the machines/devices connected to the organisations local network, scenarios have arisen whereby the organisations on-premise user account is incorrectly associated with credentials intended for an NHS.net account. Because of this mismatch, the authentication attempt fails.
Example:
A user’s on-premise account username is firstname.lastname@local.nhs.co.uk. Their NHS.net account username is firstname.lastname@nhs.net. In some scenarios, it has been observed that the on-premise account username is incorrectly used in place of the nhs.net account username which because the credentials are different, causes a failed authentication. It should be noted that in this scenario, a bad authentication attempt would not be logged against the nhs.net account as the authentication attempt was made against the on-premise account.
Where it is identified that a mismatch of on-premise account usernames is being incorrectly associated with nhs.net credentials as explained in the above example, the following actions may assist with isolating the cause.
- Disable any applied policies that may auto populate the on-premise domain
- Disable any software management/policy deployment software from the affected device/machine
Last Reviewed Date | 4/2/2020 |