Scenario: You’ve partnered with a company who is testing a new software application that uses PowerShell Web Access. You’ve provided this company with an Active Directory account named “Joe Doe”. This account is only allowed to sign into the PowerShell Web Access interface of a server named WWW in the mikefrobbins.com domain. Password policies in this domain use the default settings.
Forty-two days after the account was created, you receive an email from the partner company asking if something has been reconfigured because they are unable to sign into PowerShell Web Access. They are receiving the error Sign-in failed. Verify that you have entered your credentials correctly. when attempting to log in:
Upon checking their Active Directory account, you discover that the password for the “John Doe” account is expired:
Since you’ve only granted this user access to sign into PowerShell Web Access, they have no mechanism to change their password once it’s expired, and although against security best practices, you decide to set the password for their account to never expire:
John Doe is now able to log into PowerShell Web Access without issue:
One thing to note is that any account related issue such as incorrectly entering your password, the account being locked out, or the account being expired will all generate this same generic error message when trying to log into PowerShell Web Access:
Sign-in failed. Verify that you have entered your credentials correctly.
So how do you determine what the actual cause of the error is? There are a number of different ways, but one of the scripts that I wrote for the PowerShell Deep Dives book can simplify the process of determining what the cause of the problem is in this scenario and any scenario where an Active Directory account is experiencing logon attempt failures regardless if it’s an IIS server, Exchange server, SQL server, SharePoint server, etc. This script is named “Get-LogonFailures.ps1″ and by running it against the PowerShell Web Access server in this scenario we can see exactly why they’re unable to logon. I went through a few different scenarios so you could see failures due to the users account being expired, entering their password incorrectly, and their password being expired. The following image displays a subset of the columns returned by the script:
Interested in obtaining the Get-LogonFailures.ps1 script? It’s Listing #1 in Chapter 6 of the PowerShell Deep Dives book which is currently available via the Manning Early Access Program (MEAP).