Our teams have determined the best way to resolve excessive emails being sent regarding locked tokens is due to the use of duplicate fail over SAS URL's being used in tools like Windows Credential Providers.
The multiple locked token emails stem from the secondary SAS URLl's. If I have offline cache mode off, and both the primary and secondary SAS URL's point to the same or valid servers, The Logon Agent / Windows Credential Provider will try the secondary if the primary SAS fails.
Each attempt will generate locked token email to the user and to the site admins.
Example: Two 2FA admins, one user with a locked token generate 6 emails instead of the expected three. This means that if the user has Radius installed with a primary and secondary sas, 12 emails could be generated. etc.
Note: If you have more then one 2FA user account that is a Site Admin then each Site Admin User account will receive a notification for a locked token user.
Example;
2FA Standard User
Username: jsmith.
Email address: jsmith@scorpionlabs.com
2FA Grouped user
Username: jsmith@scorpionlabs.com
Email address: jsmith@scorpionlabs.com
Both of the above users are Admins, each user would be sent a notification when a user locks there token.
The fail over SAS should be not be set to the same as the primary SAS, as this is redundant. Setting the secondary, if there is no valid secondary, to 'localhost' alleviates this issue
AuthAnvil Windows Logon Agent / Credential Provider
Once installed the a Secondary SAS URL can be updated in the Registry HKLM/Software/Scorpion Software/AuthAnvilLogon
Note: Set the secondary URL to use localhost to stop it attempting to connect the primary server.
AuthAnvil RADIUS server
For the RADIUS server, you can set up and primary and a secondary SAS URL. You will want to make sure the Secondary URL is disabled or set to "localhost".
The Secondary SAS can be modified by editing AuthAnvilRadius.exe.config located in "C:\Program Files\Scorpion Software\AuthAnvil Radius Server\AuthAnvilRadius.exe.config".
<add key="AuthAnvilSAS" value="http://auth.scorpionlabs.com/AuthAnvil/SAS.asmx"/>
<add key="AuthAnvilSecondarySAS" value="http://localhost/AuthAnvil/SAS.asmx"/>
Note: You can either delete the second line, or use the example above for the secondary URL.
Questions?
If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.