Password policies are not working as expected

Article ID: 195567

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Identity Suite

Issue/Introduction

A common scenario is to manage Active Directory passwords with CA Identity Manager.

For example, with password policy settings such as:

Account disabled after 3 successive incorrect passwords, or Password expires if not changed

However, this does not appear to work. The user's account appears to be in a disabled state in IDM (CA Identity Manager) based on the IDM password policy, but the change is not reflected in Active Directory.

Cause

This is working as designed.

Environment

Release : 14.3 CP1

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

The Password Services tasks in IM are "audited" tasks, not executed tasks. This means that the change is only applied to the IDM user itself and is not pushed to the user's endpoint accounts. This prevents an already logged-in user from locking out all of their endpoint accounts.

Example: A worker is logged into their physical machine at work and tries to perform actions within IDM. They fail to log in three times and are locked out of IDM. If IDM synchronized that lockout to the endpoints, the same individual would be locked out of all of their endpoints, including their physical machine (Active Directory).

Additional Information

To overcome these difficulties, it is recommended that the password policies for IM and Active Directory (AD) are kept synchronized and that daily E&C (Explore and Correlate) tasks are executed to keep IM in sync with AD, with AD acting as the authoritative source. We also recommend the use of the PSA (Password Sync Agent).
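As an added illustration of the reconciliation recommended above (this is not CA's own Explore and Correlate logic or any Identity Manager API), the check below takes constructed exports of IDM user states and AD account attributes, treats AD as authoritative, and reports every IDM user whose enabled/locked state disagrees with AD, including the case from this article where the IDM user is disabled but the AD account is still active. The AD decoding uses the real userAccountControl ACCOUNTDISABLE bit (0x2) and the lockoutTime attribute (non-zero means locked out); the export record layouts and user names are assumptions.

```python
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled

@dataclass(frozen=True)
class AdAccount:
    sam: str                   # sAMAccountName
    user_account_control: int  # userAccountControl attribute
    lockout_time: int          # lockoutTime attribute; 0 = not locked out

@dataclass(frozen=True)
class IdmUser:                 # assumed shape of an IDM user export record
    user_id: str
    enabled: bool
    locked: bool

def ad_state(acct):
    """Return (enabled, locked) as Active Directory sees the account."""
    enabled = not (acct.user_account_control & ACCOUNTDISABLE)
    locked = acct.lockout_time != 0
    return enabled, locked

def reconcile(idm_users, ad_accounts):
    """AD is authoritative: map each IDM user whose state disagrees with AD
    to the (enabled, locked) values IDM should be corrected to. IDM users
    with no AD account are listed separately for a human to review."""
    by_sam = {a.sam: a for a in ad_accounts}
    drift, missing = {}, []
    for u in idm_users:
        acct = by_sam.get(u.user_id)
        if acct is None:
            missing.append(u.user_id)
            continue
        enabled, locked = ad_state(acct)
        if (u.enabled, u.locked) != (enabled, locked):
            drift[u.user_id] = {"enabled": enabled, "locked": locked}
    return {"drift": drift, "missing_in_ad": missing}

# Constructed sample exports (hypothetical users, not from a real directory).
# jdoe was disabled/locked by the IDM password policy after failed logins,
# but because Password Services tasks are audit-only, AD was never updated.
IDM_EXPORT = [
    IdmUser("jdoe", enabled=False, locked=True),
    IdmUser("asmith", enabled=True, locked=False),
    IdmUser("ghost", enabled=True, locked=False),
]
AD_EXPORT = [
    AdAccount("jdoe", user_account_control=0x200, lockout_time=0),    # NORMAL_ACCOUNT, enabled
    AdAccount("asmith", user_account_control=0x202, lockout_time=0),  # disabled in AD
]
```

Running `reconcile(IDM_EXPORT, AD_EXPORT)` flags jdoe (should be enabled and unlocked in IDM), asmith (should be disabled in IDM) and lists ghost as having no AD account.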