
SM_DISABLED_FLAG not updated when password status is DISABLE_MAXLOGINFAIL


Article ID: 203543

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

 

When running a Policy Server, and the user tries to log in after 15
minutes providing the expected password, the SM_DISABLE_FLAG value does
not change back to 4: it stays at 6 (disabled for inactivity, 4, plus
max failed login, 2).

How can the value come back to 4 (disabled for inactivity) once the
user waits for 15 minutes and uses the expected password?

 

Environment

 

  Policy Server 12.8SP3 on RedHat 6;
  User Directory on Oracle 12cR2 (12.2.0.1.0); 

 

Cause

 

The product logic is that removing the value 2 (max failed login)
requires re-enabling the account. Because the account is already
disabled for inactivity (4), and the only way to re-enable such an
account is manually from the AdminUI, the disable value 6 cannot be
set back to 4.

Resetting "Account disabled after successive incorrect password",
which is value 2, would mean enabling the account. That cannot happen
automatically because the user is already disabled for inactivity, and
the only way to enable the user again is through the AdminUI (1).

Once the value 6 is set for the user, the only way to get a value
other than 6 is to re-enable the user from the AdminUI, as the
documentation quoted under Additional Information (1) specifies.

Because this is the only way to get the user enabled, the inactivity
disable takes precedence over the max login failures. So out of the
box, even when the disable flag is 6, as long as the account has
"disable for inactivity" set, the Policy Server will not let the user
log in and will not set the value back to 4.

To illustrate :

Set the Password Policy with :

  Incorrect Password
  Account disabled after successive incorrect password 4
  After minutes 5
  Allow 1 login attempt

  Password expires from inactivity
  After days 1
  Disable user

  
The user logs in on the first day. The next day, the user tries to log
in once again: the disable flag becomes 4. The user then tries to log
in 4 times with the wrong password: the disable flag becomes 6. The
user waits 5 minutes and tries to log in with the correct password, but
the login fails and the value stays 6.

If "Password expires from inactivity" is not configured, the disable
flag value becomes 2 after 4 attempts with a bad password, and it goes
back to 0 after waiting 5 minutes and using the correct password.
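The two illustrations above (inactivity configured versus not configured) can be reproduced with a small model of the disabled flag as a bitmask. This is an added example written for this article, not Broadcom code and not the Policy Server's actual implementation; it uses only the two bit values the article gives (2 = max login failures, 4 = inactivity) and the policy numbers from the illustration (4 attempts, 5 minutes, 1 day). The class names, function names and the `allowed_after_wait` field are this example's own assumptions, as is the modelling decision that a correct password clears bit 2 only when no other disable bit is set.

```python
"""Bitmask model of the SiteMinder disabled flag (added example, not product code).

Only the two values named in the article are used. Names below are assumptions
made for this illustration, not Policy Server identifiers.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict

MAX_LOGIN_FAIL = 2   # "Account disabled after successive incorrect password"
INACTIVITY = 4       # "Password expires from inactivity" with "Disable user"

DAY = 86400.0


def describe_flag(value: int) -> List[str]:
    """Decode a disabled-flag value into the names of the bits it carries."""
    names = []
    if value & MAX_LOGIN_FAIL:
        names.append("max login failures")
    if value & INACTIVITY:
        names.append("inactivity")
    return names or ["enabled"]


@dataclass
class Policy:
    max_failures: int = 4          # "Account disabled after successive incorrect password 4"
    lockout_minutes: int = 5       # "After minutes 5"
    allowed_after_wait: int = 1    # "Allow 1 login attempt"
    inactivity_days: int = 1       # "After days 1"
    disable_on_inactivity: bool = True


@dataclass
class Account:
    password: str
    disabled: int = 0              # the SM_DISABLE_FLAG-style bitmask
    failures: int = 0
    lockout_ends: float = 0.0
    last_login: Optional[float] = None


def login(acct: Account, policy: Policy, password: str, now: float) -> Tuple[bool, int]:
    """Simulate one login attempt; return (success, disabled flag afterwards)."""
    # Inactivity is checked first and, once set, only an administrator clears it.
    if (policy.disable_on_inactivity and acct.last_login is not None
            and now - acct.last_login > policy.inactivity_days * DAY):
        acct.disabled |= INACTIVITY
    # Inside the lockout window nothing is evaluated, not even a correct password.
    if acct.disabled & MAX_LOGIN_FAIL and now < acct.lockout_ends:
        return False, acct.disabled
    if password == acct.password:
        # Assumed rule: bit 2 is cleared only if no other disable bit is set.
        if acct.disabled & ~MAX_LOGIN_FAIL:
            return False, acct.disabled
        acct.disabled &= ~MAX_LOGIN_FAIL
        acct.failures = 0
        acct.last_login = now
        return True, acct.disabled
    acct.failures += 1
    if acct.failures >= policy.max_failures:
        acct.disabled |= MAX_LOGIN_FAIL
        acct.lockout_ends = now + policy.lockout_minutes * 60
        # After the wait, only `allowed_after_wait` further failures re-lock.
        acct.failures = policy.max_failures - policy.allowed_after_wait
    return False, acct.disabled


def admin_enable(acct: Account) -> int:
    """The AdminUI 'enable user' action: clears every disable bit."""
    acct.disabled = 0
    acct.failures = 0
    return acct.disabled


def run_scenario(disable_on_inactivity: bool) -> Dict[str, object]:
    """Replay the article's steps with or without 'Password expires from inactivity'."""
    policy = Policy(disable_on_inactivity=disable_on_inactivity)
    acct = Account(password="correct-horse")          # constructed sample credential
    t = 1000.0
    login(acct, policy, "correct-horse", t)           # first day: successful login
    t += DAY + 3600                                   # next day
    after_next_day = login(acct, policy, "correct-horse", t)[1]
    for _ in range(policy.max_failures):              # 4 wrong passwords
        t += 1
        after_failures = login(acct, policy, "wrong", t)[1]
    t += policy.lockout_minutes * 60 + 1              # wait the 5 minutes
    ok, after_wait = login(acct, policy, "correct-horse", t)
    return {"after_next_day": after_next_day, "after_failures": after_failures,
            "after_wait_and_correct_password": after_wait, "login_succeeded": ok,
            "after_admin_enable": admin_enable(acct)}


if __name__ == "__main__":
    for configured in (True, False):
        r = run_scenario(configured)
        print("inactivity configured" if configured else "inactivity not configured", r,
              describe_flag(int(r["after_wait_and_correct_password"])))
```

With inactivity configured the trace is 4, 6, 6 and the correct password is refused until `admin_enable` returns 0; without it the trace is 0, 2, 0 and the login succeeds, which is exactly the contrast the article draws. `describe_flag` is the piece an administrator would actually reuse: reading 6 from the directory column and seeing both "max login failures" and "inactivity" tells them the AdminUI enable is required.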

 

Resolution

 

Resetting "Account disabled after successive incorrect password",
which is value 2, would mean enabling the account. That cannot happen
automatically because the user is already disabled for inactivity, and
the only way to enable the user again is through the AdminUI (1).

 

Additional Information

 

(1)

    Disable user

      If selected, specifies that when a user's password expires due to
      inactivity, the Policy Server disables the user. Disabled users must
      then be enabled using the User Management dialog.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/password-services-dialog-reference/expiration-tab.html