SiteMinder Password Policy is not invoked
search cancel

SiteMinder Password Policy is not invoked


Article ID: 35742


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER



SiteMinder Password Policy is created against Active Directory User Store with LDAP namespace, to disable the user after 3 successive incorrect password login.

The user is continuously getting prompted after 3 successive failed logins. With Enhanced AD Integration disabled, the user is redirected to the SiteMinder Password Policy page accordingly.




accountExpires and badPwdCount are the additional Active Directory (AD) native attributes that Policy Server validates when Enhanced AD Integration is enabled. Hence, if the user account is expired or the bad password count has reached its limit on the Active Directory (AD) end, the password policy will be triggered on the next login and the user will be redirected to the SiteMinder password policy page.

With Enhanced AD integration disabled, PS will rely on userAccountControl and SM Disabled Flag attributes to determine user status.

Additionally, if the User Directory has a native Password Policy, this policy must be less restrictive than the SiteMinder Password Policy or disabled.

When both SiteMinder and Active Directory (AD) native password policies are set to disable the user after 3 successive failed logins causing conflict between both password policies.




Update the Active Directory (AD) native password policy to be less restrictive – disable user after 4 successive failed logins.


Update SiteMinder password policy to be more restrictive – disable user after 2 successive failed logins.


Disable Active Directory (AD) native password policy.