SM password policy is not invoked

Article ID: 35742

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

ISSUE:

An SM password policy is created against an Active Directory user store (LDAP namespace) to disable the user after 3 successive incorrect password logins.

With Enhanced AD Integration enabled, the user is continuously returned to the login prompt after 3 successive failed logins and the SM password policy is never invoked. With Enhanced AD Integration disabled, the user is redirected to the SM password policy page as expected.

 

CAUSE:

When Enhanced AD Integration is enabled, the Policy Server additionally validates the AD native attributes accountExpires and badPwdCount. If the account has expired, or the bad password count has already reached the limit set on the AD side, the AD state takes precedence: the password policy is evaluated on the next login and the user is handled according to that state, not according to the SM failed-login counter.

With Enhanced AD Integration disabled, the Policy Server relies only on userAccountControl and the SM Disabled Flag attribute to determine user status, so the SM counter alone decides when the user is disabled.

In addition, if the user directory has a native password policy, that policy must be less restrictive than the SM password policy, or be disabled. The SM threshold must be strictly lower than the AD lockout threshold so that the SM policy is the one that fires first.

 

The customer has both the SM password policy and the AD native password policy set to disable the user after 3 successive failed logins. Both policies fire on the same failed attempt, so the AD lockout takes effect and the SM password policy is never invoked.

 

RESOLUTIONS:

Update the AD native password policy to be less restrictive than the SM policy: lock the account after 4 successive failed logins (any value greater than the SM threshold of 3 works).

OR

Update the SM password policy to be more restrictive than the AD policy: disable the user after 2 successive failed logins (any value lower than the AD threshold of 3 works).

OR

Disable the AD native password policy (account lockout), leaving the SM password policy as the only failed-login control.
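To check for this conflict before changing either policy, the following PowerShell function compares the lockout threshold that AD will actually apply to a user (a fine-grained password policy if one applies, otherwise the default domain policy) against the "disable after N failed logins" value of the SM password policy, and reports the attributes named in the CAUSE section. This is an added example, not code from the CA/Broadcom article: the function name `Test-SmLockoutConflict`, the parameter `-SmMaxFailedLogins` (the SM value is read from the Administrative UI and passed in, it is not queried from the Policy Store) and the sample user name `jdoe` are assumptions. It requires the ActiveDirectory RSAT module and read access to the user object.

```powershell
# Added example, not from the CA/Broadcom article. Compares the AD lockout
# threshold that applies to a user with the SM password policy threshold
# (supplied by the caller) and reports the AD attributes the article names.
Import-Module ActiveDirectory

function Test-SmLockoutConflict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # Value of "disable after N failed logins" in the SM password policy (hypothetical parameter).
        [Parameter(Mandatory)] [int]    $SmMaxFailedLogins
    )

    # A fine-grained password policy (PSO) overrides the default domain policy.
    # Get-ADUserResultantPasswordPolicy returns $null when no PSO applies to the user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) {
        $adThreshold = $pso.LockoutThreshold
        $source      = "PSO $($pso.Name)"
    } else {
        $adThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
        $source      = 'Default Domain Policy'
    }

    # Attributes the Policy Server evaluates. Note: badPwdCount is maintained per
    # domain controller and is not replicated, so the value seen here is only the
    # count on the DC that answered this query. lockoutTime of 0 means not locked;
    # accountExpires of 0 or 9223372036854775807 means the account never expires.
    $user = Get-ADUser -Identity $Identity `
        -Properties badPwdCount, lockoutTime, accountExpires, userAccountControl, LockedOut

    # AD must be strictly less restrictive than SM (or lockout disabled, threshold 0)
    # for the SM policy to be the one that fires first.
    if ($adThreshold -eq 0) {
        $verdict = 'OK: AD lockout disabled, the SM password policy alone decides'
    } elseif ($adThreshold -gt $SmMaxFailedLogins) {
        $verdict = 'OK: SM policy fires before the AD lockout'
    } else {
        $verdict = 'CONFLICT: AD locks the account at or before the SM threshold; raise the AD LockoutThreshold or lower the SM value'
    }

    [pscustomobject]@{
        Identity           = $Identity
        AdPolicySource     = $source
        AdLockoutThreshold = $adThreshold
        SmMaxFailedLogins  = $SmMaxFailedLogins
        BadPwdCount        = $user.badPwdCount
        LockoutTime        = $user.lockoutTime
        LockedOut          = $user.LockedOut
        AccountExpires     = $user.accountExpires
        UserAccountControl = $user.userAccountControl
        Verdict            = $verdict
    }
}

# Usage (user name and SM value are hypothetical): with both thresholds at 3 the
# function reports CONFLICT; with AD at 4 or SM at 2 it reports OK.
Test-SmLockoutConflict -Identity 'jdoe' -SmMaxFailedLogins 3 | Format-List
```

Run it once per domain controller (`Get-ADUser -Server <dc>`) if the actual bad password count matters, since badPwdCount is not replicated. Before choosing the third resolution, keep in mind that disabling the AD lockout policy removes AD's own brute-force control for every path that authenticates directly against the domain, not just logins that pass through SiteMinder; raising the AD threshold above the SM value preserves that control.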

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component: