Why am I getting user account lockout issues when a user ID exists in 2 User Directories attached to a SiteMinder Domain?

Article ID: 40238

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Question: 

We have 2 User Directories in a SiteMinder Domain where a user ID exists in both, but the passwords are different. When a user authenticates with the password from the second UD, the invalid password count on the first increments. After a few authentication attempts that account is then locked.

Is this a defect?

Environment:  

SiteMinder Policy Server Version: R12 SP3 & R12.52

User Store Database1: oracle 11g

User Store Database2: oracle 11g

Answer: 

This is working as expected and not a defect.

 

Use Case 1) If the User Directories are configured in the order UD1, UD2 and the user makes a login attempt with the correct password from UD1 (first in the list), the Policy Server will not try to authenticate against the second directory and the user will not be locked.

Use Case 2) If you try to authenticate using the password from UD2, the Policy Server will first try UD1, fail, then move to the next directory, UD2, and succeed. The failed login attempt will be registered against UD1, and this is expected behavior.

You may want to consult CA services to consider other config/options that may suit your business needs.
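
The lookup order from the two use cases above, modelled as an added Python example (this is not SiteMinder code or CA's implementation). The lockout threshold of 3, the directory contents and every function name are assumptions; behaviour after an account is locked is not modelled.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # assumed; the article only says "a few" attempts


@dataclass
class UserDirectory:
    name: str
    passwords: dict  # user ID -> password (constructed sample data)
    failures: dict = field(default_factory=dict)

    def check(self, user_id, password):
        """True on a match; otherwise count a failed attempt in this directory."""
        if self.passwords[user_id] == password:
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return False

    def is_locked(self, user_id):
        return self.failures.get(user_id, 0) >= LOCKOUT_THRESHOLD


def authenticate(directories, user_id, password):
    """Try directories in configured order; return the name of the one that accepts."""
    for ud in directories:
        if user_id in ud.passwords and ud.check(user_id, password):
            return ud.name
    return None


def logins_until_lockout(directories, user_id, password, limit=10):
    """Logins needed before any directory locks the ID, or None within limit."""
    for n in range(1, limit + 1):
        authenticate(directories, user_id, password)
        if any(ud.is_locked(user_id) for ud in directories):
            return n
    return None


def duplicate_ids(directories):
    """User IDs present in more than one directory, i.e. exposed to this effect."""
    seen, dupes = set(), set()
    for ud in directories:
        dupes.update(seen.intersection(ud.passwords))
        seen.update(ud.passwords)
    return dupes


def sample_directories():
    """Constructed data: 'jdoe' exists in both directories with different passwords."""
    return [UserDirectory("UD1", {"jdoe": "pw-ud1", "asmith": "pw-a"}),
            UserDirectory("UD2", {"jdoe": "pw-ud2", "bjones": "pw-b"})]
```

In this model every login with the UD2 password succeeds, yet each one adds a failure in UD1, so `duplicate_ids` is the list of accounts worth reviewing.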

Environment

Release:
Component: SMPLC