Description:

If you try logging into WAMUI and Active Directory as administrative store, with incorrect password (multiple times), your account may be disabled/locked. "Useraccountcontrol" field of Active Directory is checked during login to WAMUI. If this has value of 514, user would be denied access.

Solution:

When using Active Directory, SiteMinder will automatically check on useraccountcontrol, and pwdlastset, and other AD attributes that are used for password control. And that is without you specifying anything in the disabled flag or password data fields.

SiteMinder will automatically pick it up when a user password has expired, or a user is in force password change mode, etc. This will happen no matter if you are using the AD namespace or the LDAP namespace in the user directory properties.

What value shall I fill up in the DISABLE state field?

The only reason to fill out the fields for disabled flag is if you want to use SiteMinder Password Policies to control password expiration, password content restrictions, etc. If all that is being handled by your AD, and you don't want to use SiteMinder Password Policies, then leave those fields blank. If you do want to use SiteMinder password policies, then you must fill out those fields, and they must be fields that are used by NO other applications. You cannot use useraccountcontrol for example, because SiteMinder has a completely different set of values that it uses for its disabled flag.