This issue is resolved in hot fix 5.5.2.42 for RSA ClearTrust Servers. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). Review the provided Readme file for installation instructions.
This hot fix corrects a number of problems in the Active Directory connection pool for activedirectory-bind. When Active Directory is used as the datastore for ClearTrust, a second LDAP connection, activedirectory-bind, is required to authenticate user accounts. The authorization server maintains a pool of these connections through which it rotates. When a user logs on with an invalid password, the auth server attempts to bind with those credentials and fails; before attempting that bind, however, it first tests the connection using the credentials the connection currently holds. Prior to this hot fix, the incorrect credentials were retained in the connection, so the next time that connection came up for use, the invalid credentials were used to test the state of the connection, causing an invalid logon attempt and incrementing the badPwdCount. With keepalives in use, every connection was guaranteed to be tested within a set time frame, which guaranteed that the invalid credentials would be reused.
NOTE: Following this hot fix, invalid credentials are replaced with the administrative account credentials under which the connection was first opened.
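The following toy model illustrates the failure mode described above and the effect of the hot fix. It is an added example, not RSA's code: `Directory` is a constructed stand-in for Active Directory, the account names, passwords, pool size and keepalive count are assumptions, and `retain_failed_creds=True` models the pre-hot-fix behaviour.

```python
# Added example, not RSA's code: a toy model of the activedirectory-bind connection
# pool described above. Constructed names/passwords; the pool size and keepalive
# count are assumptions. retain_failed_creds=True models the pre-hot-fix behaviour.

class Directory:
    """Stand-in for Active Directory: tracks badPwdCount for each account."""
    def __init__(self, accounts):
        self.accounts = dict(accounts)                  # name -> correct password
        self.bad_pwd_count = {name: 0 for name in accounts}

    def bind(self, name, password):
        if self.accounts.get(name) == password:
            return True
        if name in self.bad_pwd_count:                  # AD counts every failed bind
            self.bad_pwd_count[name] += 1
        return False

class PooledConnection:
    def __init__(self, directory, admin_creds, retain_failed_creds):
        self.directory = directory
        self.admin_creds = admin_creds                  # account the connection was opened under
        self.current_creds = admin_creds                # credentials the connection currently holds
        self.retain_failed_creds = retain_failed_creds

    def test_connection(self):
        # Keepalive / pre-use check: rebind with whatever credentials the connection holds.
        return self.directory.bind(*self.current_creds)

    def authenticate_user(self, name, password):
        self.test_connection()                          # auth server tests the connection first
        ok = self.directory.bind(name, password)
        if ok or self.retain_failed_creds:
            self.current_creds = (name, password)       # bug: invalid creds stay on the connection
        else:
            self.current_creds = self.admin_creds       # hot fix: fall back to the admin account
        return ok

def simulate(retain_failed_creds, pool_size=3, keepalive_rounds=4):
    """One bad logon for 'alice', then keepalive rounds over the pool; returns her badPwdCount."""
    directory = Directory({"svc-cleartrust": "admin-secret", "alice": "correct-horse"})
    admin = ("svc-cleartrust", "admin-secret")
    pool = [PooledConnection(directory, admin, retain_failed_creds) for _ in range(pool_size)]
    pool[0].authenticate_user("alice", "wrong-password")   # the only genuine failed logon
    for _ in range(keepalive_rounds):
        for conn in pool:                                    # keepalives test every connection
            conn.test_connection()
    return directory.bad_pwd_count["alice"]

if __name__ == "__main__":
    print("pre-hot-fix badPwdCount:", simulate(True))    # 5: one real failure + 4 keepalive rebinds
    print("hot-fixed   badPwdCount:", simulate(False))   # 1
```

Running it shows why a single mistyped password could lock an account out before the fix: each keepalive on the affected connection counted as another bad logon in the directory.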
For more information, see the solution: RSA ClearTrust users occasionally unable to authenticate using valid username and password.