000035573 - RSA Access Manager password policy for automatic user unlock does not work when using an Active Directory user store

Document created by RSA Customer Support Employee on Jan 27, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035573
Applies ToRSA Product Set: Access Manager
RSA Version/Condition: 6.2 and later
IssueAutomatic user unlocks according to an RSA Access Manager policy does not work when using a Microsoft Windows Active Directory user store. After the lock period has elapsed, the user is unlocked in Access Manager, but is disabled in Active Directory and so is unable to access resources.
CauseWhen using RSA Access Manager with Microsoft Windows Active Directory as a data store, it is recommended to use Active Directory's own password policy.
However, if an Access Manager password policy is used instead, it is necessary to eliminate conflict by making the Access Manager policy more strict than Active Directory's policy.
Access Manager policy can include a rule to automatically lockout a user after several unsuccessful login attempts. The default setting when that occurs, in Access Manager's ldap.conf file, is to also automatically lock the user in Microsoft Windows Active Directory:

cleartrust.data.ldap.user.windows_lockout :true

With the above set to true, after the designated number of unsuccessful login attempts, as expected the user will be both locked in Access Manager and disabled in Active Directory. 
Access Manager password policy may also include a rule to automatically unlock a locked user after a certain period of elapsed time.  However, when Access Manager's lockout time period elapses and Access Manager unlocks the user, the user remains as disabled in Active Directory and so is still unable to access resources.
ResolutionEdit Access Manager's ldap.conf file to turn off Microsoft Windows lockout:

cleartrust.data.ldap.user.windows_lockout :true

With this setting, the user is locked out in Access Manager but not disabled in Active Directory. So, when the time has elapsed for Access Manager to unlock the user, the user will still be enabled in Active Directory, and will immediately be able to access resources once again.
  • To be able to use an Access Manager password policy with Active Directory, you must manually add a ctscUserAuxClass auxiliary object as specified in the Installation Guide for your Access Manager version. For example, RSA Access Manager Server 6.2 SP4 Installation and Configuration Guide, sections "Optional Attributes for an Access Manager Server User Entry" and "Manually Add the Auxiliary User Class in AD" on pp. 170-172.
  • For more information about password policies, refer to the Administrator's Guide for your Access Manager version. For example, RSA Access Manager Server 6.2 SP3 Administrator’s Guide (which is for both SP3 and SP4), section "Password Policies" on pp. 23-28, including subsection "Lock Out (optional)" on p. 26.