|Applies To||RSA Product Set: Access Manager|
RSA Version/Condition: 6.2 and later
|Issue||Automatic user unlocks according to an RSA Access Manager policy does not work when using a Microsoft Windows Active Directory user store. After the lock period has elapsed, the user is unlocked in Access Manager, but is disabled in Active Directory and so is unable to access resources.|
|Cause||When using RSA Access Manager with Microsoft Windows Active Directory as a data store, it is recommended to use Active Directory's own password policy.|
However, if an Access Manager password policy is used instead, it is necessary to eliminate conflict by making the Access Manager policy more strict than Active Directory's policy.
Access Manager policy can include a rule to automatically lockout a user after several unsuccessful login attempts. The default setting when that occurs, in Access Manager's ldap.conf file, is to also automatically lock the user in Microsoft Windows Active Directory:
With the above set to true, after the designated number of unsuccessful login attempts, as expected the user will be both locked in Access Manager and disabled in Active Directory.
Access Manager password policy may also include a rule to automatically unlock a locked user after a certain period of elapsed time. However, when Access Manager's lockout time period elapses and Access Manager unlocks the user, the user remains as disabled in Active Directory and so is still unable to access resources.
|Resolution||Edit Access Manager's ldap.conf file to turn off Microsoft Windows lockout:|
With this setting, the user is locked out in Access Manager but not disabled in Active Directory. So, when the time has elapsed for Access Manager to unlock the user, the user will still be enabled in Active Directory, and will immediately be able to access resources once again.