000021547 - badPwdCount incremented multiple times in Active Directory for a single failed attempt at logon to RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Number: 000021547
Applies To: Microsoft Active Directory
Microsoft Windows 2000 Server SP4
RSA ClearTrust 5.5 Authorization Server (AServer)
Issue: badPwdCount incremented multiple times in Active Directory for a single failed attempt at logon to RSA ClearTrust
badPwdCount is incremented multiple times in Active Directory for a single failed logon attempt. As a result, a user account can reach the account lockout threshold after fewer failed logon attempts than the threshold allows.
Resolution: This issue is resolved in hot fix 5.5.2.42 for RSA ClearTrust Servers. Contact RSA Security Customer Support to request this hot fix, or request the latest fix level (fix levels are cumulative and contain the fixes from all previous levels). Review the Readme file provided with the hot fix for installation instructions.

This hot fix corrects a number of problems in the Active Directory connection pool for activedirectory-bind. When Active Directory is used as the datastore for ClearTrust, a second LDAP connection, activedirectory-bind, is required for authentication of user accounts. The authorization server maintains a pool of these connections and rotates through them. When a user logs on with an invalid password, the authorization server attempts to bind with those credentials and the bind fails; but before attempting that bind, the server first tests the connection by binding with the credentials the connection currently holds. Prior to this hot fix, the user's incorrect credentials were retained in the connection after the failed bind, so the next time that connection came up for use, the invalid credentials were used to test the state of the connection. That test is itself a failed bind against the domain controller, so it counts as another bad password and increments the user's badPwdCount even though the user made no further attempt.

With keepalives enabled, every connection in the pool was guaranteed to be tested within a set time frame, so the invalid credentials were guaranteed to be replayed at each keepalive interval until the connection was rebound. A single mistyped password could therefore drive badPwdCount up to the lockout threshold while the user was idle.

NOTE: With this hot fix, after a failed user bind the connection is rebound with the administrative account credentials under which it was first opened, so subsequent connection tests and keepalives no longer replay the user's invalid password.
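The following model, added here as an illustration and not taken from RSA's ClearTrust code, reproduces the mechanism described above: a round-robin pool whose connections are health-checked by rebinding with whatever credentials they currently hold, a keepalive sweep that tests every connection, and a toy directory that counts failed simple binds the way Active Directory counts badPwdCount (and resets the count on a successful bind). The service account, user account and class names are assumptions. Switching `fixed` between False and True shows the pre-fix behaviour (one wrong password, several badPwdCount increments) beside the hot-fix behaviour (the connection falls back to the administrative credentials, so only the user's own failed bind is counted).

```python
"""Model of the ClearTrust activedirectory-bind connection pool, before and
after the 5.5.2.42 hot fix.

Constructed illustration only: not RSA code. The account names, the class
names and the pool size are assumptions; a toy directory stands in for a
domain controller and counts failed simple binds as badPwdCount.
"""
from dataclasses import dataclass

# Assumed service account the pool is opened under, and one assumed user.
ADMIN_DN = "cn=cleartrust-svc,cn=Users,dc=example,dc=com"
ADMIN_PW = "svc-password"
USER_DN = "cn=alice,cn=Users,dc=example,dc=com"
USER_PW = "Correct-Password-1"


class MockDirectory:
    """Stand-in for a domain controller: every failed simple bind against an
    existing account increments that account's badPwdCount; a successful
    bind resets it, as AD does."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.bad_pwd_count = {dn: 0 for dn in accounts}

    def bind(self, dn, password):
        if dn in self.accounts and self.accounts[dn] == password:
            self.bad_pwd_count[dn] = 0
            return True
        if dn in self.accounts:
            self.bad_pwd_count[dn] += 1
        return False


@dataclass
class PooledConnection:
    directory: MockDirectory
    dn: str = ADMIN_DN
    password: str = ADMIN_PW

    def test(self):
        # Pre-bind health check: rebind with whatever credentials the
        # connection currently holds. When the connection has retained a
        # user's wrong password, this check replays it against the DC.
        return self.directory.bind(self.dn, self.password)

    def authenticate(self, user_dn, user_pw, fixed):
        self.test()
        ok = self.directory.bind(user_dn, user_pw)
        if fixed:
            # Hot-fix behaviour: fall back to the administrative credentials
            # the connection was opened with, whether or not the bind worked.
            self.dn, self.password = ADMIN_DN, ADMIN_PW
        else:
            # Pre-fix behaviour: the connection keeps the last credentials it
            # bound with, valid or not.
            self.dn, self.password = user_dn, user_pw
        return ok


class ConnectionPool:
    """Round-robin pool of activedirectory-bind connections with keepalives."""

    def __init__(self, directory, size, fixed):
        self.conns = [PooledConnection(directory) for _ in range(size)]
        self.fixed = fixed
        self._next = 0

    def authenticate(self, user_dn, user_pw):
        conn = self.conns[self._next % len(self.conns)]
        self._next += 1
        return conn.authenticate(user_dn, user_pw, self.fixed)

    def keepalive(self):
        # Periodic sweep: every connection is tested within the interval.
        for conn in self.conns:
            conn.test()


def simulate(fixed, keepalive_rounds=2, pool_size=3):
    """One wrong-password logon followed by keepalive sweeps; returns the
    resulting badPwdCount on the user's account."""
    ad = MockDirectory({ADMIN_DN: ADMIN_PW, USER_DN: USER_PW})
    pool = ConnectionPool(ad, pool_size, fixed)
    pool.authenticate(USER_DN, "wrong-password")   # the single failed logon
    for _ in range(keepalive_rounds):
        pool.keepalive()
    return ad.bad_pwd_count[USER_DN]


if __name__ == "__main__":
    print("before fix:", simulate(fixed=False))  # → 3 (1 logon + 2 keepalives)
    print("after fix: ", simulate(fixed=True))   # → 1
```

In the pre-fix run the tainted connection replays the bad password once per keepalive sweep, so the count grows by one per interval until the lockout threshold is reached; in the hot-fix run only the user's own failed bind is counted. The same pattern is what to look for on a real domain controller when diagnosing this issue: badPwdCount on the account keeps rising at a regular interval after a single user mistake.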

For more information, see the solution "RSA ClearTrust users occasionally unable to authenticate using valid username and password".
Legacy Article ID: a23622
