000022282 - Which attribute in Microsoft Active Directory is used to store the locked out (lockout) status for RSA ClearTrust?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000022282
Applies To: RSA ClearTrust 5.5.3; Microsoft Active Directory 2003
Issue: Which attribute in Microsoft Active Directory is used to store the locked out (lockout) status for RSA ClearTrust?
Resolution: The locked out flag is the userAccountControl attribute; specifically, it is mapped to the Microsoft Management Console (MMC) snap-in setting of "Enable Account" or "Disable Account". In RSA ClearTrust, this value is also modifiable in the Entitlements Manager (Admin GUI) through the "User is locked out" option button. The userAccountControl attribute is actually a long integer bit-flag value that carries the account lockout status, and the status is set by setting one of the bits in the flag. For more information, see the Microsoft web site at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144.

Note that there is a major difference between Active Directory and other datastores with respect to how user lockout works. In all datastores, ClearTrust sends users to the correct logon error page if the user is locked out. In all datastores, an administrator may lock out a user by explicitly setting the user lockout state. However, in all datastores except Active Directory, the account lockout status is also set automatically when the user's password retry count has been exceeded. For Active Directory, ClearTrust does not manage the Active Directory password retry attempts, and the account lockout status is not set when the user's password retry count is exceeded. Instead, users who exceed the password retry count set within Active Directory itself are sent to the error page defined for invalid password.
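The following is an added example, not code from the RSA article or the ClearTrust product, showing how the two states the article contrasts look in the directory data: the ACCOUNTDISABLE bit of userAccountControl (the MMC "Disable Account" setting that ClearTrust's "User is locked out" maps to) versus Active Directory's own bad-password lockout, which is recorded in the separate lockoutTime attribute rather than in a writable userAccountControl bit. The bit values are the UF_* constants documented in Microsoft KB 305144; the LDAP entry dictionaries are constructed sample data.

```python
# Added example: decode and safely modify the AD userAccountControl bitmask.
# Bit values are the documented UF_* flags (KB 305144).
ACCOUNTDISABLE = 0x0002        # MMC "Disable Account" / ClearTrust "User is locked out"
LOCKOUT = 0x0010               # AD bad-password lockout; not writable via this attribute
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    LOCKOUT: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def is_disabled(value):
    """True when the ACCOUNTDISABLE bit (the ClearTrust lockout flag) is set."""
    return bool(value & ACCOUNTDISABLE)


def set_disabled(value, disabled):
    """Read-modify-write: change only ACCOUNTDISABLE and keep every other bit,
    so writing the new value back does not clobber unrelated account settings."""
    return value | ACCOUNTDISABLE if disabled else value & ~ACCOUNTDISABLE


def lockout_state(entry):
    """Classify a (constructed) LDAP entry dict of attribute name -> string value.

    ClearTrust's explicit lockout lives in userAccountControl; AD's own retry
    lockout is signalled by a non-zero lockoutTime (this example does not check
    whether lockoutDuration has since expired)."""
    uac = int(entry.get("userAccountControl", str(NORMAL_ACCOUNT)))
    ad_locked = int(entry.get("lockoutTime", "0")) != 0
    if is_disabled(uac) and ad_locked:
        return "disabled-and-ad-locked"
    if is_disabled(uac):
        return "disabled"       # ClearTrust sends the user to the locked-out page
    if ad_locked:
        return "ad-locked"      # ClearTrust sends the user to the invalid-password page
    return "enabled"


# Constructed sample entry: a normal, enabled account (0x200 = 512)
sample_entry = {"userAccountControl": "512", "lockoutTime": "0"}
```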
Legacy Article ID: a27786
