000030150 - Incorrect passcode under certain conditions from CA Siteminder to RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jan 6, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030150
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
  • User lockout is set to four incorrect passcodes.  
  • If  testing with the CA Siteminder and three bad tokencodes are given, the user is now set to Next Tokencode Mode.
  • The CA Siteminder does not relay that the user is in Next Tokencode Mode to the user.  
  • The next time the user tries to login and gives the correct passcode, the CA Siteminder sends an incorrect passcode message to Authentication Manager and gives the user the message that they are in Next Tokencode Mode and to input the next tokencode.  
  • Because the site was set up for four incorrect passcodes to lock a user, the user is now locked.  
  • This works as documented for various RSA Authentication Agents (Windows, PAM, etc.) 
  • It is only the CA Siteminder that appears to do this.
CauseAfter discussing this with the head of the RSA Partner group, it is reported that this is a 'feature' of CA Siteminder.
ResolutionAs a resolution, either set the number of incorrect passcodes needed to five or use some other agent besides CA Siteminder.
WorkaroundEither set the number of incorrect passcodes needed to five or use some other agent besides CA Siteminder.

Attachments

    Outcomes