000030150 - Authentication Manager 8.1 passcode shown as incorrect passcode under certain conditions with CA Siteminder.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030150
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue: The customer has user lockout set to 4 incorrect passcodes. When he tests with CA Siteminder and enters 3 bad tokencodes, the user is placed in 'next tokencode' mode, but CA Siteminder does not relay that to the user. The next time the user tries to log in and enters the correct passcode, CA Siteminder actually sends an incorrect passcode to the 8.1 Authentication Manager and gives the user the message that they are in 'next tokencode' mode and must enter the very next token. Because the site is set up to lock a user after 4 incorrect passcodes, the user is now locked. The customer was very concerned, since he had really only entered 3 incorrect passcodes, and the same test works if he uses an Authentication Agent for Windows or a PAM Agent. Only CA Siteminder appears to behave this way.
Cause: After discussing this with the Head of the Partner Group, it was discovered that this is a 'feature' of CA Siteminder.
Resolution: The customer can either set the number of incorrect passcodes needed for lockout to 5 or use some other agent besides CA Siteminder.
Workaround: The customer can either set the number of incorrect passcodes needed for lockout to 5 or use some other agent besides CA Siteminder.
