RSA Access Manager password policy for automatic user unlock does not work when using an Active Directory user store
Originally Published: 2017-09-21
Article Number
000041523
Applies To
RSA Product Set: Access Manager
RSA Version/Condition: 6.2 and later
 
Issue
Automatic user unlock according to an RSA Access Manager password policy does not work when using a Microsoft Windows Active Directory user store. After the lock period has elapsed, the user is unlocked in Access Manager but remains disabled in Active Directory, and so is still unable to access resources.
Cause
When using RSA Access Manager with Microsoft Windows Active Directory as a data store, it is recommended to use Active Directory's own password policy.
However, if an Access Manager password policy is used instead, it is necessary to eliminate conflict by making the Access Manager policy more strict than Active Directory's policy.
An Access Manager password policy can include a rule to automatically lock out a user after a number of unsuccessful login attempts. By default, the following setting in Access Manager's ldap.conf file causes such a lockout to also disable the user in Microsoft Windows Active Directory:
cleartrust.data.ldap.user.windows_lockout :true

With the above set to true, after the designated number of unsuccessful login attempts, as expected the user will be both locked in Access Manager and disabled in Active Directory. 
An Access Manager password policy may also include a rule to automatically unlock a locked user after a certain period of time has elapsed. However, when Access Manager's lockout period elapses and Access Manager unlocks the user, the user remains disabled in Active Directory and so is still unable to access resources.
Resolution
Edit Access Manager's ldap.conf file to turn off Microsoft Windows lockout:
cleartrust.data.ldap.user.windows_lockout :false

With this setting, the user is locked out in Access Manager but not disabled in Active Directory. So, when the time has elapsed for Access Manager to unlock the user, the user will still be enabled in Active Directory, and will immediately be able to access resources once again.
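The following Python script is an added example and is not part of the original article or of the RSA product. It parses the "key :value" line syntax shown above for the windows_lockout setting, reports whether a configuration reproduces the conflict described in the Cause section (Access Manager auto-unlock combined with windows_lockout set to true), and rewrites the line to false while leaving the rest of the file untouched. The ldap.conf fragment is constructed for the example; the function names are the example's own.

```python
import re

# The setting named in the article. The line syntax follows the article's
# example: key, optional whitespace, a colon, then the value.
KEY = "cleartrust.data.ldap.user.windows_lockout"
LINE_RE = re.compile(r"^(\s*)(" + re.escape(KEY) + r")(\s*:\s*)(\S+)(\s*)$")

# Constructed sample ldap.conf fragment (not a real file from the product).
SAMPLE_LDAP_CONF = """# ldap.conf (constructed sample)
cleartrust.data.ldap.user.windows_lockout :true
cleartrust.data.ldap.some.other.setting :value
"""


def get_windows_lockout(conf_text):
    """Return True/False for the windows_lockout setting, or None if the key
    is not present as an active (uncommented) line."""
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)  # a '#'-prefixed line cannot match the anchored key
        if m:
            return m.group(4).lower() == "true"
    return None


def set_windows_lockout(conf_text, enabled):
    """Rewrite the setting in place, preserving every other line and the
    file's own 'key :value' spacing; append the line if the key is absent."""
    value = "true" if enabled else "false"
    out, replaced = [], False
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{value}"
            replaced = True
        out.append(line)
    if not replaced:
        out.append(f"{KEY} :{value}")
    return "\n".join(out) + "\n"


def audit(conf_text, am_auto_unlock_enabled):
    """Report whether the configuration matches the failure mode in the
    article: Access Manager auto-unlock plus windows_lockout=true leaves
    users disabled in Active Directory after Access Manager unlocks them."""
    lockout = get_windows_lockout(conf_text)
    if lockout is None:
        return "windows_lockout not set explicitly; confirm the effective default"
    if am_auto_unlock_enabled and lockout:
        return ("CONFLICT: windows_lockout is true; users unlocked by "
                "Access Manager stay disabled in Active Directory")
    return "ok"


if __name__ == "__main__":
    print(audit(SAMPLE_LDAP_CONF, am_auto_unlock_enabled=True))
    fixed = set_windows_lockout(SAMPLE_LDAP_CONF, False)
    print(fixed, end="")
    print(audit(fixed, am_auto_unlock_enabled=True))
```

The audit deliberately distinguishes a missing key from an explicit value: if the line is absent, the script asks the operator to confirm the effective default rather than assuming one, since the article only describes the shipped ldap.conf where the key is present and set to true.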
Notes
  • To be able to use an Access Manager password policy with Active Directory, you must manually add a ctscUserAuxClass auxiliary object as specified in the Installation Guide for your Access Manager version. For example, RSA Access Manager Server 6.2 SP4 Installation and Configuration Guide, sections "Optional Attributes for an Access Manager Server User Entry" and "Manually Add the Auxiliary User Class in AD" on pp. 170-172.
  • For more information about password policies, refer to the Administrator's Guide for your Access Manager version. For example, RSA Access Manager Server 6.2 SP3 Administrator’s Guide (which is for both SP3 and SP4), section "Password Policies" on pp. 23-28, including subsection "Lock Out (optional)" on p. 26.