RSA Access Manager password policy for automatic user unlock does not work when using an Active Directory user store
Originally Published: 2017-09-21
Article Number
Applies To
RSA Version/Condition: 6.2 and later
Issue
Cause
However, if an Access Manager password policy is used instead, it is necessary to eliminate conflict by making the Access Manager policy more strict than Active Directory's policy.
Access Manager policy can include a rule to automatically lock out a user after several unsuccessful login attempts. The default setting when that occurs, in Access Manager's ldap.conf file, is to also automatically lock the user in Microsoft Windows Active Directory:
cleartrust.data.ldap.user.windows_lockout :true
With the above set to true, after the designated number of unsuccessful login attempts the user will, as expected, be both locked in Access Manager and disabled in Active Directory.
Access Manager password policy may also include a rule to automatically unlock a locked user after a certain period of elapsed time. However, when Access Manager's lockout time period elapses and Access Manager unlocks the user, the user remains as disabled in Active Directory and so is still unable to access resources.
Resolution
Change the setting in Access Manager's ldap.conf file so that an Access Manager lockout no longer disables the user in Active Directory:
cleartrust.data.ldap.user.windows_lockout :false
With this setting, the user is locked out in Access Manager but not disabled in Active Directory. So, when the time has elapsed for Access Manager to unlock the user, the user will still be enabled in Active Directory, and will immediately be able to access resources once again.
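As an added illustration (not part of the original article or of RSA's software), the following script audits an ldap.conf excerpt for the conflict described above: a windows_lockout value of true combined with an Access Manager auto-unlock policy, which leaves the user disabled in Active Directory after Access Manager unlocks them. The "key :value" line syntax is assumed from the single line quoted in the article, and the sample excerpt and its other key are constructed.

```python
import re

# Setting discussed in the article: when true, an Access Manager lockout also
# disables the user in Active Directory, and Access Manager's timed auto-unlock
# does not re-enable the AD account.
WINDOWS_LOCKOUT_KEY = "cleartrust.data.ldap.user.windows_lockout"

# Constructed sample of an ldap.conf excerpt. The "key :value" spacing follows
# the line quoted in the article; the other key is hypothetical.
SAMPLE_LDAP_CONF = """\
# constructed Access Manager ldap.conf excerpt
cleartrust.data.ldap.user.some_other_setting :example
cleartrust.data.ldap.user.windows_lockout :true
"""


def parse_conf(text):
    """Parse 'key :value' (or 'key = value') lines into a dict, skipping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([\w.]+)\s*[:=]\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def check_auto_unlock_conflict(conf_text, am_auto_unlock_enabled=True):
    """Return a finding if Access Manager's auto-unlock cannot take effect, else None."""
    settings = parse_conf(conf_text)
    value = settings.get(WINDOWS_LOCKOUT_KEY, "false").lower()
    if am_auto_unlock_enabled and value == "true":
        return (f"{WINDOWS_LOCKOUT_KEY} is true: locked users are also disabled in "
                "Active Directory and stay disabled after Access Manager unlocks "
                "them; set it to false")
    return None


def fixed_conf(conf_text):
    """Rewrite the setting to false, preserving the file's ' :' spacing."""
    pattern = re.compile(
        rf"^({re.escape(WINDOWS_LOCKOUT_KEY)}\s*[:=]\s*)true\s*$", re.M | re.I)
    return pattern.sub(r"\1false", conf_text)
```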
Notes
- To be able to use an Access Manager password policy with Active Directory, you must manually add a ctscUserAuxClass auxiliary object as specified in the Installation Guide for your Access Manager version. For example, RSA Access Manager Server 6.2 SP4 Installation and Configuration Guide, sections "Optional Attributes for an Access Manager Server User Entry" and "Manually Add the Auxiliary User Class in AD" on pp. 170-172.
- For more information about password policies, refer to the Administrator's Guide for your Access Manager version. For example, RSA Access Manager Server 6.2 SP3 Administrator’s Guide (which is for both SP3 and SP4), section "Password Policies" on pp. 23-28, including subsection "Lock Out (optional)" on p. 26.