RSA Access Manager password policy for automatic user unlock does not work when using an Active Directory user store
Originally Published: 2017-09-21
Applies To
RSA Version/Condition: 6.2 and later
Issue
Cause
If an Access Manager password policy is used instead of Active Directory's own password policy, conflicts between the two must be eliminated by making the Access Manager policy stricter than Active Directory's.
An Access Manager policy can include a rule that automatically locks out a user after a set number of unsuccessful login attempts. By default, the following setting in Access Manager's ldap.conf file causes that lockout to also disable the user in Microsoft Windows Active Directory:
cleartrust.data.ldap.user.windows_lockout :true
With the above set to true, after the designated number of unsuccessful login attempts the user will, as expected, be both locked in Access Manager and disabled in Active Directory.
An Access Manager password policy may also include a rule that automatically unlocks a locked user after a certain period of elapsed time. However, when that lockout period elapses and Access Manager unlocks the user, the user remains disabled in Active Directory and so is still unable to access resources.
Resolution
So that Access Manager's automatic unlock restores access, change the setting in ldap.conf so that an Access Manager lockout does not also disable the user in Active Directory:
cleartrust.data.ldap.user.windows_lockout :false
With this setting, the user is locked out in Access Manager but not disabled in Active Directory. So, when the time has elapsed for Access Manager to unlock the user, the user will still be enabled in Active Directory, and will immediately be able to access resources once again.
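The following is an added example, not RSA's code, that audits an ldap.conf for the setting discussed above and rewrites it when automatic unlock is in use. It assumes the ClearTrust-style "key :value" line format shown in this article and treats lines beginning with "#" as comments (an assumption about the file format); the sample file contents are constructed, not taken from a real installation.

```python
"""Audit an RSA Access Manager ldap.conf for the Windows lockout setting.

Added example, not RSA's code. Assumes the 'key :value' line format shown
in the article and that '#' introduces a comment (format assumption).
"""
from typing import Dict, List, Optional

KEY = "cleartrust.data.ldap.user.windows_lockout"

# Constructed sample contents, not copied from a real installation.
SAMPLE_CONF_DEFAULT = """\
# ldap.conf (constructed sample): default, lockout also disables the AD user
cleartrust.data.ldap.user.windows_lockout :true
"""

SAMPLE_CONF_FIXED = """\
# ldap.conf (constructed sample): default, lockout also disables the AD user
cleartrust.data.ldap.user.windows_lockout :false
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key :value' lines into a dict; blank and '#' lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comments, blanks and lines not in key :value form
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def windows_lockout_value(text: str) -> Optional[str]:
    """Return the configured value (lower-cased) or None if the key is absent."""
    value = parse_conf(text).get(KEY)
    return value.lower() if value is not None else None


def check_auto_unlock_compat(text: str, auto_unlock: bool) -> List[str]:
    """Report findings when the Access Manager policy auto-unlocks users
    but the lockout also disables the user in Active Directory."""
    findings: List[str] = []
    if not auto_unlock:
        return findings  # no automatic unlock, so no conflict to report
    value = windows_lockout_value(text)
    if value == "true":
        findings.append(
            f"{KEY} is true: users unlocked by Access Manager stay disabled "
            "in Active Directory; set it to false"
        )
    elif value is None:
        findings.append(f"{KEY} is not present in ldap.conf; verify its value")
    return findings


def set_windows_lockout(text: str, enabled: bool) -> str:
    """Return the file contents with the setting forced to the given value,
    keeping every other line as-is and appending the key if it is missing."""
    wanted = f"{KEY} :{'true' if enabled else 'false'}"
    out: List[str] = []
    found = False
    for raw in text.splitlines():
        stripped = raw.strip()
        is_key = (not stripped.startswith("#")
                  and stripped.partition(":")[0].strip() == KEY)
        if is_key:
            out.append(wanted)
            found = True
        else:
            out.append(raw)
    if not found:
        out.append(wanted)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_auto_unlock_compat(SAMPLE_CONF_DEFAULT, auto_unlock=True):
        print("FINDING:", finding)
    print(set_windows_lockout(SAMPLE_CONF_DEFAULT, enabled=False), end="")
```

Run the check against a copy of ldap.conf from each Access Manager server; with windows_lockout set to false the account is no longer disabled in Active Directory, so repeated failed logins will be visible only in Access Manager's own lockout events rather than in Active Directory's.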
Notes
- To be able to use an Access Manager password policy with Active Directory, you must manually add a ctscUserAuxClass auxiliary object as specified in the Installation Guide for your Access Manager version. For example, RSA Access Manager Server 6.2 SP4 Installation and Configuration Guide, sections "Optional Attributes for an Access Manager Server User Entry" and "Manually Add the Auxiliary User Class in AD" on pp. 170-172.
- For more information about password policies, refer to the Administrator's Guide for your Access Manager version. For example, RSA Access Manager Server 6.2 SP3 Administrator’s Guide (which is for both SP3 and SP4), section "Password Policies" on pp. 23-28, including subsection "Lock Out (optional)" on p. 26.