I have configured RSA with my local Active Directory configured as an identity source. I am using RSA AM 7.4. Is it possible to configure RSA to lock my Active Directory account when the wrong passcode has been entered 3 consecutive times?
I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.
Regards,
Erica
That is not possible.
'Lockout' policy is local to the RSA Authentication Manager server.
However, in version 7 and using LDAPS, it is possible to manually enable/disable into AD.
Certain conditions must exist:
When you create an LDAP identity source in the RSA Operations Console, you can control how Authentication Manager determines whether a user is enabled for remote access.
You can set the User Account Enabled State in two ways:
• If you set User Account Enabled State to Directory, Authentication Manager consults the user’s enabled state in the LDAP directory only. Use the Directory setting if you want LDAP alone to control whether a user is enabled in Authentication Manager. Disabling a user account in Authentication Manager requires disabling the user account in the directory. If the LDAP identity source is connected with read/write permissions (and using SSL), disabling the user in the RSA Security Console also disables the user’s LDAP account.
• If you set User Account Enabled State to Directory and Internal Database, Authentication Manager consults both the LDAP directory and the Authentication Manager internal database to determine a user’s enabled state. Use the Internal Database setting if you want to be able to disable the user in Authentication Manager, but allow the user to remain enabled in the LDAP. In this case, the user is not permitted to authenticate with Authentication Manager for remote access, but there is no change in the state of the user’s LDAP account. For example, the user can still log on to Windows because the Windows Domain account remains enabled. If the LDAP identity source is connected with read/write permissions (and using SSL), disabling the user from the RSA Security Console does not affect the user’s LDAP account.
Whichever setting you choose for User Account Enabled State, the user’s account in LDAP must be enabled for the user to authenticate with Authentication Manager.
NOTE: This is valid only for version 7.x.
In all versions 8.x and up, Authentication Manager can no longer write the enabled/disabled account state up to AD; it is all local to the RSA server. In 8.x, RSA removed the ability to write new changes and settings up to AD, but we did keep the password change ability for a user to go through the domain password change process and write the new password up to AD if using the LDAP password to access the Self-Service Console.
NOTE: All versions of Authentication Manager 7.x are no longer supported.
Product Version Life Cycle for RSA SecurID Access