I have configured RSA with my local Active Directory configured as an identity source. I am using RSA AM 7.4. Is it possible to configure RSA to lock my Active Directory account when the wrong passcode has been entered 3 consecutive times?
That is not possible.
'Lockout' policy is local to the RSA Authentication Manager server.
However, in version 7 and using LDAPS, it is possible to manually enable/disable into AD.
Certain conditions must exist:
When you create an LDAP identity source in the RSA Operations Console, you can control how Authentication Manager determines whether a user is enabled for remote access.
You can set the User Account Enabled State in two ways:
• If you set User Account Enabled State to Directory,
Authentication Manager consults the user’s enabled state in the LDAP directory only.
Use the Directory setting if you want LDAP alone to control whether a user is enabled in Authentication Manager. Disabling a user account in Authentication Manager requires disabling the user account in the directory.
If the LDAP identity source is connected with read/write permissions (and using SSL), disabling the user in the RSA Security Console also disables the user’s LDAP account.
• If you set User Account Enabled State to Directory and Internal Database, Authentication Manager consults both the LDAP directory and the Authentication Manager internal database to determine a user’s enabled state.
Use the Internal Database setting if you want to be able to disable the user in Authentication Manager, but allow the user to remain enabled in the LDAP. In this case, the user is not permitted to authenticate with Authentication Manager for remote access, but there is no change in the state of the user’s LDAP account. For example, the user can still log on to Windows because the Windows Domain account remains enabled.
If the LDAP identity source is connected with read/write permissions (and using SSL), disabling the user from the RSA Security Console does not affect the user’s LDAP account.
Whichever setting you choose for User Account Enabled State, the user’s account in LDAP must be enabled for the user to authenticate with Authentication Manager.
NOTE: This is valid only for version 7.x.
In all versions 8.x and up, Authentication Manager can no longer write the enabled/disabled account state up to AD; it is all local to the RSA server. In 8.x, RSA removed the ability to write new changes and settings up to AD, but we did keep the password change ability for a user to go through the domain password change process and write the new password up to AD if using the LDAP password to access the Self-Service Console.
NOTE: All versions of Authentication Manager 7.x are no longer supported.
Product Version Life Cycle for RSA SecurID Access
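The two User Account Enabled State settings described in the answer above are easy to mix up, so here is an added illustration (not RSA code, and not part of the original post) that models the decision rules as stated: the LDAP account must be enabled under either setting, the internal database is consulted only under "Directory and Internal Database", and a disable from the Security Console reaches the LDAP account only under "Directory" with a read/write SSL connection. The class and function names, and the behaviour for a read-only identity source in Directory mode (treated as a no-op, since the text says disabling then requires a change in the directory itself), are assumptions of this model.

```python
from dataclasses import dataclass
from enum import Enum


class EnabledStateMode(Enum):
    """The two values of User Account Enabled State in the Operations Console."""
    DIRECTORY = "Directory"
    DIRECTORY_AND_INTERNAL_DB = "Directory and Internal Database"


@dataclass
class IdentitySource:
    """Hypothetical model of an LDAP identity source definition (names assumed)."""
    mode: EnabledStateMode
    read_write: bool   # connected with read/write permissions
    ssl: bool          # connected over SSL/LDAPS

    def writes_to_ldap(self) -> bool:
        # Per the quoted documentation, both conditions are needed for writes.
        return self.read_write and self.ssl


@dataclass
class UserRecord:
    """Enabled flags as seen in LDAP and in the AM internal database."""
    ldap_enabled: bool = True
    internal_db_enabled: bool = True


def can_authenticate(src: IdentitySource, user: UserRecord) -> bool:
    """Whether Authentication Manager treats the user as enabled for remote access."""
    # Whichever setting is chosen, a disabled LDAP account blocks authentication.
    if not user.ldap_enabled:
        return False
    if src.mode is EnabledStateMode.DIRECTORY:
        # LDAP alone decides; the internal database is not consulted.
        return True
    # Directory and Internal Database: both must be enabled.
    return user.internal_db_enabled


def disable_in_security_console(src: IdentitySource, user: UserRecord) -> str:
    """Model what a 'disable' in the Security Console changes (7.x semantics).

    Returns one of:
      'ldap_disabled'        - the LDAP (AD) account itself was disabled
      'internal_db_disabled' - only the AM internal database flag changed
      'not_applied'          - nothing could be written (assumed behaviour)
    """
    if src.mode is EnabledStateMode.DIRECTORY:
        if src.writes_to_ldap():
            user.ldap_enabled = False
            return "ldap_disabled"
        # Assumption: with no write path to LDAP, there is no local state to
        # flip in Directory mode, so the request cannot take effect here.
        return "not_applied"
    # Directory and Internal Database: the LDAP account is never touched.
    user.internal_db_enabled = False
    return "internal_db_disabled"


def demo() -> dict:
    """Run both settings against a fresh, fully enabled user and collect results."""
    results = {}
    for mode in EnabledStateMode:
        src = IdentitySource(mode=mode, read_write=True, ssl=True)
        user = UserRecord()
        outcome = disable_in_security_console(src, user)
        results[mode.value] = {
            "disable_outcome": outcome,
            "ldap_still_enabled": user.ldap_enabled,
            "can_authenticate": can_authenticate(src, user),
        }
    return results


if __name__ == "__main__":
    for setting, info in demo().items():
        print(setting, info)
```

The useful takeaway for the original question is visible in `can_authenticate`: Authentication Manager only ever reads the AD enabled flag, and in the model (as in the product) there is no path by which a failed-passcode counter in AM changes that flag.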
I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.