Password Policy Troubleshooting

The following sections describe and provide solutions to problems that may occur when implementing password policies.

New User Passwords are Rejected

Symptom:

User-specified passwords are always rejected.

Solution:

The password policy may be too strict or improperly configured. Check the content minimums and the password length composition settings for consistency.

User Accounts are Mistakenly Disabled

Symptom:

User accounts that have not exceeded the number of permitted failed login attempts are becoming disabled.

Solution:

Check the incorrect password settings. The setting for disabling an account after a specific number of consecutive incorrect password attempts may be too low.

Setting this value too low causes a problem when two or more users, who are located in different user directories, have the same user name. When the Policy Server attempts to authorize a user, it checks all user names that correspond to the login and then attempts to match the password. If the Policy Server finds a user name that the password does not match, it records a failed attempt for that user. If this happens more than the number of times specified in the incorrect password settings, the account is disabled.
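The following simulation is added here to make that interaction concrete; it is not Policy Server code, but a simplified model of the behaviour just described. It assumes (for the model) that every account matching the login is checked on each attempt, and the two "jsmith" accounts and their passwords are constructed for the example.

```python
"""Model of failed-attempt counting when one login name exists in two user directories."""
from dataclasses import dataclass


@dataclass
class Account:
    directory: str
    login: str
    password: str            # plaintext only because this is a simulation
    failed_attempts: int = 0
    disabled: bool = False


class PolicyServerModel:
    """Simplified lockout behaviour: each candidate account whose password
    does not match the submitted one records a failed attempt (assumption:
    all candidates are checked on every login)."""

    def __init__(self, accounts, max_failed):
        self.accounts = accounts
        self.max_failed = max_failed      # the "incorrect password" threshold

    def authenticate(self, login, password):
        matched = None
        for acct in (a for a in self.accounts if a.login == login):
            if acct.disabled:
                continue
            if acct.password == password:
                matched = acct
                acct.failed_attempts = 0  # successful login clears the counter
            else:
                acct.failed_attempts += 1
                if acct.failed_attempts >= self.max_failed:
                    acct.disabled = True  # lockout triggered by someone else's logins
        return matched


def run_scenario(max_failed, logins_by_dir_b_user):
    """Constructed case: 'jsmith' exists in DirA and DirB with different passwords.
    Only the DirB jsmith ever logs in, always with the correct password.
    Returns {directory: (failed_attempts, disabled)} for both accounts."""
    accounts = [
        Account("DirA", "jsmith", "correct-horse"),
        Account("DirB", "jsmith", "battery-staple"),
    ]
    server = PolicyServerModel(accounts, max_failed)
    for _ in range(logins_by_dir_b_user):
        server.authenticate("jsmith", "battery-staple")
    return {a.directory: (a.failed_attempts, a.disabled) for a in accounts}
```

With a threshold of 3, three perfectly valid logins by the DirB user are enough to disable the DirA account, which never attempted to log in; raising the threshold (or eliminating the duplicate user names across directories) avoids this.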

User Accounts are Prematurely Disabled

Symptom:

User accounts are prematurely disabled in a multi-Policy Server environment.

Solution:

Check that there is no time differential between the Policy servers.

Password Changes are Forced

Symptom:

User accounts are forced to change passwords too soon in a multi-Policy Server environment.

Solution:

Check that there is no time differential between the Policy servers.

LDAP Users Do Not Disable

Symptom:

Password policies do not disable LDAP users.

Solution:

Check the following:

Active Directory Users Cannot Change Passwords

Symptom:

Users stored in Active Directory user directories cannot change their passwords.

Solution:

Check the following:

Incorrect Password Message Does Not Appear

Symptom:

When a user submits a password change request that contains an invalid current password, the Password Change Information screen does not open with a message stating that the current password is incorrect. Rather, the Policy Server redirects the user to:

Solution:

Enable the DisallowForceLogin registry key, which is located at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer.

DisallowForceLogin

Redirects users to the Password Change Information screen to re-enter the current password when the change request contains an invalid current password.

KeyType: REG_DWORD

Value: 0 (disabled) or 1 (enabled)

Default: 0 (disabled)

Note: If the registry key is enabled, values other than 0 or 1 are unsupported and have undefined behavior.