Policy Server Guides › Policy Server Configuration Guide › Password Policies › Password Policy Troubleshooting

Password Policy Troubleshooting

The following sections describe and provide solutions to problems that may occur when implementing password policies.

New User Passwords are Rejected

Symptom:

User-specified passwords are always rejected.

Solution:

The password policy may be too strict or improperly configured. Check the content minimums and the password length composition settings for consistency.

User Accounts are Mistakenly Disabled

Symptom:

Users accounts that have not exceeded the number of permitted failed login attempts are becoming disabled.

Solution:

Check the incorrect password settings. The setting for disabling an account after a specific number of consecutive incorrect password attempts may be too low.

Setting this value too low causes a problem when two or more users, which are located in different user directories, have the same user name. When the Policy Server attempts to authorize a user, it checks all user names that correspond to the login and then attempts to match the password. If the Policy Server finds a user name that the password does not match, it records a failed attempt for that user. If this happens more than the number of times specified by the in the incorrect password settings, the account is disabled.

User Accounts are Prematurely Disabled

Symptom:

User accounts are prematurely disabled in a multi-Policy Server environment.

Solution

Check that there is no time differential between the Policy servers.

Password Changes are Forced

Symptom:

User accounts are forced to changed passwords too soon in a multi-Policy Server environment.

Solution:

Check that there is no time differential between the Policy servers.

LDAP Users Do Not Disable

Symptom:

Password policies do not disable LDAP users.

Solution:

Check the following:

• The LDAP directory to which the policy is bound is writable. You must be able to save passwords in each user’s record in the LDAP directory.
• The user directory setting is valid for password attribute, password data, and disable flag user profile attributes. More information on configuring the password attribute, password data, and disabled flag user profile attributes exists in Directory Attributes Overview.

Active Directory Users Cannot Change Passwords

Symptom:

Users stored in Active Directory user directories cannot change their passwords.

Solution:

Check the following:

• The Active Directory user directory to which the policy is bound is configured with a secure (SSL) connection.
• The Active Directory user directory to which the policy is bound is configured to use the unicodePWD Password Attribute.

Incorrect Password Message Does Not Appear

Symptom:

When a user submits a password change request that contains an invalid current password, the Password Change Information screen does not open with a message stating that the current password is incorrect. Rather, the Policy Server redirects the user to:

• The login screen without the message if an On-Auth-Reject-Redirect response is not bound to the policy configured with the user directory
• The URL associated with the On-Auth-Reject-Redirect response bound to the policy configured with the user directory

Solution:

Enable the DisallowForceLogin registry key, which is located at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer.

DisallowForceLogin

Redirects users to the Password Change Information screen to re-enter the current password when the change request contains an invalid current password.

KeyType: REG_DWORD

Value: 0 (disabled) or 1 (enabled)

Default: 0 (disabled)

Note: If the registry key is enabled, values other than 0 or 1 are unsupported and have undefined behavior.