

User Accounts Incorrectly Disabled (96283)

Valid for password policies configured with Active Directory.

Symptom:

When a password policy was configured with an Active Directory user store that was part of a cluster, unexpected behavior occurred when a user exceeded the maximum number of failed login attempts. SiteMinder disabled the user account instead of locking it.

Solution:

In a clustered Active Directory environment, each member of the cluster keeps its own failed login count. The user is not locked out until one of the cluster members reaches the limit. For example, if an Active Directory cluster contains three members and each member has a lockout threshold of three failed login attempts, between three and seven failed login attempts can be allowed.
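The per-member counting described above can be modelled to show how many failed logins fit before any single member reaches its threshold. This Python sketch is an added example, not SiteMinder or Active Directory code; it assumes each failed attempt is counted by exactly one member and that counters do not reset during the sequence.

```python
from itertools import product

def attempts_until_lockout(routing, members, threshold):
    """Count failed logins until any one member's own counter hits threshold.

    routing[i] is the index of the cluster member that counts attempt i
    (an assumption of this model). Returns None if no member reaches
    the threshold within the given routing.
    """
    counts = [0] * members          # one independent counter per member
    for used, member in enumerate(routing, start=1):
        counts[member] += 1
        if counts[member] >= threshold:
            return used
    return None

def lockout_window(members, threshold):
    """Return (fewest, most) failed logins possible before lockout.

    Enumerates every way the attempts can be spread across members.
    members * (threshold - 1) + 1 attempts always suffice: by then at
    least one member must have counted `threshold` failures.
    """
    longest = members * (threshold - 1) + 1
    outcomes = {
        attempts_until_lockout(r, members, threshold)
        for r in product(range(members), repeat=longest)
    }
    return min(outcomes), max(outcomes)

if __name__ == "__main__":
    # The page's example: three members, threshold of three on each.
    print(lockout_window(3, 3))
```

The same function gives the effective lockout range for other cluster sizes and thresholds, which is useful when reviewing whether a configured policy limit is actually enforced.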

To configure SiteMinder to track failed logins correctly and lock user accounts when user stores are part of an Active Directory cluster:

  1. Log in to the Policy Server host system.
  2. Do one of the following:
  3. Create the ADLockoutMode registry key with a registry value type of DWORD.

    Value: 1 or 0

    1: Enables the registry key.

    0: Disables the registry key.

    If the registry value is zero (0) or does not exist, the existing default behavior applies.

  4. Do one of the following:
  5. Restart the Policy Server.

STAR Issue: 18593389