The following sections describe and provide solutions to problems that may occur when implementing password policies.
Symptom:
User-specified passwords are always rejected.
Solution:
The password policy may be too strict or improperly configured. Check the content minimums and the password length composition settings for consistency.
Symptom:
Users accounts that have not exceeded the number of permitted failed login attempts are becoming disabled.
Solution:
Check the incorrect password settings. The setting for disabling an account after a specific number of consecutive incorrect password attempts may be too low.
Setting this value too low causes a problem when two or more users, which are located in different user directories, have the same user name. When the Policy Server attempts to authorize a user, it checks all user names that correspond to the login and then attempts to match the password. If the Policy Server finds a user name that the password does not match, it records a failed attempt for that user. If this happens more than the number of times specified by the in the incorrect password settings, the account is disabled.
Symptom:
User accounts are prematurely disabled in a multi-Policy Server environment.
Solution
Check that there is no time differential between the Policy servers.
Symptom:
User accounts are forced to changed passwords too soon in a multi-Policy Server environment.
Solution:
Check that there is no time differential between the Policy servers.
Symptom:
Password policies do not disable LDAP users.
Solution:
Check the following:
Symptom:
Users stored in Active Directory user directories cannot change their passwords.
Solution:
Check the following:
Symptom:
When a user submits a password change request that contains an invalid current password, the Password Change Information screen does not open with a message stating that the current password is incorrect. Rather, the Policy Server redirects the user to:
Solution:
Enable the DisallowForceLogin registry key, which is located at HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer.
Redirects users to the Password Change Information screen to re-enter the current password when the change request contains an invalid current password.
KeyType: REG_DWORD
Value: 0 (disabled) or 1 (enabled)
Default: 0 (disabled)
Note: If the registry key is enabled, values other than 0 or 1 are unsupported and have undefined behavior.
Copyright © 2012 CA.
All rights reserved.
|
|