Symantec Access Management

Tech Tip - CA Single Sign-On: AD user continue to get login prompt despite reaching max login attempts

By wonsa03 posted 04-14-2016 08:31 PM


CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 15th April 2016



SM password policy is created against Active Directory user store with LDAP namespace, to disable user after 3 successive incorrect password login.

User is continuously getting prompt after 3 successive failed login. With Enhanced AD Integration disabled, user is redirected to the SM password policy page accordingly.



accountExpires and badPwdCount are the additional AD native attributes that Policy Server validates, when Enhanced AD Integration enabled. Hence, if user account is expired or bad password count has reached its limit on AD end, password policy will be triggered on next login and user will be redirected to the SM password policy page.

With Enhanced AD integration disabled, PS will rely on userAccountControl and SM Disabled Flag attributes to determine user status.

Additionally, if user directory has a native password policy, this policy must be less restrictive than the SM password policy or disabled.

Customer has both SM and AD native password policy set to disable user after 3 successive failed login causing conflict between both password policies.



Update the AD native password policy to be less restrictive – disable user after 4 successive failed login.


Update SM password policy to be more restrictive – disable user after 2 successive failed login.


Disable AD native password policy.

1 comment
1 view


04-14-2016 09:01 PM

If SM Password policy is configured to disable user after 3 failed login attempt. The failed login count is stored in the password blob.

There is no way user will be prompted for login even after 3 failed login attempt.

Is there something I am missing ?