Layer7 Access Management

Tech Tip - CA Single Sign-On: AD service account getting locked out frequently

By wonsa03 posted 07-04-2016 06:24 PM

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 5th July 2016



The Active Directory service account (the admin account defined in the AD user store setup) is getting locked out frequently.

End users are still able to log in to protected resources as expected.



Policy Server: R12.52 SP1

User Directory: Active Directory with LDAP namespace

“Enhance Active Directory Integration” is unchecked



With “Use authenticated user’s security context” checked in the user store setup, Policy Server validates the service account against ADSI each time an end user is authenticated, regardless of the authorization result.


During this validation, Policy Server sends the service account’s password to ADSI in encrypted form. ADSI does not accept an encrypted password, so every validation fails and each failure increments the service account’s badPwdCount. The account is locked out once the domain’s maximum failed-attempts threshold is reached.
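To confirm that this is what is happening in a given environment, the following PowerShell check is added here (it is not part of the tech tip or a CA-supplied script). It reads the lockout-related attributes of the service account from every domain controller, so that a badPwdCount which climbs in step with end-user logins, rather than with any administrator activity, can be confirmed before or after applying the fix. The account name `svc-siteminder` is a placeholder for the admin account configured in the user store; the script requires the ActiveDirectory RSAT module and read access to the account object.

```powershell
# Added example (not from the tech tip): query each DC for the service account's
# badPwdCount, last bad-password time and lockout time.
# badPwdCount and badPasswordTime are NOT replicated: each DC keeps its own copy and
# forwards bad-password notifications to the PDC emulator, so every DC is queried.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-siteminder'   # placeholder: the admin account from the AD user store setup

# Domain lockout policy, to show how many failures remain before lockout
$policy = Get-ADDefaultDomainPasswordPolicy
"Lockout threshold: {0}  Observation window: {1}" -f $policy.LockoutThreshold, $policy.LockoutObservationWindow

$pdc = (Get-ADDomain).PDCEmulator

Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $u = Get-ADUser -Identity $ServiceAccount -Server $dc -Properties badPwdCount, badPasswordTime, lockoutTime

        # Both timestamps are stored as Windows FILETIME (100 ns ticks since 1601); 0 means "never"/"not locked"
        $lastBad = $null
        if ($u.badPasswordTime -gt 0) { $lastBad = [DateTime]::FromFileTime($u.badPasswordTime) }
        $lockedSince = $null
        if ($u.lockoutTime -gt 0) { $lockedSince = [DateTime]::FromFileTime($u.lockoutTime) }

        [pscustomobject]@{
            DC              = $dc
            IsPDC           = ($dc -eq $pdc)
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $lastBad
            LockedOutSince  = $lockedSince
        }
    }
    catch {
        # A DC that cannot be reached still appears in the table so the gap is visible
        [pscustomobject]@{
            DC              = $dc
            IsPDC           = ($dc -eq $pdc)
            BadPwdCount     = 'query failed'
            LastBadPassword = $_.Exception.Message
            LockedOutSince  = $null
        }
    }
} | Sort-Object -Property IsPDC -Descending | Format-Table -AutoSize
```

Run it a few times while end users are logging in: if the symptom described above is present, LastBadPassword on the DCs that Policy Server binds to advances with each end-user login and BadPwdCount rises towards the lockout threshold even though nobody is using the service account interactively. The PDC emulator row is the one to watch, since it receives the bad-password notifications from all other DCs and is therefore the first to reach the threshold.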



This defect is addressed in the R12.52 SP1 CR4 release. Policy Server now sends the clear text password to ADSI when validating the service account, so the validation succeeds and badPwdCount is no longer incremented.