CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 5th July 2016

Issue:

Active Directory service account (admin account defined with the AD user store setup) is getting locked out frequently.

End users are able to login to protected resources accordingly.

Environment:

Policy Server: R12.52 SP1

User Directory: Active Directory with LDAP namespace

“Enhance Active Directory Integration” is unchecked

Cause:

With “Use authenticated user’s security context” checked in the user store setup, Policy Server validates the service account against ADSI when end user is authenticated (despite the authorization status).

During this validation, Policy Server sends encrypted password to ADSI. However, ADSI does not accept encrypted password hence this validation failure increases service account’s badPwdCount. Eventually the account is locked out when max failed attempts threshold is reached.

Resolution:

This defect is addressed with R12.52 SP1 CR4 release. Policy Server now sends clear text password to ADSI for service account validation.