Layer7 Access Management

Expand all | Collapse all

Account does not get locked when smapsFailureCount >5

Jump to Best Answer
  • 1.  Account does not get locked when smapsFailureCount >5

    Posted 09-25-2017 05:19 PM
      |   view attached

    Single Sign On (Siteminder) Server - 12.52 SP1

     

    We have setup two password policies so that user can choose anything from username or email to login with. On both the password policies, the value of 'Account disabled after successive incorrect password' is set to 5. So the user account should lock out when smapsFailureCount value becomes 5.

     

    When both username and email are same and password is incorrect, the smapsFailureCount value increases twice because it queried the user directory twice for two password policies. So for the 3rd such attempt, the smapsFailureCount value becomes 6.

     

    However, for the above users, the account is not getting locked on 3rd attempt, but the siteminder allows the smapsFailureCount value to grow and locks the user on his 5th incorrect attempt.

    Attachment(s)

    zip
    APS.cfg.zip   39K 1 version


  • 2.  Re: Account does not get locked when smapsFailureCount >5

    Posted 09-25-2017 05:21 PM

    Can you share APS.cfg?



  • 3.  Re: Account does not get locked when smapsFailureCount >5

    Posted 09-25-2017 05:35 PM

    APS is attached



  • 4.  Re: Account does not get locked when smapsFailureCount >5
    Best Answer

    Posted 09-25-2017 10:32 PM

    Hi Sanjay,

     

    I think there is fundamental misunderstanding here.

     

    CA SSO supports two kinds of password policies :

    1. Basic password policy - this is configured from Admin UI 

     

     

    2. Advanced Password policy - this is configured using APS.cfg 

     

    These two are mutually exclusive configuration and only one can be enabled at anytime otherwise it may lead to inconsistencies. 

     

    Unless you have any specific need which BPS can't fulfill I would advise to stick to BPS as it provided more flexibility.

    If you decide to go with BPS then you will need to disable APS which you can do so by following this guide :

    How to disable APS ? 

     

    For APS, the maximum failure count (max login attempt with invalid password) can be configured in APS.cfg as:

     

    #######################################################################
    ## "n" strikes processing
    #######################################################################
    ##FAILURE COUNT##
    ///////////////////////////////////////////////////////////////////////
    // The maximum consecutive password failures ("n" strikes and you're
    // out). This value can be zero, or 3-9 inclusive. The recommended
    // setting is 5. This setting is *separate* from the SMRETRY setting
    // supported on SiteMinder authentication forms. Please see the APS
    // documentation for details.
    //
    // This affects failures both on login and change password (change
    // password only if Max Failures On Change is not set).
    //
    // This setting supports overrides.
    ///////////////////////////////////////////////////////////////////////
    ;;Max Failures=3
    ///////////////////////////////////////////////////////////////////////
    // The maximum consecutive password failures ("n" strikes and you're
    // out) to be used FOR PASSWORD CHANGES ONLY. This value can be zero,
    // or 3-9 inclusive. The recommended setting is 5. If not set or zero,
    // the setting for Max Failures (above) will be used.
    //
    // This setting supports overrides.
    ///////////////////////////////////////////////////////////////////////
    ;;Max Failures On Change=5

     

    BPS doesn't use any of those smapsXXX attribute in user store instead it uses the user attributes as defined in the user directory configuration , particularly following so ensure that they are mapped to a valid attribute from user store:

    • Disabled Flag
    • Password Data ( This needs to be binary attribute )

     

     

    Let me know if any question.

     

    Regards,

    Ujwol



  • 5.  Re: Account does not get locked when smapsFailureCount >5

    Posted 09-26-2017 10:33 AM

    Thanks Ujwol for your reply. It made lot of sense.

     

    I have two questions based on your reply.

    1. How does BPS keep track of successive invalid attempts? Does it store it in any user directory variables?

    2. We want to show the user his nth invalid attempt. ie. nth of 5 where 5 is the max they can try. Is there a way to achieve that?



  • 6.  Re: Account does not get locked when smapsFailureCount >5

    Posted 09-26-2017 12:04 PM

    Hi 

     

    1. How does BPS keep track of successive invalid attempts? Does it store it in any user directory variables?

    It is stored in the Password Data user attribute that is mentioned as per the above screen shot. (Eg: audio)

     

    2.We want to show the user his nth invalid attempt. ie. nth of 5 where 5 is the max they can try. Is there a way to achieve that?

     

    You can set SMTRNO cookie and calculate the remaining attempts. This SMTRYNO cookie will be set to 1 for the first failed attempt and then increased by 1 till you reach the configured @smretries in login.fcc file. You need to set the @smretries to max allowed attempt+1 value.

     

    Refer :

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/configure-html-forms-authentication

     

    Regards,

    Leo Joseph



  • 7.  Re: Account does not get locked when smapsFailureCount >5

    Posted 10-16-2017 08:29 PM

    Just to add, smtryno just keep a track of invalid login attempt for that particular browser session. It doesn't really indicate the number of invalid login attempted in say in other browser session for the same user.

     

    So, for e.g 

    User opens a new browser , try invalid login attempt 3 times.

    Close the browser.

    Opens a new browser again , and try invalid login attempt once .. 

    smtryno cookie in this case just shows a value of 1 (failed login attempt for current session) and wont' show the total failed login attempt for that user as that information is stored in the server side in the user directory password blob attribute.

     

    If you need to find the actual total number of failed login attempt for the user you will need to use API.

    Tech Tip - CA Single Sign-On:Policy Server: Read Password Blob Utility 

    sample output :

    Obtaining Password State:

    LoginFailures: 0

    LastLoginTime: February 24 2016 17:57:25

    PrevLoginTime: January 10 2016 17:58:25

    DisabledTime: January 01 1970 10:00:00

    LastPWChangeTime: February 24 2016 17:57:05

    C:\Users\Administrator\Desktop\RPB>