Symantec IGA

  • 1.  Reading disabled status from active directory

    Posted Nov 21, 2019 09:33 AM
    Edited by Andy Thompson Nov 21, 2019 09:34 AM
    We are trying to implement the functionality of allowing administrators to re-enable users that have become disabled due to too many failed login attempts.  Currently Active Directory is controlling the failed login count and locked status.  Because of this, the values for disabled state on the Identity Manager side are only showing 0 or 1 for enabled or disabled.  When Active Directory locks the account due to failed login attempts, that is shown as a disabled state of 1 in Identity Manager which is "disabled by an administrator".  So technically that is not the correct value according to this doc.  But I assume it is because Active Directory did the locking and not Identity Manager:
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=76864

    We need a way to distinguish between a "lock" and a "disable" in Identity Manager so we know whether to allow an administrator to unlock the account or whether to prevent them from re-enabling a disabled account.  Any ideas? 

    I see the Account Options attribute on the endpoint is what holds the "Account is Disabled" value, but not sure how to pull that into Identity Manager.


  • 2.  RE: Reading disabled status from active directory

    Broadcom Employee
    Posted Nov 21, 2019 11:24 AM
    On the AD system you would need to get the value stored in userAccountControl. You could look at configuring an Endpoint Attribute Mapping to map the AD account attribute to a Provisioning user's custom field. During an Explore/Correlate/Update the value would be retrieved from the AD Account and the associated provisioning user's custom field would be updated and a Modify_Global_User inbound notification sent to the IM Server to update the IME mapped user attribute as part of a Provisioning Modify User task. You would then need to have some PX Policy or custom business logic (i.e. event listener) triggered as part of that task to take appropriate actions to update the IM user object as needed.


  • 3.  RE: Reading disabled status from active directory

    Posted Nov 21, 2019 02:30 PM
    Thanks Kenny.  We started looking at that and had a question.  If AD is locking the account due to failed login attempts and the Portal is even reporting that the account is locked when you try to login, shouldn't the disabled state in IDM reflect that properly and not be a generic "1" for disabled?  Or are all locks and disables passed from Active Directory expected to be generic disabled status in IDM?


  • 4.  RE: Reading disabled status from active directory

    Broadcom Employee
    Posted Nov 21, 2019 02:37 PM
    I am not sure what is being used as an authentication directory in your implementation. Perhaps your IP/IM is using an AD Auth Module or integrated with SSO which could be authenticating against AD instead of the IM User store itself in which case that may explain your authentication results regardless of what is in the IM user store since if AD was only a managed endpoint via Provisioning/Connector Server then its current password and account status would have no bearing whatsoever on the IP/IM login.


  • 5.  RE: Reading disabled status from active directory

    Posted Nov 21, 2019 03:10 PM
    We are not using SSO and "technically" IDM should be the authoritative source, although in this case we are allowing Active Directory to control the failed password attempts and lockout.  But all password updates are handled through IDM and pushed to AD, so I guess AD is just a managed Endpoint?

    So with this setup, is there not a way to get the disabled state in IDM to reflect the values for MAXLOGINFAIL as shown below:

    ENABLED_VALUE 0 (enabled)
    MASK_ADMINDISABLED 1 (disabled by an administrator)
    MASK_MAXLOGINFAIL 2 (disabled because they reached max login attempts)
    MASK_INACTIVITY 4 (disabled due to inactivity)
    MASK_PWEXPIRED 8 (disabled due to password expired)
    MASK_PWMUSTCHANGE 16777216 (account is NOT disabled but password will be forced to change on next login)
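    Added example, not code from the thread or from the CA/Symantec product: it takes the Active Directory flags Kenny suggests mapping and derives the Identity Manager enabled-state mask listed above, so a lockout (2) and an administrator disable (1) stay distinguishable for the unlock decision. It assumes the flags are read from the constructed attribute msDS-User-Account-Control-Computed, because the raw userAccountControl attribute does not carry the LOCKOUT or PASSWORD_EXPIRED bits; the sample account records are constructed.

```python
# Documented Active Directory userAccountControl flag bits.
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010              # only populated in msDS-User-Account-Control-Computed
UAC_PASSWORD_EXPIRED = 0x800000   # likewise only in the computed attribute

# Identity Manager enabled-state values as listed in the thread.
ENABLED_VALUE = 0
MASK_ADMINDISABLED = 1
MASK_MAXLOGINFAIL = 2
MASK_PWEXPIRED = 8


def im_enabled_state(uac_computed: int) -> int:
    """Map the AD flags to the IM enabled-state bitmask.

    uac_computed should be msDS-User-Account-Control-Computed: the raw
    userAccountControl attribute does not carry the LOCKOUT bit, so mapping
    the raw attribute alone cannot tell a lock apart from a disable.
    """
    state = ENABLED_VALUE
    if uac_computed & UAC_ACCOUNTDISABLE:
        state |= MASK_ADMINDISABLED
    if uac_computed & UAC_LOCKOUT:
        state |= MASK_MAXLOGINFAIL
    if uac_computed & UAC_PASSWORD_EXPIRED:
        state |= MASK_PWEXPIRED
    return state


def admin_may_unlock(state: int) -> bool:
    """Thread's policy: an admin may clear a lockout but must not re-enable
    an account that was deliberately disabled."""
    return bool(state & MASK_MAXLOGINFAIL) and not (state & MASK_ADMINDISABLED)


# Constructed sample records (hypothetical users, not real directory data).
SAMPLE_ACCOUNTS = {
    "active": 0x0200,                                    # NORMAL_ACCOUNT only
    "locked_out": 0x0200 | UAC_LOCKOUT,
    "terminated": 0x0200 | UAC_ACCOUNTDISABLE,
    "both": 0x0200 | UAC_ACCOUNTDISABLE | UAC_LOCKOUT,
    "pw_expired": 0x0200 | UAC_PASSWORD_EXPIRED,
}


def classify_all(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Return {name: (enabled_state, admin_may_unlock)} for each record."""
    return {n: (im_enabled_state(u), admin_may_unlock(im_enabled_state(u)))
            for n, u in accounts.items()}
```

Note that the computed attribute reflects lockoutDuration expiry, whereas a non-zero lockoutTime can persist after the lockout has lapsed, so it is the safer source for the mapping.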


  • 6.  RE: Reading disabled status from active directory

    Broadcom Employee
    Posted Nov 21, 2019 03:14 PM
    I already replied to that question:

    On the AD system you would need to get the value stored in userAccountControl. You could look at configuring an Endpoint Attribute Mapping to map the AD account attribute to a Provisioning user's custom field. During an Explore/Correlate/Update the value would be retrieved from the AD Account and the associated provisioning user's custom field would be updated and a Modify_Global_User inbound notification sent to the IM Server to update the IME mapped user attribute as part of a Provisioning Modify User task. You would then need to have some PX Policy or custom business logic (i.e. event listener) triggered as part of that task to take appropriate actions to update the IM user object as needed.


  • 7.  RE: Reading disabled status from active directory

    Posted Nov 21, 2019 03:21 PM
    Sorry...let me clarify my question...

    Is it expected behavior given our setup that the disabled state in IDM would not reflect a locked status?  In other words, is it a requirement that the IDM password policy control the max login attempts in order for the disabled state to be reflected properly?

    It was suggested to me that I open this as a defect and I'm trying to understand if it is or not and if not, why it isn't.


  • 8.  RE: Reading disabled status from active directory
    Best Answer

    Broadcom Employee
    Posted Nov 21, 2019 03:39 PM
    The only notification sent from the domain controller back to IMPS would be password changes with the PSYNC Agent.  Toggling of the useraccountcontrol at the AD domain controller would not itself result in any notification back to IM/IMPS of that happening.

    So as I mentioned the only way IMPS would know of the current AD domain controller useraccountcontrol would be via Endpoint Attribute Mapping during an Explore/Correlate/Update but that is not a real time input into IMPS and IM layers and even then that would not achieve what I think you are wanting unless you were to implement some custom business logic via PX Policies and/or custom event listeners.

    Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.
    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio


  • 9.  RE: Reading disabled status from active directory

    Posted Nov 21, 2019 05:32 PM
    Hi Kenny,

    I'm working with Andy and I want to clarify some things. 1) We are using the AD authentication module for IM/IP authentication. 2) The issue we see is that if a user who is locked in AD, after 5 failed login attempts, attempts to log onto CA IP a 6th time, the user account in IM gets disabled (enabled state set to "1"). We don't know what exactly is doing this since we do not have explore and correlate scheduled for AD. My guess is the AD auth module is setting it.

    Our concern is that it sets enabled state to 1 (admin disabled) and not 2 (max failed logins). We currently have a disabled process that also marks the user as enable state 1 when a user is terminated. This collides with our termination functionality because we cannot tell if someone was admin disabled or locked in CA. Currently our solution is to add a new status field and manage status ourselves but we would like to know if the AD auth module is not working as expected before going through this trouble.

    We also tried enabling failed logins in the CA password policy but it does not seem to work with the AD auth module.

    Sorry for any confusion and thanks for all the quick responses!

    Nick