For some users, we are facing this interesting issue. Sometimes (not always, but a few times a day) a user is unable to access the application and is shown the error "User has been either locked out for successive incorrect password or it has been disabled". However, when we check the account in AD, it seems fine.
When we checked the smaccess.log for the corresponding time period, we can see the error message below, where the user is perhaps being locked out and we are getting Authentication rejected, but the AD account seems to be fine.
[Auth][AuthReject][xyz.hiw.com][04/Feb/2019:07:27:37 -0500][dssoagent][gwRdYCJt35u4zdPZeyeUtvsgLNg=][john@APAC.corp.local][03-000b53ff-6569-1514-88a3-2d250aa220dd][Protect SSORedirect][06-00004b1c-656d-1514-88a3-2d250aa220dd][22.214.171.124][/ssoredirect/pwdexpirychk.asp][GET][Account disabled. 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580][SSORedirectDomain]
Please suggest what possibilities there could be here to look out for.
There are 2 account statuses:
1. SiteMinder Account Status
2. AD Account Status
SiteMinder is saying AuthReject based on the SiteMinder Account Status, which is based on the SiteMinder Password Policy.
On the other hand, AD may say the account is fine and the user can log on to RDP or the desktop.
You can check if the "Enhanced AD Integration" option is enabled in the Global Settings.
Another thing that might be possible is that your AD account in question might have the "Password do not expire" flag set.
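
An added example, not part of the thread and not CA/Broadcom code: a small triage script that parses the smaccess.log line quoted in the question and decodes the `data` value inside the LdapErr string, which is the sub-status Active Directory returned on the bind (775 is the Windows code for a locked-out account). Field positions are assumed from that single line, and the function names `triage` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# AD bind sub-status values seen after "data" in an LdapErr string (hex Win32 error codes).
AD_SUBSTATUS = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
FIELD = re.compile(r"\[([^\]]*)\]")
LDAP_DATA = re.compile(r"LdapErr:.*?\bdata\s+([0-9a-fA-F]+)")

# The line quoted in the question.
PAGE_LINE = ("[Auth][AuthReject][xyz.hiw.com][04/Feb/2019:07:27:37 -0500][dssoagent]"
             "[gwRdYCJt35u4zdPZeyeUtvsgLNg=][john@APAC.corp.local]"
             "[03-000b53ff-6569-1514-88a3-2d250aa220dd][Protect SSORedirect]"
             "[06-00004b1c-656d-1514-88a3-2d250aa220dd][22.214.171.124]"
             "[/ssoredirect/pwdexpirychk.asp][GET][Account disabled. 80090308: LdapErr: "
             "DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580]"
             "[SSORedirectDomain]")
# Constructed line (not from the page) to show that non-reject events are skipped.
CONSTRUCTED_ACCEPT = ("[Auth][AuthAccept][host.example][04/Feb/2019:07:30:00 -0500]"
                      "[agent][sid][jane@example.test][][][][][/app/][GET][][]")

def triage(line):
    """Return time, user, SiteMinder text and decoded AD sub-status for an AuthReject line."""
    fields = FIELD.findall(line)
    # Assumed positions, taken from PAGE_LINE: 1 = event, 3 = timestamp, 6 = user.
    if len(fields) < 7 or fields[1] != "AuthReject":
        return None
    reason = next((f for f in fields if "LdapErr" in f), "")
    m = LDAP_DATA.search(reason)
    code = m.group(1).lower() if m else None
    return {"time": fields[3], "user": fields[6],
            "sm_text": reason.split(".")[0], "ldap_data": code,
            "ad_meaning": AD_SUBSTATUS.get(code, "no AD sub-status in line")}

def summarize(lines):
    """Count rejects per (user, decoded AD meaning) to expose recurring lockouts."""
    hits = (triage(l) for l in lines)
    return Counter((h["user"], h["ad_meaning"]) for h in hits if h)

if __name__ == "__main__":
    print(triage(PAGE_LINE))
    print(summarize([PAGE_LINE, CONSTRUCTED_ACCEPT]))
```

For the quoted line the text SiteMinder logs is "Account disabled" while the AD sub-status decodes to a lockout, so the domain controllers' lockout events around the same timestamp are worth comparing against these rejects.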