Symantec Access Management


Tech Tip : CA Single Sign-On : Admin DISABLED STATE // Password Policy


    Broadcom Employee
    Posted May 15, 2019 03:54 AM



    We're running a Policy Server and we'd like to know which use cases
    cause a user to be administratively disabled after login.

    Sm_Api_Disabled_AdminDisabled = 0x00000001 = 1




    At first glance, the AdminDisabled bit is set when an operator
    manually disables the user in the Admin UI:


    Policy Server :: Disable Flag : SmAuthReason

    The Sm_Api_Disabled_AdminDisabled bit is usually set by using the
    Admin UI's disable user button; the Policy Server does not set or
    clear it during normal operations.



    But this value can be added to another value for a specific reason.


    To illustrate:


    User with DisableFlag = 0. User can log in.
    User with DisableFlag = 1. User cannot log in because the administrator disabled it manually from the Admin UI.
    User with DisableFlag = 3. User tried x times to log in with incorrect credentials, and has been disabled.


    Looking at the screenshots, you've configured the user to be disabled
    after 5 attempts to log in with incorrect credentials.


    You see a disabled state with a value of 3 because it is the sum of:


    Sm_Api_Disabled_AdminDisabled (0x00000001 = 1) + Sm_Api_Disabled_MaxLoginFail (0x00000002 = 2) = 3


    KB : KB000132212
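
An added example (not part of the original post or the product's own code): decoding the disabled flag as a bitmask to tell manual disables apart from failed-login lockouts when reviewing a user-store export. Only the two bit values named above are used; the sample records and their `user,flag` layout are constructed, and any other bit is reported as unknown rather than interpreted.

```python
# Bit values as given in the post; everything else here is illustrative.
SM_API_DISABLED_ADMINDISABLED = 0x00000001
SM_API_DISABLED_MAXLOGINFAIL = 0x00000002

KNOWN_BITS = {
    SM_API_DISABLED_ADMINDISABLED: "AdminDisabled",
    SM_API_DISABLED_MAXLOGINFAIL: "MaxLoginFail",
}

# Constructed sample export: "user,disabled flag" (decimal or hex).
SAMPLE_EXPORT = """\
jdoe,0
asmith,1
bwong,3
svc01,0x00000003
kpatel,5
"""

def parse_flag(text):
    """Accept decimal ("3") or hex ("0x00000003") flag values."""
    return int(text.strip(), 0)

def decode(flag):
    """Return (names of known bits set, leftover bits not named in the post)."""
    names = [name for bit, name in KNOWN_BITS.items() if flag & bit]
    unknown = flag
    for bit in KNOWN_BITS:
        unknown &= ~bit
    return names, unknown

def classify(flag):
    """Map a flag to the cases the post describes."""
    names, _ = decode(flag)
    if flag == 0:
        return "enabled"
    if "MaxLoginFail" in names:
        return "lockout"   # e.g. value 3: disabled after failed logins
    if "AdminDisabled" in names:
        return "manual"    # e.g. value 1: disabled by an operator
    return "other"

def triage(export_text):
    """Return (user, status, unknown_bits) for each record in the export."""
    rows = []
    for line in export_text.splitlines():
        user, raw = line.split(",", 1)
        flag = parse_flag(raw)
        rows.append((user, classify(flag), decode(flag)[1]))
    return rows
```

A non-zero third field (as for the constructed `kpatel` record) means the flag carries a bit the post does not cover, so that account needs a manual look.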