Symantec Access Management

About Disabled Flag and userAccountControl

  • 1.  About Disabled Flag and userAccountControl

    Posted Aug 18, 2020 06:42 AM

    Hi to all!

    When I installed SSO / SiteMinder, I installed it along with CA Identity Manager.
    I had an Active Directory extension (which was the user store for both SSO and IM) with a new attribute, IM-DisabledState.
    I used this attribute both for IAM (the %DISABLE% attribute) and SSO (the "Disabled Flag (RW)" attribute).

    So everything has worked.
    Of course, I have two levels of "disabled" state:

    * One on the Active Directory side (e.g. when a user fails to authenticate N times on an Active Directory PC)
    * And one on the SSO side (e.g. when a user fails the password M times on SSO)

    I currently have M < N, Enhanced AD Integration enabled and Password Services enabled.
    If a user is locked out on the Active Directory side, they cannot even log into SSO, and this is what I want.
    The change password flag also works well for me.

    In the meantime, two things have happened:

    1) I decommissioned IAM (it still exists, but no longer uses Active Directory as a user store).
    2) I have installed Advanced Authentication. I've mapped userAccountControl for user status.

    What is the best practice now?

    -> Change the SiteMinder configuration and use userAccountControl for the SSO "Disabled Flag (RW)" too?
    -> Use IM-DisabledState for Advanced Authentication too?
    -> Leave everything as it is?

    Thanks in advance
    Marco
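The post compares two disabled-state sources: the ACCOUNTDISABLE bit of the Active Directory userAccountControl attribute and the custom IM-DisabledState attribute. The example below is added here and is not code from the post or from Symantec/Broadcom. It decodes the well-known userAccountControl bits, reads AD lockout from lockoutTime, and reports which accounts have the two flags disagreeing, which is exactly the set of accounts for which the choice of authoritative attribute matters. The encoding of IM-DisabledState as "1" = disabled and all sample entries are constructed assumptions.

```python
"""Decode AD userAccountControl and reconcile it with a custom disabled flag.

Added example, not code from the original post or from Symantec/Broadcom.
The attribute name IM-DisabledState comes from the post; its value encoding
("1" = disabled) and every sample entry below are constructed assumptions.
"""

# Well-known userAccountControl bit values from Microsoft's AD documentation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",  # AD does not maintain this bit in userAccountControl;
                        # lockout state lives in lockoutTime and the computed
                        # attribute msDS-User-Account-Control-Computed
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

TRUE_VALUES = {"1", "true", "yes"}  # assumed encoding of IM-DisabledState


def decode_uac(value):
    """Return the names of the known bits set in a userAccountControl value."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def ad_disabled(entry):
    """AD-level disabled state: the ACCOUNTDISABLE bit of userAccountControl."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def ad_locked(entry):
    """AD-level lockout: a non-zero lockoutTime. This ignores lockoutDuration
    expiry, so a stale lockoutTime still reads as locked here."""
    return int(entry.get("lockoutTime", 0)) != 0


def custom_disabled(entry, attr="IM-DisabledState"):
    """Application-level disabled state kept in a custom attribute."""
    return str(entry.get(attr, "")).strip().lower() in TRUE_VALUES


def reconcile(entries, attr="IM-DisabledState"):
    """Compare the AD flag with the custom flag for every entry.

    'consistent' is False when one source says disabled and the other says
    enabled; those are the accounts where it matters which attribute SSO,
    IM and Advanced Authentication treat as authoritative.
    """
    report = []
    for e in entries:
        a, c = ad_disabled(e), custom_disabled(e, attr)
        report.append({
            "sAMAccountName": e["sAMAccountName"],
            "ad_disabled": a,
            "ad_locked": ad_locked(e),
            "custom_disabled": c,
            "uac_flags": decode_uac(e.get("userAccountControl", 0)),
            "consistent": a == c,
        })
    return report


def inconsistent_accounts(entries, attr="IM-DisabledState"):
    """Names of accounts whose two disabled flags disagree."""
    return [r["sAMAccountName"] for r in reconcile(entries, attr) if not r["consistent"]]


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "lockoutTime": "0", "IM-DisabledState": "0"},
    {"sAMAccountName": "bob", "userAccountControl": "514", "lockoutTime": "0", "IM-DisabledState": "1"},
    {"sAMAccountName": "carol", "userAccountControl": "512", "lockoutTime": "132432000000000000", "IM-DisabledState": "0"},
    {"sAMAccountName": "dave", "userAccountControl": "512", "lockoutTime": "0", "IM-DisabledState": "1"},
    {"sAMAccountName": "erin", "userAccountControl": "66050", "lockoutTime": "0", "IM-DisabledState": "0"},
]

if __name__ == "__main__":
    for row in reconcile(SAMPLE_ENTRIES):
        print(row)
    print("inconsistent:", inconsistent_accounts(SAMPLE_ENTRIES))
```

Running the script over a real export (for example the attributes pulled with an LDAP search of userAccountControl, lockoutTime and the custom attribute) gives a concrete list of accounts to review before switching the SSO "Disabled Flag (RW)" mapping to userAccountControl: an account like "dave" would become enabled in SSO after the switch, while one like "erin" would become disabled.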