Kelly Wong

Tech Tip - CA Single Sign-On: AD user continue to get login prompt despite reaching max login attempts

Blog Post created by Kelly Wong Employee on Apr 15, 2016

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 15th April 2016



SM password policy is created against Active Directory user store with LDAP namespace, to disable user after 3 successive incorrect password login.

User is continuously getting prompt after 3 successive failed login. With Enhanced AD Integration disabled, user is redirected to the SM password policy page accordingly.



accountExpires and badPwdCount are the additional AD native attributes that Policy Server validates, when Enhanced AD Integration enabled. Hence, if user account is expired or bad password count has reached its limit on AD end, password policy will be triggered on next login and user will be redirected to the SM password policy page.

With Enhanced AD integration disabled, PS will rely on userAccountControl and SM Disabled Flag attributes to determine user status.

Additionally, if user directory has a native password policy, this policy must be less restrictive than the SM password policy or disabled.

Customer has both SM and AD native password policy set to disable user after 3 successive failed login causing conflict between both password policies.



Update the AD native password policy to be less restrictive – disable user after 4 successive failed login.


Update SM password policy to be more restrictive – disable user after 2 successive failed login.


Disable AD native password policy.