In our project we use a custom authentication scheme (custom java code). We also have a password policy to make user login inactive for 30 minutes after the user provides 3 incorrect passwords.
The custom authentication scheme talks to a web service which manages security questions and answers.
The issue we face is as follows.
User enters 3 incorrect passwords, account gets locked and the user is directed correctly to the smpwservices.fcc page.
The account gets enabled back after 30 mins. (Which is again the right thing to happen)
During the lockout period, if the user tries to login with the correct user name and password, then the custom auth module gets invoked and the user is prompted for a security question. (Which should not happen)
Even if the user enters the correct answer (so the custom module sends an Accept response), SiteMinder redirects the user to the smpwservices page, which shows the message that the account is locked due to excessive login attempts.
The problem is that the user should not be asked the security question if the account is locked due to exceeded login attempts.
How do we correct this?
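The ordering problem described above (the secondary challenge runs before the lockout state is consulted) can be illustrated with a small lockout-aware gate. The following is an added example, not SiteMinder code and not the SiteMinder SDK; it is written in Python so it runs stand-alone, and the `Account`, `Authenticator`, `MAX_FAILURES` and `LOCKOUT_WINDOW` names, the in-memory account store and the sample user are all constructed for the illustration. The point it shows is that a locked account is refused before the password is verified and before any security question is presented, even when the password supplied during the lockout window is correct.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed example: lockout-aware authentication gate.
# Policy from the question: 3 wrong passwords lock the account for 30 minutes.
MAX_FAILURES = 3
LOCKOUT_WINDOW = timedelta(minutes=30)


@dataclass
class Account:
    password: str            # plaintext only for this constructed example
    security_answer: str
    failures: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class AuthResult:
    # "LOCKED", "REJECT", "CHALLENGE" or "ACCEPT"
    outcome: str
    reason: str = ""


class Authenticator:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    def is_locked(self, acct: Account, now: datetime) -> bool:
        """True while the lockout window is open; clears expired lockouts."""
        if acct.locked_until is None:
            return False
        if now >= acct.locked_until:
            # window expired: the account is re-enabled with a fresh counter
            acct.locked_until = None
            acct.failures = 0
            return False
        return True

    def authenticate(self, user: str, password: str, now: datetime,
                     answer: Optional[str] = None) -> AuthResult:
        acct = self.accounts.get(user)
        if acct is None:
            return AuthResult("REJECT", "unknown user")

        # 1. Lockout check comes first. A locked account is refused even with
        #    the right password, and no security question is ever presented.
        if self.is_locked(acct, now):
            return AuthResult("LOCKED", "account locked due to excessive login attempts")

        # 2. Password check (constant-time compare for the constructed example).
        if not hmac.compare_digest(password, acct.password):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_WINDOW
                return AuthResult("LOCKED", "too many failed attempts")
            return AuthResult("REJECT", f"bad password ({acct.failures}/{MAX_FAILURES})")

        # 3. Only now is the secondary challenge (security question) issued.
        if answer is None:
            return AuthResult("CHALLENGE", "security question")
        if not hmac.compare_digest(answer, acct.security_answer):
            return AuthResult("REJECT", "wrong security answer")
        acct.failures = 0
        return AuthResult("ACCEPT")


def scenario() -> List[str]:
    """Replays the reported sequence and returns the outcome of each attempt."""
    now = datetime(2024, 1, 1, 9, 0, 0)          # constructed clock
    auth = Authenticator({"alice": Account("correct horse", "rover")})
    outcomes = []
    for _ in range(3):                           # three wrong passwords
        outcomes.append(auth.authenticate("alice", "wrong", now).outcome)
    # correct password 5 minutes into the lockout: refused, no challenge
    outcomes.append(auth.authenticate("alice", "correct horse",
                                      now + timedelta(minutes=5)).outcome)
    # after the 30-minute window the normal flow resumes
    later = now + timedelta(minutes=31)
    outcomes.append(auth.authenticate("alice", "correct horse", later).outcome)
    outcomes.append(auth.authenticate("alice", "correct horse", later,
                                      answer="rover").outcome)
    return outcomes


if __name__ == "__main__":
    print(scenario())
```

In the scenario the fourth attempt returns `LOCKED` rather than `CHALLENGE`: the lockout state is read before the security-question step, so the web service that manages questions and answers is never consulted for a locked account. Whatever the real custom scheme uses as its source of lockout state, that check belongs before the call to the security-question service.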