Intruder Detection does not work on the Challenge Response page

  • 3701981
  • 31-Jul-2007
  • 26-Apr-2012

Environment

Novell User Application 3.5
Novell User Application 3.0.1
Novell User Application 3.0
Novell Identity Manager 3.5
Novell Identity Manager 3.0.1
Novell Identity Manager 3.0
Novell iManager 2.6
Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3 for All Platforms

Situation

With Intruder Detection enabled, if a user fails to log in to the User Application x times (where x is the maximum value set in Intruder Detection), they receive an error message on the Login page stating:
Error: "Account restrictions prevent you from logging in. See your administrator for more details."

With Intruder Detection enabled, if a user goes to the ForgotPassword area, submits their User ID, and then fails to answer their Challenge Set questions correctly x times (where x is the maximum value set in Intruder Detection), they do not receive a message on this page saying that their account is locked. The user can continue to enter answers to their Challenge Response questions, even correct ones, and will never be able to go any further.

At that time, if the administrator looks at the user in question in iManager, they will see that the user's account has been locked. Once this has occurred, if the user in question opens a new browser and tries to access the ForgotPassword area, they will receive the following error after entering their User ID:
Error: "Challenge Response failed."

Resolution

This behavior is a bug in versions 3.0, 3.0.1, and 3.5 of the Novell User Application. Once the account has been locked by Intruder Detection, the user is not stopped from trying to answer Challenge Set questions in the same browser session. This is to be addressed in a future release of the Novell User Application.

This issue has been fixed in Novell User Application 3.5.1 patch B.
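The failure mode described above can be reproduced in a small model. This is an added illustration, not Novell User Application code: the `Account` class, both page functions, the status strings and the sample answers are all hypothetical, and the "fixed" handler is only one assumed way a page can surface the lock state.

```python
from dataclasses import dataclass


@dataclass
class Account:
    answer: str          # constructed challenge answer
    max_attempts: int    # "x": the Intruder Detection limit
    failures: int = 0
    locked: bool = False

    def verify(self, answer):
        """Directory-side check: a locked account fails every attempt."""
        if self.locked:
            return False
        if answer == self.answer:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


def challenge_page_buggy(account, answer):
    """Behaviour in the article: the lock never reaches the user."""
    if account.verify(answer):
        return "proceed"
    return "retry"  # same response for a wrong answer and a locked account


def challenge_page_fixed(account, answer):
    """Assumed remedy: check lock state on every submission."""
    if account.locked:
        return "locked"
    if account.verify(answer):
        return "proceed"
    return "locked" if account.locked else "retry"


def run(page, answers, max_attempts=3):
    """Replay a sequence of answers against a fresh account."""
    account = Account(answer="blue", max_attempts=max_attempts)
    return [page(account, a) for a in answers]


if __name__ == "__main__":
    attempts = ["red", "green", "pink", "blue"]  # constructed input
    print(run(challenge_page_buggy, attempts))
    print(run(challenge_page_fixed, attempts))
```

In the buggy model the fourth, correct answer still yields `retry`, which matches the symptom of a user who answers correctly but can never proceed.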