Unable to unlock account through SSPR

  • 7022005
  • 04-Oct-2017
  • 18-Oct-2017

Environment

SSPR 3.x
SSPR 4.x
eDirectory environment
SSPR configured to save Challenge Responses to NMAS
SSPR configured to read Challenge Responses from NMAS

Situation

When using NMAS / eDirectory challenge responses with SSPR, it is not possible to unlock an account that has been locked by eDirectory intruder detection.
The problem occurs if challenge responses are stored only in eDirectory (i.e. challenge responses are not also stored in SSPR).

Resolution

Force users to set up challenge questions in SSPR.
In SSPR Configuration Manager, click the "enabled" box in Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Force Response Setup.


Additional Information

This problem occurs because SSPR cannot read the challenge responses from an account locked by NMAS, and is therefore unable to validate the user's identity. This happens if the challenge responses are stored only in NMAS and the account is locked. As a security feature, NMAS does not provide the ability to read challenge response answers from a locked account.

Storing challenge responses in the SSPR attributes as well as in the NMAS attributes gives SSPR a method to validate users' identities.
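
An added example (not part of the original article and not vendor code): a small audit over an LDIF export that lists users with no SSPR-stored responses, which are the accounts that would hit this problem if intruder detection locked them. The attribute names `pwmResponseSet` and `lockedByIntruder` and the sample entries are assumptions; substitute the attributes configured in your environment.

```python
# Added example: audit an LDIF export for users who could not self-unlock.
# Attribute names are assumptions (not from the article); adjust to your config.
SSPR_RESPONSE_ATTR = "pwmresponseset"   # assumed SSPR response storage attribute
LOCKED_ATTR = "lockedbyintruder"        # assumed eDirectory intruder-lockout flag

# Constructed sample export; these users and values are illustrative only.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,o=example
pwmResponseSet:: PGNvbnN0cnVjdGVkLz4=
lockedByIntruder: FALSE

dn: cn=bob,ou=users,o=example
lockedByIntruder: TRUE

# carol has never been locked and has no SSPR responses
dn: cn=carol,ou=users,
 o=example
"""

def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        # A leading space marks a folded continuation of the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            # "::" marks a base64 value; only presence matters for this audit.
            current.setdefault(name.lower(), []).append(value.lstrip(":").strip())
    return entries

def at_risk(entries):
    """Users with no SSPR-stored responses, as (dn, currently_locked) pairs."""
    out = []
    for e in entries:
        if "dn" not in e or SSPR_RESPONSE_ATTR in e:
            continue
        locked = e.get(LOCKED_ATTR, ["FALSE"])[0].upper() == "TRUE"
        out.append((e["dn"][0], locked))
    return sorted(out, key=lambda r: not r[1])  # already-locked accounts first

if __name__ == "__main__":
    print(at_risk(parse_ldif(SAMPLE_LDIF)))
```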