Environment
SSPR 3.x
SSPR 4.x
eDirectory environment
SSPR Configured to save Challenge Responses to NMAS
SSPR Configured to read Challenge Responses from NMAS
Situation
When using NMAS / eDirectory challenge responses with SSPR, it is not possible to unlock an account that has been locked by eDirectory intruder detection.
The problem occurs if challenge responses are stored only in eDirectory (i.e., challenge responses are not also stored in SSPR).
Resolution
Force users to set up challenge questions in SSPR.
In SSPR Configuration Manager, click the "enabled" box in Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Force Response Setup.
Additional Information
This problem occurs because SSPR cannot read the challenge responses from an account locked by NMAS, and is therefore not able to validate the user's identity. This happens if the challenge responses are stored only in NMAS and the account is locked. As a security feature, NMAS does not provide the ability to read challenge response answers from a locked account.
Storing challenge responses in the SSPR attributes as well as in the NMAS attributes gives SSPR a method to validate users' identities.