Unable to unlock account through SSPR

  • 7022005
  • 04-Oct-2017
  • 18-Oct-2017


SSPR 3.x
SSPR 4.x
eDirectory environment
SSPR Configured to save Challenge Responses to NMAS 
SSPR Configured to read Challenge Responses from NMAS 


When using NMAS / eDirectory challenge responses with SSPR, it is not possible to unlock an account that has been locked by eDirectory intruder detection.
The problem occurs if challenge responses are stored only in eDirectory (i.e., challenge responses are not also stored in SSPR).


Force users to set up challenge questions in SSPR.
In SSPR Configuration Manager, click the "enabled" box in Modules ⇨ Authenticated ⇨ Setup Security Questions ⇨ Force Response Setup.

Additional Information

This problem occurs because SSPR cannot read the challenge responses from an account locked by NMAS, and is therefore not able to validate the user's identity.  This happens if the challenge responses are stored only in NMAS and the account is locked.  As a security feature, NMAS does not provide the ability to read challenge response answers from a locked account.  

Storing challenge responses in the SSPR attributes as well as in the NMAS attributes gives SSPR a way to validate users' identities.