Login fails for user with non-unique search attributes

  • 7025250
  • 16-Aug-2021
  • 16-Aug-2021

Environment

Advanced Authentication 6.x
Advanced Authentication - SaaS

Situation

Error returned:  "Login failed, please try again."
The error is returned even when logging in with the LDAP password method.
The server logs show a non-unique value for the user name being returned during user lookup.

Resolution

Remove any attributes from the "User lookup attributes" list that do not have unique values among users.

In this case the problem was resolved by removing the attributes "Mail" and "OtherMailbox" from the User lookup attributes list, thus returning to the default user lookup attribute settings of "SAMAccountName" and "UserPrincipalName." 

"User lookup attributes" are defined on the Advanced Authentication Admin page under "Repository," "Edit" (for desired repository), "Settings," "Advanced Settings." 

Note:  It may be necessary to perform a force config and a full synchronization after changing lookup attributes.

Cause

The affected user has two accounts in the directory that share the same e-mail address, so the "Mail" lookup attribute matches both accounts and cannot identify a single user.

Additional Information

As stated in the online documentation for "User Lookup Attributes," Advanced Authentication validates the specified attributes for an entered user name.  See https://www.netiq.com/documentation/advanced-authentication-63/server-administrator-guide/data/add_ldap_repo.html#user_lookup_attr

Advanced Authentication validates all of the specified attributes for each user.  If the value of any listed attribute is not unique across the repository (the same value is held by more than one directory object), Advanced Authentication cannot identify the user and login fails.  Only attributes whose values are guaranteed unique per user (for example "SAMAccountName" and "UserPrincipalName" in Active Directory) are suitable as lookup attributes.
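The following is an added example that models the lookup behaviour described in the Resolution and Additional Information sections; it is not Advanced Authentication code and does not talk to a real LDAP server. It uses a small constructed directory (three entries, two of which share the same "mail" value, as in the Cause above) and shows two things: an audit helper that reports which candidate lookup attributes hold non-unique values, and a simplified lookup that fails the same way the article describes whenever an entered name matches several entries or the found user's lookup attributes are not unique. The attribute names and the two-step logic (search across all lookup attributes, then validate each attribute of the found user) are assumptions made for illustration.

```python
"""Model of the lookup-attribute uniqueness problem described in the article.

Added example: a constructed in-memory directory and simplified lookup logic.
This is NOT Advanced Authentication's implementation; the two-step check below
is an assumption used to illustrate why non-unique lookup attributes break login.
"""
from collections import defaultdict

# Constructed sample directory. The first two entries are the "two accounts
# with the same email address" from the Cause section.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com",
     "mail": "jane.doe@example.com"},
    {"dn": "CN=Jane Doe (admin),OU=Admins,DC=example,DC=com",
     "sAMAccountName": "jdoe-adm", "userPrincipalName": "jdoe-adm@example.com",
     "mail": "jane.doe@example.com"},
    {"dn": "CN=Bob Smith,OU=Users,DC=example,DC=com",
     "sAMAccountName": "bsmith", "userPrincipalName": "bsmith@example.com",
     "mail": "bob.smith@example.com"},
]

# The default lookup attributes named in the Resolution section.
DEFAULT_LOOKUP_ATTRS = ("sAMAccountName", "userPrincipalName")


def _norm(value):
    """LDAP string matching is case-insensitive for these attributes."""
    return value.casefold() if isinstance(value, str) else None


def find_non_unique(entries, attr):
    """Return {value: [dn, ...]} for every value of attr held by more than one entry."""
    holders = defaultdict(list)
    for entry in entries:
        value = _norm(entry.get(attr))
        if value is not None:
            holders[value].append(entry["dn"])
    return {v: dns for v, dns in holders.items() if len(dns) > 1}


def audit_lookup_attrs(entries, lookup_attrs):
    """Report which candidate lookup attributes are unsafe to configure.

    Run this against the candidate list BEFORE adding an attribute under
    "User lookup attributes"; any attribute returned here will cause the
    failure described in the article for the users listed.
    """
    report = {}
    for attr in lookup_attrs:
        duplicates = find_non_unique(entries, attr)
        if duplicates:
            report[attr] = duplicates
    return report


def lookup_user(entries, username, lookup_attrs=DEFAULT_LOOKUP_ATTRS):
    """Resolve an entered user name. Returns (dn, None) or (None, reason).

    Step 1 searches all lookup attributes at once, like an LDAP OR filter
    (|(attr1=name)(attr2=name)...). Step 2 validates that every lookup
    attribute of the found user is unique in the directory, mirroring the
    statement that all specified attributes are validated for each user.
    """
    wanted = _norm(username)
    matches = [e for e in entries
               if any(_norm(e.get(a)) == wanted for a in lookup_attrs)]
    if not matches:
        return None, "user not found"
    if len(matches) > 1:
        return None, f"non-unique value for user name: {len(matches)} entries matched"
    user = matches[0]
    for attr in lookup_attrs:
        value = _norm(user.get(attr))
        if value is None:
            continue
        holders = [e["dn"] for e in entries if _norm(e.get(attr)) == value]
        if len(holders) > 1:
            return None, (f"non-unique value for {attr}={user[attr]!r}: "
                          f"{len(holders)} entries")
    return user["dn"], None


if __name__ == "__main__":
    broken = DEFAULT_LOOKUP_ATTRS + ("mail",)
    print("audit with mail:", audit_lookup_attrs(DIRECTORY, broken))
    print("jdoe, defaults:", lookup_user(DIRECTORY, "jdoe"))
    print("jdoe, with mail:", lookup_user(DIRECTORY, "jdoe", broken))
    print("email, with mail:", lookup_user(DIRECTORY, "jane.doe@example.com", broken))
```

With the default attributes "jdoe" resolves cleanly; once "mail" is added, the same user fails even when she types her unique sAMAccountName, because her mail value is shared with her second account, and typing the e-mail address itself matches two entries outright. Bob, whose mail value is unique, is unaffected either way, which is why the symptom appears for only some users.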