Environment
Advanced Authentication 6.x
Advanced Authentication - SaaS
Situation
Error returned: "Login failed, please try again."
The error is returned even for an LDAP password login.
Logs show a non-unique value returned for the user name during user lookup.
Resolution
Remove any attributes from the "User lookup attributes" list that do not have unique values among users.
In this case the problem was resolved by removing the attributes "Mail" and "OtherMailbox" from the User lookup attributes list, thus returning to the default user lookup attribute settings of "SAMAccountName" and "UserPrincipalName."
"User lookup attributes" are defined on the Advanced Authentication Admin page under "Repository," "Edit" (for desired repository), "Settings," "Advanced Settings."
Note: It may be necessary to perform a force config and a full synchronization after changing lookup attributes.
Cause
The affected user has two accounts in the directory, both with the same email address.
Additional Information
As stated in online documentation for "User Lookup Attributes," Advanced Authentication validates the specified attributes for an entered user name. See https://www.netiq.com/documentation/advanced-authentication-63/server-administrator-guide/data/add_ldap_repo.html#user_lookup_attr
Advanced Authentication validates all of the specified attributes for each user. If a value of any listed attribute is shared by more than one user, Advanced Authentication cannot identify the user uniquely and the login fails.
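The following Python check is an added example, not part of this article or of the Advanced Authentication product: it runs the same uniqueness test over an exported set of user entries so that non-unique lookup attributes can be found before they are added to the "User lookup attributes" list. The directory entries, DNs and addresses are constructed sample data; lookups are compared case-insensitively and across attributes, since an entered user name is matched against every listed attribute.

```python
from collections import defaultdict

# Default Advanced Authentication lookup attributes plus the two removed in this case.
LOOKUP_ATTRS = ["sAMAccountName", "userPrincipalName", "mail", "otherMailbox"]
DEFAULT_ATTRS = ["sAMAccountName", "userPrincipalName"]

# Constructed sample export: DN -> {attribute: value or list of values}.
SAMPLE_USERS = {
    "CN=jsmith,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "jsmith",
        "userPrincipalName": "jsmith@example.com",
        "mail": "john.smith@example.com",
    },
    "CN=jsmith-admin,OU=Admins,DC=example,DC=com": {
        "sAMAccountName": "jsmith-admin",
        "userPrincipalName": "jsmith-admin@example.com",
        "mail": "John.Smith@example.com",        # same mailbox as jsmith, different case
        "otherMailbox": ["jsmith@example.com"],  # multi-valued; collides with jsmith's UPN
    },
    "CN=adoe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "adoe",
        "userPrincipalName": "adoe@example.com",
        "mail": "a.doe@example.com",
    },
}


def _values(entry, attr):
    """Return the attribute's values as a list (LDAP attributes may be multi-valued)."""
    value = entry.get(attr)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_ambiguous_lookup_values(users, lookup_attrs):
    """Map each lookup value (normalized) to the set of DNs it would match; keep only collisions."""
    owners = defaultdict(set)
    for dn, entry in users.items():
        for attr in lookup_attrs:
            for value in _values(entry, attr):
                owners[value.strip().lower()].add(dn)  # LDAP string matching is case-insensitive
    return {value: dns for value, dns in owners.items() if len(dns) > 1}


def ambiguous_attributes(users, lookup_attrs):
    """Names of lookup attributes that contribute at least one colliding value."""
    collisions = find_ambiguous_lookup_values(users, lookup_attrs)
    return {attr for entry in users.values() for attr in lookup_attrs
            if any(v.strip().lower() in collisions for v in _values(entry, attr))}
```

With the sample data the extended attribute list yields two colliding values, while the default list of "SAMAccountName" and "UserPrincipalName" yields none, which is the outcome described in the Resolution.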