Crowd Data Center: CWD-4762

Crowd should check user enabled status before trying to authenticate against an external directory, and optionally authenticate against lower priority directories


Consider the following scenario:

Tom Fubar has two accounts on different Active Directories: tom.fubar@DOM1 and tom.fubar@DOM2.

An internal application using Crowd for its authentication is set to use these directories, with DOM1 above DOM2 in the priority list.

If Tom's account is disabled on DOM1 but not on DOM2, and Tom tries to log in to the application with his DOM2 credentials, Crowd will record an authentication failure against DOM1 and immediately fail the attempt, without even trying DOM2. Furthermore, the disabled user state is not checked before trying to validate the password, causing the BadPasswordCount to be incremented.

Ideally, Crowd could be configured to see that the account is disabled, not bother trying to authenticate against it, and try the next directory in the list.

A workaround for this is to configure the Crowd user filter for DOM1 to hide accounts that are disabled; this can be accomplished by including

    (!(userAccountControl:1.2.840.113556.1.4.803:=2))

somewhere in the user filter in Crowd, but this may not be appropriate for all use cases.
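The directory-priority flow the reporter describes, as an added simulation. This is not Crowd's own code: the two directories, the account data, the passwords and the userAccountControl values are constructed for illustration. It contrasts the reported behaviour (first directory holding the user gets the bind, its failure is final, and a wrong password bumps the bad-password counter on the disabled account) with the requested behaviour (skip a disabled account without binding and fall through to the next directory), and it models the workaround filter by evaluating the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803) against the ADS_UF_ACCOUNTDISABLE bit:

```python
"""Simulation of the multi-directory login flow described in CWD-4762.

Added example, not Crowd's own code. Two fake directories hold an account
for the same user; DOM1's copy is disabled and has a different password.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Bit value 2 of userAccountControl marks a disabled AD account.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
# OID of the extensible match rule used by the workaround filter
#   (!(userAccountControl:1.2.840.113556.1.4.803:=2))
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def bit_and_match(attr_value: int, mask: int) -> bool:
    """Semantics of the BIT_AND rule: true when every bit of mask is set."""
    return (attr_value & mask) == mask


@dataclass
class Account:
    password: str               # plaintext only because this is a simulation
    user_account_control: int
    bad_pwd_count: int = 0      # AD's bad-password counter, bumped per wrong bind


@dataclass
class Directory:
    name: str
    accounts: Dict[str, Account]
    # True models adding the userAccountControl clause to the Crowd user filter
    hide_disabled: bool = False

    def lookup(self, username: str) -> Optional[Account]:
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if self.hide_disabled and bit_and_match(acct.user_account_control,
                                                ADS_UF_ACCOUNTDISABLE):
            return None  # filtered out, so Crowd never sees this account
        return acct

    def bind(self, acct: Account, password: str) -> bool:
        """Simulated LDAP simple bind: a wrong password increments the counter."""
        if acct.password != password:
            acct.bad_pwd_count += 1
            return False
        # Right password but disabled account: the bind is refused, no bump.
        return not bit_and_match(acct.user_account_control, ADS_UF_ACCOUNTDISABLE)


def login_reported(dirs: List[Directory], user: str, pw: str) -> Tuple[bool, Optional[str]]:
    """Behaviour the ticket reports: the first directory holding the user
    gets the bind attempt, and its failure ends the login."""
    for d in dirs:
        acct = d.lookup(user)
        if acct is None:
            continue
        return d.bind(acct, pw), d.name
    return False, None


def login_proposed(dirs: List[Directory], user: str, pw: str) -> Tuple[bool, Optional[str]]:
    """Behaviour the ticket asks for: skip a disabled account without binding
    and fall through to the next directory in priority order."""
    for d in dirs:
        acct = d.lookup(user)
        if acct is None:
            continue
        if bit_and_match(acct.user_account_control, ADS_UF_ACCOUNTDISABLE):
            continue  # disabled: no bind, so the bad-password counter is untouched
        if d.bind(acct, pw):
            return True, d.name
    return False, None


def build_scenario(hide_disabled_in_dom1: bool = False) -> List[Directory]:
    """Constructed data: tom.fubar disabled on DOM1, active on DOM2, different passwords."""
    dom1 = Directory("DOM1",
                     {"tom.fubar": Account("dom1-secret",
                                           ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE)},
                     hide_disabled=hide_disabled_in_dom1)
    dom2 = Directory("DOM2", {"tom.fubar": Account("dom2-secret", ADS_UF_NORMAL_ACCOUNT)})
    return [dom1, dom2]  # DOM1 is higher priority


if __name__ == "__main__":
    for label, login, hide in (("reported", login_reported, False),
                               ("proposed", login_proposed, False),
                               ("reported + filter workaround", login_reported, True)):
        dirs = build_scenario(hide_disabled_in_dom1=hide)
        result = login(dirs, "tom.fubar", "dom2-secret")
        print(label, result, "DOM1 bad-password count:",
              dirs[0].accounts["tom.fubar"].bad_pwd_count)
```

Running it shows the three outcomes side by side: the reported flow fails at DOM1 and leaves the disabled DOM1 account with a bad-password count of 1, the proposed flow succeeds on DOM2 with the counter untouched, and the filter workaround makes the reported flow succeed on DOM2 because DOM1 no longer returns the account at all.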

Assignee: Unassigned
Reporter: Dish OTT
Votes: 0
Watchers: 2