Functional Account is getting locked repeatedly after password is reset (4226921)

Functional Account is getting locked repeatedly after password is reset

After changing the password for our AD Functional Account, it keeps locking out and preventing password changes from completing successfully.

This is an Active Directory replication issue. In large environments that have a large number of domain controllers and/or are geographically dispersed, it can take time for an accounts password to replicate around the whole environment.

In the interim, if TPAM attempts to use the new password to authenticate to a domain controllers that has not yet been updated, it will reject the authentication attempt due to invalid credentials. If there are many password changes queued in the Automation Engine, then TPAM will be attempting to authenticate multiple times, which could lead to the account becoming locked after X number of failed login attempts (depending on the policy settings).

Unfortunately, since the issue is AD related, there is little that can be done from TPAM to alleviate the issue. Replication will need to be completed to all domain controllers before the problem disappears.

SOLUTION

To avoid this issue, it is recommended that you set a static password for the Functional Account that never changes. If this is not feasible, due to your security policies, then an alternate suggestion is to set the account so that it cannot be locked out.

WORKAROUND

If the above solutions are not acceptable, then the suggested workaround is to stop the TPAM Automation Engine for a period of time (ie. 1 hour) immediately after the new functional account credentials have been set. Doing so will prevent TPAM from performing queued password changes that lead to failed authentications and account lockouts. After the environment is settled, you can restart the Automation Engine and continue with password changes as normal.

Note: In the event that an emergency password change is required while the Automation Engine is stopped, you can force a reset by navigating to the Account Management page for the Account in question and clicking the blue "Reset Password" button. If this is a domain account, the network address of the DC Managed System should point to a DC that has already replicated and will accept the new credentials.