Hi All,
I was wondering if anyone could help solve a mystery for me.
I'm testing on an integrated OIM and OAM environment. I'm using WNA to authenticate a user via the Kerberos module in OAM. The SamAccountName is matched to the uid in an OUD LDAP to complete authentication. Steps UIF, UI and UA all use the OUD identity store.

The mystery is that when the user is locked out in Active Directory they are still able to access a resource protected by the WNA authentication policy, i.e. WNA continues to work even after the user has been locked out.
kinit fails once the account is locked, yet when using a browser via OAM the login is successful. The KTA is using the same keytab.
Invalid credential while the account is unlocked:
[ybsxlx184@oam-dev1/dev1-wna]$kinit -t oamdev1.keytab t22909@YBS.COM
Password for t22909@YBS.COM:
kinit: Preauthentication failed while getting initial credentials
Valid credential after the account is locked:
[ybsxlx184@oam-dev1/dev1-wna]$kinit -t oamdev1.keytab t22909@YBS.COM
kinit: Clients credentials have been revoked while getting initial credentials
Can anyone provide a reason for this? Let me know what I'm misunderstanding.
Thanks,
Chris