Technical Note 1649
Last Reviewed 15-Oct-2013
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions)
Reflection Security Gateway 2014
If you configure Reflection management server to use an account to access the LDAP server, and then you change the password on that account without updating the Reflection configuration, then Reflection will continue to use the old password. This can cause the account to be locked out, and can also cause Reflection for the Web or Reflection Security Gateway (hereinafter referred to as Reflection) authentication failures. This technical note describes how to prevent this problem from occurring, and how to resolve it if it does.
As an example, if Reflection management server is configured to use a user's network account to access an LDAP server, and that user changes his or her password, then Reflection will continue to use the old password to access the LDAP server, and two problems can occur:
- The user may be locked out of the account. This happens because many network servers have automated policies that cause an account to be locked out if an incorrect password is used more than a certain number of times within a given time period. If Reflection repeatedly uses the old password to attempt to reach the LDAP server, then the network server may respond by locking the account, rendering it temporarily unusable. The user who normally uses the account to log into the network will be unable to log in.
- Users may not be able to access terminal sessions using Reflection. Instead, they may see one of the following error messages:
The Reflection server could not connect to your site's authentication server. Please contact your system administrator.
Due to technical error, the management server could not authenticate you. Please contact your system administrator.
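The lockout pattern described above has a simple detection signature on the LDAP side: one bind DN failing with invalidCredentials on every attempt until the policy threshold is reached. The script below is an added example, not part of this technical note or of the Reflection product; it scans constructed bind log lines (the log format, DNs and lockout parameters are assumptions) and reports any bind DN that is about to be locked, so the configured password can be corrected before users see the errors above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real Reflection or LDAP server format):
#   <ISO timestamp> BIND dn=<bind DN> result=<LDAP result code>   (49 = invalidCredentials)
LINE_RE = re.compile(r"^(\S+) BIND dn=(\S+) result=(\d+)$")
INVALID_CREDENTIALS = 49

def parse_line(line):
    """Return (timestamp, dn, result_code), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return None if not m else (datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3)))

def stale_credential_alerts(lines, threshold, window):
    """Return {dn: first_alert_time} for bind DNs whose invalidCredentials failures reach
    `threshold` within a sliding `window` (timedelta); a successful bind resets the count."""
    failures = defaultdict(deque)   # dn -> timestamps of recent failed binds
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip lines in other formats
        ts, dn, code = parsed
        if code == 0:
            failures[dn].clear()     # good password: the lockout counter resets
        elif code == INVALID_CREDENTIALS:
            recent = failures[dn]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()     # drop failures that fell out of the window
            if len(recent) >= threshold and dn not in alerts:
                alerts[dn] = ts
    return alerts

# Constructed sample: the Reflection service account (hypothetical DN) keeps binding with its
# old password after a 09:00 change; a user's one typo followed by a good login is not flagged.
SVC_DN = "cn=svc-rweb,ou=svc,dc=example,dc=com"
USER_DN = "cn=jdoe,ou=people,dc=example,dc=com"
SAMPLE_LOG = [
    "2013-10-15T09:00:00 BIND dn=%s result=49" % SVC_DN,
    "2013-10-15T09:00:10 BIND dn=%s result=49" % USER_DN,
    "2013-10-15T09:00:20 BIND dn=%s result=0" % USER_DN,
    "2013-10-15T09:00:30 BIND dn=%s result=49" % SVC_DN,
    "2013-10-15T09:01:00 BIND dn=%s result=49" % SVC_DN,
    "2013-10-15T09:01:30 BIND dn=%s result=49" % SVC_DN,
    "2013-10-15T09:02:00 BIND dn=%s result=49" % SVC_DN,
]

def run_sample():
    """Assumed lockout policy: five bad passwords within five minutes."""
    return stale_credential_alerts(SAMPLE_LOG, threshold=5, window=timedelta(minutes=5))
```

Setting the threshold slightly below the real lockout policy gives a warning while the account is still usable.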
If your network account gets locked, the network administrator can unlock it. On some types of networks (for example, networks run on Windows 2008 and Windows 2003 servers), you can still log into your machine locally even if you can't log into the domain because your account is locked. You can then log into the Reflection Administrative WebStation using the Reflection administrator password. The administrator password will work even if the LDAP server cannot be reached. Once you have opened the Administrative WebStation, you can change the password used to access the LDAP server. Open the Access Control Setup utility under Tools. Select Configure, and then click Next twice to open the LDAP configuration screen. In the LDAP Server section, enter the new password.
Be sure to change the password used to access the LDAP server as soon as possible after changing your account password on the network. It is best to do this when the Reflection server is not heavily loaded. You may want to suspend the account lockout policy while you change the password.
In a production environment, it is not good practice to use a regular user account for automated server processes that need to authenticate. Regular user accounts are more likely to have problems for a variety of reasons. For example, the password may change due to a normal password aging policy, or a malfunction on the user's local machine may cause the account to be locked out, which locks the server process out as well.
In a production environment, it is better practice to use a special account for the server process that is not normally used to log in for daily business and that is not subject to an automatic password aging policy.