Forum Discussion

Aviv
Mar 28, 2016

Captcha Works only once

Hi!

I am using Google CAPTCHA. If I insert the right CAPTCHA and a wrong password, the CAPTCHA disappears. Is it by design? I want APM to ask for CAPTCHA verification if the password is wrong. How can I configure that?

Thanks, Aviv Hassidim


1 Reply

  • A couple of details on how CAPTCHA and APM work.

    Let's assume you have the following setup for your access policy.

    Logon Page > AD Auth > Resource Assign > Allow
                         > fallback > Deny
    

    The "Track Logon Failures" and "Display CAPTCHA After Number of Logon Attempts Equals" counters are tracked as the user reaches an Allow or Deny ending in the access policy. For Allow, the counter gets reset; for Deny, it gets incremented.

    If you have AD Auth set up in your access policy, for example, and you use the defaults, then you will have three attempts at entering the password (as specified in the AD Auth agent's settings) before you reach the Deny ending for the first time.

    When you reach it, the failure counter for the user gets incremented (if tracking failures by username).

    Next time (in a new access session) you're first presented with a logon page without CAPTCHA. This is intentional for "per user" counting: as opposed to "per IP" counting, here we can only apply CAPTCHA after we receive the username.

    When it is entered along with the password, whether that password is correct or not, we find that the failure count for this user has exceeded the allowed limit. We need to expose CAPTCHA per the configuration and get a successful challenge.

    We do expose it, this time without any fields for username and password, as we have already got them at the previous step.

    Now the next step depends on whether the CAPTCHA verification succeeds or fails:

    • If it succeeds, we just go further in the access policy and try to do AD Auth.

      • If AD Auth also succeeds, we're good to go.

      • If it fails, the user will be asked to re-enter credentials, but no CAPTCHA is presented this time, as it has already been exposed for this access session and passed successfully.

    • If it fails, we now render the full logon page with both a new CAPTCHA challenge and fields for credentials; however, the credentials entered along with the CAPTCHA will only be considered if the CAPTCHA is entered correctly.

    As you can see, if you are presented with CAPTCHA and pass it but then fail the AAA auth, you will not be presented with CAPTCHA again until after you hit Deny in the access policy and have started a new session.

    Hope this helps!

    -Seth