[ERROR][sm-Ldap-00880] PropName: 'btUCG',

Article ID: 207952

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

We're running a Policy Server and we get the error:

  10840/55][Thu Jan 28 2021
  10:53:12][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880]
  (SetUserProp) DN:
  'cn=jsmith,dc=training,dc=com',
  PropName: 'myProp', PropValue:
  '202101010101:mydomain\myuser:[NDSEnc-J]fasdfsdfFSDfsdfsfsd44fsd1fsd'
  . Status: Error 50 . Insufficient access

which shows that the Policy Server still searches for an Attribute with
the name myProp. You have removed the UCG library from our Authscheme and
Response.

Moreover, the other Authentication Scheme has this URL configured:

  URL=https://myhost.mydomain.com/siteminderagent/login.fcc;ATTR=myProp;DOMAIN=mydomain;USERNAMEATTR=cn;ENCKEY=[NDSEnc-B]sfdfFSdFSDFFSDFRETGergbDFgDf121dszd45as4d;UPDATEWINDOW=-1

How can we fix this?

Resolution

At first glance, if you remove the UCG libraries, you no longer use
UCG, so you should also remove the UCG configuration. Looking at the
files you provided, it seems that you have installed that component on
the Web Server too: the URL contains "ucgupdate", which is the default
URI when that module is installed on the Web Server.

According to the documentation, when you install and configure UCG, you
need to create a Custom Authentication Scheme:

  eTrust SiteMinder User Context Gateway Installation and Configuration
  Guide Version 1.4

    1. Custom Authentication Scheme

    - The Custom Authentication Scheme takes the SiteMinder
      user password and checks it against the User Directory.
      If it is correct, it adds the password to the user attribute
      designated for the user's NT credentials and stores it in
      the required format.
      If the User Directory credentials are not the same as of NT
      domain used by the Web Server, this component should not
      be used.

    2. Active Response

    - The Active Response provides the configuration
      information to the ISAPI filter. This component is
      always used.

    p.6

    When running the installer on Windows 2000 or 2003 the
    installer offers to automatically configure IIS to use the UCG
    ISAPI filter and/or Wildcard Extension Map. The same dialog
    offers to create a virtual directory (named /ucgupdate/) to host
    the "update credentials" ASP file. Generally there is no reason
    to disable either of these options.

    p.14

    When a user logs into a realm protected with the UCG Authentication
    Scheme the scheme will automatically capture the user's credentials
    and store them, in an encrypted form, in a user attribute. The
    setting ATTR is used to specify the attribute that the UCG should
    use for this purpose.

    p.17

  https://ftpdocs.broadcom.com/phpdocs/7/5262/User_Context_Gateway_14.pdf
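
To find which Authentication Scheme still carries the UCG setting behind the error, the following added example (not Broadcom's code and not part of the original article) extracts the failing PropName from sm-Ldap-00880 entries and matches it against the ATTR value of each scheme parameter. It assumes the scheme parameters have been copied out as `KEY=value;KEY=value` strings with no `;` inside a value; the scheme names and sample data are constructed.

```python
import re

# Constructed sample data modeled on the log entry and scheme parameter quoted above.
SAMPLE_LOG = """[10840/55][Thu Jan 28 2021 10:53:12][SmDsLdapFunctionImpl.cpp:1367][ERROR][sm-Ldap-00880]
 (SetUserProp) DN: 'cn=jsmith,dc=training,dc=com', PropName: 'myProp', PropValue:
 '202101010101:mydomain\\myuser:[NDSEnc-J]CONSTRUCTED' . Status: Error 50 . Insufficient access"""
SAMPLE_SCHEMES = {  # scheme names are hypothetical
    "ucg-login": "URL=https://myhost.mydomain.com/siteminderagent/login.fcc;ATTR=myProp;"
                 "DOMAIN=mydomain;USERNAMEATTR=cn;ENCKEY=[NDSEnc-B]CONSTRUCTED;UPDATEWINDOW=-1",
    "forms-login": "https://myhost.mydomain.com/siteminderagent/forms/login.fcc",
}

# Captures DN, PropName and the LDAP status code; PropValue is deliberately never
# captured, so the encrypted credential blob does not end up in the report.
LOG_RE = re.compile(
    r"\[sm-Ldap-00880\].*?DN:\s*'([^']*)'.*?PropName:\s*'([^']*)'.*?Status:\s*Error\s*(\d+)"
)

def parse_scheme_param(param):
    """Split a 'KEY=value;KEY=value' scheme parameter into a dict (keys upper-cased)."""
    settings = {}
    for part in param.split(";"):
        key, sep, value = part.partition("=")
        if sep:  # a bare URL with no KEY= prefix yields no settings
            settings[key.strip().upper()] = value.strip()
    return settings

def failed_writes(log_text):
    """Return (dn, prop_name, ldap_status) for every SetUserProp failure, wrapped or not."""
    flat = " ".join(log_text.split())
    return [(dn, prop, int(code)) for dn, prop, code in LOG_RE.findall(flat)]

def correlate(log_text, schemes):
    """Map each failing attribute to the schemes whose ATTR setting still names it."""
    report = {}
    for dn, prop, code in failed_writes(log_text):
        owners = sorted(name for name, param in schemes.items()
                        if parse_scheme_param(param).get("ATTR", "").lower() == prop.lower())
        entry = report.setdefault(prop, {"status": code, "dns": set(), "schemes": owners})
        entry["dns"].add(dn)
    return report

if __name__ == "__main__":
    for prop, info in correlate(SAMPLE_LOG, SAMPLE_SCHEMES).items():
        print(f"{prop}: LDAP error {info['status']} for {len(info['dns'])} DN(s); "
              f"still configured in: {', '.join(info['schemes']) or 'no scheme found'}")
```

An empty scheme list for an attribute means the write is triggered from somewhere other than the exported scheme parameters.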