We're running a Policy Server and when this one cannot authenticate a
user, the smauthreason is always set to 0 even if the User Store gives
back the reason why the user cannot be authenticated:
AuthReject myPolicyServer [25/Jan/2021:11:32:16 +0100] "10.0.0.1 myUserA" "myApp GET /" [] [0] TSS7100E 001 J=MYUSERA A=00000 T=AD44414 F=XAAXX - Acid Suspended TSS7141E Use of Accessor ID Suspended [] []
AuthReject myPolicyServer [19/Jan/2021:10:42:13 +0100] "10.0.0.1 myUserB" "myApp GET /" [] [0] TSS7100E 007 J=MADSDE1 A=MYUSERB T=AD44414 F=XAAXX - Password Missing TSS7102E Password Missing [] []
[...]
We've configured the User Directory following that documentation:
Configure a CA LDAP Server for z/OS User Directory Connection
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/user-directories/configure-a-ca-ldap-server-for-z-os-user-directory-connection.html
Why does the Policy Server always return AuthReason as 0?
Policy Server 12.8SP3 on RedHat 7
At first glance, TSS as User Store has some limitations.
As per documentation, integration of Siteminder with TSS doesn't allow
the use of password services.
CA LDAP Server for z/OS does not support the following features:
Password Services
Password Services is not supported.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/user-directories/configure-a-ca-ldap-server-for-z-os-user-directory-connection.html
When looking at the smaccess log snippet you gave, we see that all
messages are related to account state and password:
Password Missing TSS7102E Password Missing
Incorrect Password TSS7101E Password is Incorrect
Password Violation Threshold Exceeded
Password Has Expired. New Password Missing
Password is Incorrect
Incorrect Password TSS7101E Password is Incorrect TSS7100E Excessive
PW Violations TSS7120E Password Violation Threshold Exceeded Acid
Suspended TSS7141E Use of Accessor ID Suspended
SmAuthReason = 0 means that the user needs to log in. As the out-of-the-box
Policy Server doesn't handle the different situations regarding the
state of the account to redirect to password services
(smpwservices.fcc), it is expected to see the smauthreason
being 0.
The "failed authentication" is related to the password and, as such, to the
password services. Without password services, if the password is not
the expected one, the only possible next step for the user is to come
back to the login page. And this is what the product does out of the
box.
The errors seen are related to password state:
8.2 Security Audit
The reaching of an unsuccessful authentication attempt threshold,
the actions taken when the threshold is reached, and any actions
taken to restore the normal state
N 0080000 XE18 17150 11:20:58.14 JOB00049 00000090 TSS7120E Password Violation Threshold Exceeded
N 0080000 XE18 17150 11:20:58.14 JOB00049 00000090 TSS7100E 001 J=BAHDE01C A=USER1 T=INTRDR F=BATCH - ACID SUSPENDED
N 0020000 XE18 17150 11:20:58.14 JOB00049 00000090 TSS7141E Use of Accessor ID Suspended
https://commoncriteriaportal.org/files/epfiles/st_vid10810-st.pdf
TSS7141E
USE OF ACCESSOR ID SUSPENDED
Reason:
Use of the ACID has been revoked.
Action:
An administrator must remove the ACID's suspension by using the TSS
REMOVE function.
https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/messages/tss-messages/tss7100e-to-tss7199a/tss7141e.html
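Since SmAuthReason stays 0 for every one of these rejects, the only field that distinguishes a suspended ACID from a simple wrong password is the free-text TSS message the user store returns at the end of the smaccess line. The following Python script is an added example, not part of the original thread or of the SiteMinder product: it parses AuthReject lines in the layout quoted above, pulls out the TSS message IDs, maps the ones named on this page (TSS7101E, TSS7102E, TSS7120E, TSS7141E) to an account/password state, and lists the users whose rejects show a suspended ACID so an operator knows a TSS REMOVE is needed rather than another login attempt. The first two sample lines are the ones from the question; the third is constructed for illustration, and the field names and state labels are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Layout of an smaccess AuthReject line as quoted in the question:
#   event server [timestamp] "client user" "agent method resource" [..] [SmAuthReason] <user store text>
SMACCESS_RE = re.compile(
    r'^(?P<event>\w+)\s+(?P<server>\S+)\s+'
    r'\[(?P<timestamp>[^\]]+)\]\s+'
    r'"(?P<client>\S+)\s+(?P<user>[^"]*)"\s+'
    r'"(?P<resource>[^"]*)"\s+'
    r'\[(?P<field1>[^\]]*)\]\s+\[(?P<auth_reason>[^\]]*)\]'
    r'(?:\s+(?P<detail>.*))?$'
)

# TSS message IDs look like TSSnnnnX (e.g. TSS7141E).
TSS_CODE_RE = re.compile(r'\bTSS\d{4}[A-Z]\b')

# Message IDs that appear on this page, mapped to an assumed state label.
# TSS7100E is the generic "logon failed" header carrying a sub-code; the
# specific cause is the message that follows it, so it is not mapped here.
TSS_STATE = {
    'TSS7101E': 'password_incorrect',
    'TSS7102E': 'password_missing',
    'TSS7120E': 'violation_threshold_exceeded',
    'TSS7141E': 'acid_suspended',
}

# Sample input: lines 1 and 2 are from the question, line 3 is constructed.
SAMPLE_LINES = [
    'AuthReject myPolicyServer [25/Jan/2021:11:32:16 +0100] "10.0.0.1 myUserA" '
    '"myApp GET /" [] [0] TSS7100E 001 J=MYUSERA A=00000 T=AD44414 F=XAAXX - '
    'Acid Suspended TSS7141E Use of Accessor ID Suspended [] []',
    'AuthReject myPolicyServer [19/Jan/2021:10:42:13 +0100] "10.0.0.1 myUserB" '
    '"myApp GET /" [] [0] TSS7100E 007 J=MADSDE1 A=MYUSERB T=AD44414 F=XAAXX - '
    'Password Missing TSS7102E Password Missing [] []',
    # constructed line modelled on the snippet in the answer
    'AuthReject myPolicyServer [19/Jan/2021:10:45:02 +0100] "10.0.0.1 myUserC" '
    '"myApp GET /" [] [0] Incorrect Password TSS7101E Password is Incorrect '
    'TSS7100E Excessive PW Violations TSS7120E Password Violation Threshold '
    'Exceeded [] []',
]


def parse_smaccess_line(line):
    """Return a dict of fields for one smaccess line, or None if it does not match."""
    m = SMACCESS_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    detail = (entry.get('detail') or '').strip()
    # Drop the trailing empty bracket fields ("[] []") the log appends.
    detail = re.sub(r'(\s*\[\])+$', '', detail)
    entry['detail'] = detail
    reason = entry['auth_reason']
    entry['auth_reason'] = int(reason) if reason.isdigit() else None
    entry['tss_codes'] = TSS_CODE_RE.findall(detail)
    entry['states'] = [TSS_STATE[c] for c in entry['tss_codes'] if c in TSS_STATE]
    return entry


def summarize(lines):
    """Per-user count of the account/password states the user store reported."""
    per_user = defaultdict(Counter)
    for line in lines:
        entry = parse_smaccess_line(line)
        if entry is None or entry['event'] != 'AuthReject':
            continue
        for state in (entry['states'] or ['unclassified']):
            per_user[entry['user']][state] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def suspended_users(lines):
    """Users with at least one TSS7141E reject: need an admin TSS REMOVE, not a retry."""
    return sorted(u for u, c in summarize(lines).items() if c.get('acid_suspended'))


if __name__ == '__main__':
    for user, counts in summarize(SAMPLE_LINES).items():
        print(user, counts)
    print('suspended:', suspended_users(SAMPLE_LINES))
```

The regex keys on the quoted fields and the two bracketed fields before the user store text, so it tolerates arbitrary text after `[0]`; anything that does not match that shape (other event types with a different layout, truncated lines) is returned as None and skipped rather than misclassified.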