Management of Authentication failure when using TSS

Article ID: 208669

Products

SITEMINDER

Issue/Introduction

 

We're running a Policy Server and when this one cannot authenticate a
user, the smauthreason is always set to 0 even if the User Store gives
back the reason why the user cannot be authenticated:

    AuthReject myPolicyServer [25/Jan/2021:11:32:16 +0100] "10.0.0.1 myUserA" "myApp GET /" [] [0] TSS7100E 001 J=MYUSERA A=00000 T=AD44414 F=XAAXX - Acid Suspended TSS7141E Use of Accessor ID Suspended [] []

    AuthReject myPolicyServer [19/Jan/2021:10:42:13 +0100] "10.0.0.1 myUserB" "myApp GET /" [] [0] TSS7100E 007 J=MADSDE1 A=MYUSERB T=AD44414 F=XAAXX - Password Missing TSS7102E Password Missing [] []

    [...]

We've configured the User Directory following this documentation:

  Configure a CA LDAP Server for z/OS User Directory Connection
  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/user-directories/configure-a-ca-ldap-server-for-z-os-user-directory-connection.html

Why does the Policy Server always return AuthReason as 0?

 

Environment

 

Policy Server 12.8SP3 on RedHat 7

 

Resolution

 

First, CA Top Secret (TSS) used as a User Store has some limitations.

As per the documentation, the Siteminder integration with TSS through CA
LDAP Server for z/OS does not allow the use of Password Services.

  CA LDAP Server for z/OS does not support the following features:
  
    Password Services
    Password Services is not supported.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/user-directories/configure-a-ca-ldap-server-for-z-os-user-directory-connection.html

Looking at the smaccess log snippet you gave, all the messages relate to
account state and password:

  Password Missing TSS7102E Password Missing
  Incorrect Password TSS7101E Password is Incorrect
  Password Violation Threshold Exceeded
  Password Has Expired. New Password Missing
  Password is Incorrect

  Incorrect Password TSS7101E Password is Incorrect TSS7100E Excessive
  PW Violations TSS7120E Password Violation Threshold Exceeded Acid
  Suspended TSS7141E Use of Accessor ID Suspended


SmAuthReason 0 is the default value (no specific reason); to the agent it
only means that the user needs to log in again. Out of the box, the
Policy Server does not map the account-state conditions this user store
reports (suspended ACID, missing or incorrect password, violation
threshold exceeded) to a Password Services redirect (smpwservices.fcc),
so an smauthreason of 0 is the expected result.

The "failed authentication" is a password problem, and password problems
are the domain of Password Services. Without Password Services, when the
password is not the expected one, the only possible next step for the
user is to go back to the login page, and this is what the product does
out of the box. Note that for a suspended ACID (TSS7141E) even a correct
password cannot succeed until an administrator lifts the suspension, so
the reason has to be read from the user-store detail in smaccess rather
than from SmAuthReason.
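Because SmAuthReason stays 0, the only place the real reason survives is the free-text tail of the AuthReject line. The following parser is an added example and is not part of this article or of the Siteminder product: it reads the AuthReject layout shown in the snippets above (the field order is inferred from those snippets), pulls out the TSS message codes quoted on this page, and sorts rejected users into "retry the login page" versus "needs a TSS REMOVE by an administrator". The first two sample lines reproduce the article's snippets; the third is constructed for the demo.

```python
"""Recover the Top Secret (TSS) reason that SmAuthReason drops.

Added example, not Broadcom's or Siteminder's code. The AuthReject field
layout is inferred from the smaccess snippets in the article; the sample
lines below are embedded so the script runs offline.
"""
import re

# Layout seen in the article's AuthReject lines:
#   <event> <server> [<timestamp>] "<client ip> <user>" "<resource>" [..] [<authreason>] <detail> [..] [..]
AUTHREJECT_RE = re.compile(
    r'^(?P<event>AuthReject) (?P<server>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<client_ip>\S+) (?P<user>[^"]*)" "(?P<resource>[^"]*)" '
    r'\[(?P<field1>[^\]]*)\] \[(?P<authreason>\d*)\] '
    r'(?P<detail>.*?) \[(?P<field2>[^\]]*)\] \[(?P<field3>[^\]]*)\]$'
)

# TSS message codes quoted in the article and what they mean for the account.
TSS_CODES = {
    "TSS7100E": "authentication failed (header line, reason text follows)",
    "TSS7101E": "password is incorrect",
    "TSS7102E": "password missing",
    "TSS7120E": "password violation threshold exceeded",
    "TSS7141E": "use of accessor ID (ACID) suspended",
}

# Constructed sample input: lines 1 and 2 are the article's snippets joined
# onto one line each, line 3 is made up for the demo.
SAMPLE_LINES = [
    'AuthReject myPolicyServer [25/Jan/2021:11:32:16 +0100] "10.0.0.1 myUserA" "myApp GET /" [] [0] '
    'TSS7100E 001 J=MYUSERA A=00000 T=AD44414 F=XAAXX - Acid Suspended TSS7141E Use of Accessor ID Suspended [] []',
    'AuthReject myPolicyServer [19/Jan/2021:10:42:13 +0100] "10.0.0.1 myUserB" "myApp GET /" [] [0] '
    'TSS7100E 007 J=MADSDE1 A=MYUSERB T=AD44414 F=XAAXX - Password Missing TSS7102E Password Missing [] []',
    'AuthReject myPolicyServer [26/Jan/2021:09:01:44 +0100] "10.0.0.1 myUserC" "myApp GET /" [] [0] '
    'TSS7100E 001 J=MYUSERC A=00000 T=AD44414 F=XAAXX - Incorrect Password TSS7101E Password is Incorrect '
    'TSS7120E Password Violation Threshold Exceeded [] []',
]


def parse_authreject(line):
    """Return the fields of one AuthReject line, or None if the line does not match."""
    m = AUTHREJECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["authreason"] = int(rec["authreason"]) if rec["authreason"] else None
    # TSS codes in the free-text tail, first occurrence order, without duplicates.
    codes = []
    for code in re.findall(r"TSS\d{4}[A-Z]", rec["detail"]):
        if code not in codes:
            codes.append(code)
    rec["tss_codes"] = codes
    rec["tss_meaning"] = [TSS_CODES.get(c, "unknown TSS message") for c in codes]
    return rec


def classify(rec):
    """Map the TSS codes of a parsed record to the next step for the user."""
    codes = set(rec["tss_codes"])
    if "TSS7141E" in codes:
        return "locked"        # ACID suspended: an administrator must run TSS REMOVE
    if "TSS7120E" in codes:
        return "threshold"     # violation threshold hit: the ACID is about to be suspended
    if codes & {"TSS7101E", "TSS7102E"}:
        return "bad_password"  # plain credential error: the login page is the right next step
    return "unknown"


def store_reason_dropped(rec):
    """True when the Policy Server reported reason 0 although the user store named a reason."""
    return rec["authreason"] == 0 and bool(rec["tss_codes"])


def triage(lines):
    """Group the users of all AuthReject lines by category, skipping lines in other layouts."""
    groups = {}
    for line in lines:
        rec = parse_authreject(line)
        if rec is None:
            continue
        groups.setdefault(classify(rec), []).append(rec["user"])
    return groups


if __name__ == "__main__":
    for category, users in triage(SAMPLE_LINES).items():
        print(f"{category:13s} {', '.join(users)}")
```

Run it against a real smaccess file by reading its lines into `triage()`; the "locked" bucket is the list to hand to the TSS administrator, since those users cannot recover through the login page no matter how many times they retry.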

The errors seen are related to password state, as described in the CA Top
Secret Security Target:

8.2 Security Audit

  The reaching of an unsuccessful authentication attempt threshold,
  the actions taken when the threshold is reached, and any actions
  taken to restore the normal state

  N 0080000 XE18 17150 11:20:58.14 JOB00049 00000090 TSS7120E Password Violation Threshold Exceeded

  N 0080000 XE18 17150 11:20:58.14 JOB00049 00000090 TSS7100E 001 J=BAHDE01C A=USER1 T=INTRDR F=BATCH - ACID SUSPENDED

  N 0020000 XE18 17150 11:20:58.14 JOB00049 00000090 TSS7141E Use of Accessor ID Suspended

https://commoncriteriaportal.org/files/epfiles/st_vid10810-st.pdf

TSS7141E

  USE OF ACCESSOR ID SUSPENDED

  Reason:

  Use of the ACID has been revoked.

  Action:

  An administrator must remove the ACID's suspension by using the TSS
  REMOVE function.

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/messages/tss-messages/tss7100e-to-tss7199a/tss7141e.html