Disabled Flag values for siteminder password policy


Article ID: 211519


Updated On:

Products

SITEMINDER

Issue/Introduction

How can I tell the exact reason why a user account is disabled during authentication?

Cause

The answer depends on whether the SiteMinder password policy is enabled or not.

SiteMinder requires read/write access to the user directory, including exclusive use of several attributes within that directory to store passwords and password-related information.
If your user directory has a native password policy, that policy must be less restrictive than the SiteMinder password policy, or it must be disabled.
Otherwise the native password policy accepts or rejects passwords without notifying SiteMinder. Therefore, SiteMinder cannot manage those passwords.
 
By default, if a user enters incorrect information when changing a password, SiteMinder returns a generic failure message. This message does not specify the failure reason.
Create and enable the DisallowForceLogin registry key to change the default behavior and explicitly tell users why the change failed.
 
If AD is used as the user store, "Enhanced Active Directory Integration" should be turned on in the Administrative UI under the Policy Server Global Tools task.
This option improves the integration between the Policy Server user management feature and Password Services with Active Directory by synchronizing Active Directory user attributes with CA Single Sign-On mapped user attributes.
These attributes are:
  • accountExpires
  • userAccountControl
  • pwdLastSet
  • unicodePwd
  • lastLogon
  • lastLogonTimestamp
  • badPasswordTime
  • badPwdCount
  • lockoutTime
  • lockoutDuration
  • pwdMaxAge

Environment

Release : 12.8

Component : SITEMINDER -POLICY SERVER

Resolution

When a SiteMinder user directory is created, there is an option to map the LDAP directory attribute that SiteMinder uses to track disabled users.

For LDAP, this is a string attribute, usually Disabled Flag (RW) = carLicense.

The possible Disabled Flag values are:

0 – Enabled
1 – Admin disabled
2 – Max login failures
4 – Disabled due to inactivity
8 – Disabled due to pw expiring
16777216 – Force change password on next login

You can query the value from LDAP directly, or let the agent interpret the value into smauthreason and then render an appropriate response to users.
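As an added worked example (not part of this article and not SiteMinder's own code), the following Python decodes a Disabled Flag value read from the mapped attribute (for example carLicense) into the reasons listed above. It assumes the listed values are individual bits of a mask that can be combined (16777216 is 0x1000000), that the attribute is stored as a decimal string, and that only the 1/2/4/8 bits block authentication while the force-change bit alone still allows login so the user can change the password. The directory values in the sample are constructed.

```python
# Added example: decode the SiteMinder "Disabled Flag" attribute value.
# Assumption: the values from the article are bits of a mask and may be ORed together.
DISABLED_FLAG_BITS = {
    1: "Admin disabled",
    2: "Max login failures",
    4: "Disabled due to inactivity",
    8: "Disabled due to pw expiring",
    16777216: "Force change password on next login",  # 0x1000000
}

# Assumption: these bits block authentication; the force-change bit does not.
BLOCKING_MASK = 1 | 2 | 4 | 8


def parse_disabled_flag(raw):
    """Parse the directory string value into an int.

    Returns None for an empty or unparsable value so callers can treat it as
    'attribute not set' instead of silently reading it as enabled (0).
    """
    if raw is None:
        return None
    text = str(raw).strip()
    if text == "":
        return None
    try:
        return int(text)  # attribute is assumed to be stored as a decimal string
    except ValueError:
        return None


def decode_disabled_flag(value):
    """Return the list of reasons encoded in a Disabled Flag value.

    Bits not listed in the article are reported as unknown so that an
    unexpected value is noticed rather than ignored.
    """
    if value is None or value == 0:
        return []
    reasons = []
    remaining = value
    for bit, reason in sorted(DISABLED_FLAG_BITS.items()):
        if value & bit:
            reasons.append(reason)
            remaining &= ~bit
    if remaining:
        reasons.append("Unknown bits: 0x%x" % remaining)
    return reasons


def account_disabled(value):
    """True when a bit that blocks authentication is set (see BLOCKING_MASK)."""
    return bool(value) and (value & BLOCKING_MASK) != 0


# Constructed sample data standing in for values read from the directory.
SAMPLE_ENTRIES = {
    "uid=alice": "0",          # enabled
    "uid=bob": "2",            # max login failures
    "uid=carol": "16777217",   # admin disabled + force change password
    "uid=dave": "",            # attribute never set
    "uid=erin": "abc",         # corrupted value
}


def report(entries):
    """Map each entry DN to its decoded reasons (or a note that the flag is unusable)."""
    out = {}
    for dn, raw in entries.items():
        value = parse_disabled_flag(raw)
        if value is None:
            out[dn] = ["Disabled Flag not set or unparsable"]
        else:
            out[dn] = decode_disabled_flag(value)
    return out


if __name__ == "__main__":
    for dn, reasons in report(SAMPLE_ENTRIES).items():
        print(dn, "->", reasons or ["Enabled"])
```

Treating an unparsable or missing attribute as a distinct state, rather than as 0, matters because a help-desk tool that reads "not set" as "enabled" would give the wrong answer for exactly the accounts the article is about.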

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies.html

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/administrating/adjust-policy-server-global-settings.html