When running a Web Agent, if a user enters the wrong login password while
trying to change their password through a Custom Password Services Page,
the browser returns to the Login Page instead of the Custom Change
Password Page. The browser sends a valid SMSESSION cookie.
PWS.fcc is used to submit the new password:
@User=%User%
@username=%urldecode(User)%
@smretries=0
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>
</BODY>
</HTML>
Web Agent 12.52SP1CR09 on OHS 12.1.3 on OEL 7
Policy Server 12.8 on OEL 6
PWS.fcc is an old, deprecated part of the password services that was
originally used by the deprecated smpwservicescgi (1).
The documentation mentions the DisallowForceLogin registry key, which is
related to the above behavior (2).
Note that, out of the box, smpwservices.fcc is the default password
services, and DisallowForceLogin only gives a precise message for
smpwservices.fcc. By default, if the old password is wrong, the
browser is redirected to smpwservices.fcc even without
DisallowForceLogin configured.
Set DisallowForceLogin to 1 on the Policy Server to resolve this
issue.
(1)
In the Web Agent 12.52SP1CR01, I don't find smpwservicescgi.exe
https://knowledge.broadcom.com/external/article?articleId=36934
(2)
Incorrect Password Message Does Not Appear
Symptom:
When a user submits a password change request that contains an invalid
current password, the Password Change Information screen does not open
with a message stating that the current password is incorrect. Rather,
the Policy Server redirects the user to:
- The login screen without the message if an On-Auth-Reject-Redirect
response is not bound to the policy configured with the user
directory
- The URL associated with the On-Auth-Reject-Redirect response bound
to the policy configured with the user directory
Solution:
Enable the DisallowForceLogin registry key, which is located at
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer.
DisallowForceLogin
Redirects users to the Password Change Information screen to re-enter
the current password when the change request contains an invalid
current password.
KeyType: REG_DWORD
Value: 0 (disabled) or 1 (enabled)
Default: 0 (disabled)
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/password-policy-troubleshooting.html