Incorrect old password change redirects to login.fcc

Article ID: 214687


Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

When running the Web Agent, if a user enters the wrong current password
while trying to change their password through a Custom Password Services
page, the browser comes back to the Login page instead of the Custom
Change Password page, even though the browser is sending a valid
SMSESSION cookie.

PWS.fcc is used to submit the new password:

    @User=%User%
    @username=%urldecode(User)%
    @smretries=0

    <HTML>
    <HEAD>
    <TITLE></TITLE>
    </HEAD>
    <BODY>
    </BODY>
    </HTML>

Cause

PWS.fcc is an old, deprecated part of Password Services that was
originally used by the deprecated smpwservicescgi (1).

The documentation describes the DisallowForceLogin registry key, which
governs the behavior above (2).

Note that out of the box smpwservices.fcc is the default Password
Services form, and DisallowForceLogin only returns the precise
"incorrect password" message to smpwservices.fcc. By default, if the
old password is wrong, the browser is redirected to smpwservices.fcc
even without DisallowForceLogin configured.

Environment

  Web Agent 12.52SP1CR09 on OHS 12.1.3 on OEL 7;
  Policy server 12.8 on OEL 6;

Resolution

Set DisallowForceLogin to 1 on the Policy Server to resolve this
issue.
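As an added check (example code, not part of this article or of the SiteMinder product): on a Unix Policy Server the registry is kept in the sm.registry file, and the parser below reads a constructed registry sample in the line layout assumed for that file, reporting whether DisallowForceLogin is effectively enabled under the PolicyServer key and treating a missing key as the documented default of 0 (disabled).

```python
import re

# Registry path quoted in the Broadcom documentation cited in this article.
POLICY_SERVER_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer"
)

# Constructed sample in the layout assumed for a Unix sm.registry file:
# a section header "HKEY_...=<n>" followed by "Name=value; REG_TYPE" lines.
# The second section carries a same-named key to show it is ignored.
SAMPLE_REGISTRY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer=3
    EnableAuditLog=0x1;     REG_DWORD
    DisallowForceLogin=0x0; REG_DWORD
    LogFileName=smps.log;   REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database=1
    DisallowForceLogin=0x1; REG_DWORD
"""

VALUE_LINE = re.compile(r"([^=]+)=(.*?);\s*(REG_\w+)$")


def parse_section(text, section):
    """Return {name: (value, reg_type)} for the values under one section header."""
    values = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            # Header lines end with "=<n>"; compare only the key path.
            in_section = line.split("=", 1)[0] == section
            continue
        m = VALUE_LINE.match(line)
        if in_section and m:
            values[m.group(1).strip()] = (m.group(2).strip(), m.group(3))
    return values


def disallow_force_login_enabled(text):
    """True only if DisallowForceLogin is a REG_DWORD equal to 1 under the
    PolicyServer key; a missing key means the documented default, 0."""
    entry = parse_section(text, POLICY_SERVER_KEY).get("DisallowForceLogin")
    if entry is None:
        return False
    value, reg_type = entry
    return reg_type == "REG_DWORD" and int(value, 0) == 1


if __name__ == "__main__":
    state = "enabled" if disallow_force_login_enabled(SAMPLE_REGISTRY) else "disabled"
    print(f"DisallowForceLogin is {state}")  # sample: disabled
```

On a Windows Policy Server the same key sits under the HKEY_LOCAL_MACHINE path named in the documentation quoted below rather than in a file.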

Additional Information

(1)

    In the Web Agent 12.52SP1CR01, I don't find smpwservicescgi.exe
    https://knowledge.broadcom.com/external/article?articleId=36934

(2)

    Incorrect Password Message Does Not Appear

    Symptom:

    When a user submits a password change request that contains an invalid
    current password, the Password Change Information screen does not open
    with a message stating that the current password is incorrect. Rather,
    the Policy Server redirects the user to:

    - The login screen without the message if an On-Auth-Reject-Redirect
      response is not bound to the policy configured with the user
      directory

    - The URL associated with the On-Auth-Reject-Redirect response bound
      to the policy configured with the user directory

    Solution:

    Enable the DisallowForceLogin registry key, which is located at
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer.

    DisallowForceLogin

    Redirects users to the Password Change Information screen to re-enter
    the current password when the change request contains an invalid
    current password.

    KeyType: REG_DWORD
    Value: 0 (disabled) or 1 (enabled)
    Default: 0 (disabled)

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/password-policy-troubleshooting.html