Use case:
Policy Server1 (PS1) configured with AdminUI1
Policy Server2 (PS2) configured with AdminUI2
Log on to AdminUI1 and create a "Legacy Administrator" named 'admin1'.
admin1 can log on to AdminUI1 successfully.
When admin1 logs on to AdminUI2, the following error appears in the AdminUI server.log file:
2021-01-01 01:01:01,011 [ERROR] com.ca.siteminder.framework.xps.security.AdministratorRelationship [] - Failed to fetch administrator record for user: [admin1] uid=admin1,ou=Administrators,ou=SiteMinder,dc=xx,dc=xx,dc=xx,dc=xxx
com.ca.siteminder.uiagent.UIAgentException: Cause: java.lang.RuntimeException: Unable to establish administration context.
Release : 12.8.0x
Component : SITEMINDER WAM UI
A Legacy Administrator is for legacy admin activities such as Trusted Host Registration.
An Admin account for logging on to the AdminUI is a separate object.
When you create a Legacy Administrator, however, an XPS Layer object for the same Admin account is also created.
A ServerCommand is created only for the Legacy Admin object, not for the XPS Layer object of the same account.
As a result, the Legacy Admin account is recognized by all Policy Servers, but the AdminUI logon account is not.
Creating a "Legacy Administrator" is meant to create a "Legacy Administrator" object, and this is working fine.
The XPS Layer object of the Admin account is correctly replicated to the other Policy Stores, but because there is no ServerCommand, the other Policy Servers are unaware that the object exists.
1. If you restart PS2, it fetches everything from the policy store, including the XPS Layer Admin object, so 'admin1' can log on to AdminUI2.
2. Alternatively, create the XPS Administrator manually from AdminUI2 with the matching username 'admin1'. 'admin1' can then log on to AdminUI2.
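To find which administrators are affected before applying either workaround, the AdminUI server.log can be scanned for the error pair shown above. The following is an added example, not code from the product or its vendor; the function name find_unknown_admins is hypothetical, the log layout is assumed to match the two lines quoted above, and the sample input is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the server.log error quoted above;
# the admin2 entry and the INFO line are made up for illustration.
SAMPLE_LOG = """\
2021-01-01 01:01:01,011 [ERROR] com.ca.siteminder.framework.xps.security.AdministratorRelationship [] - Failed to fetch administrator record for user: [admin1] uid=admin1,ou=Administrators,ou=SiteMinder,dc=xx,dc=xx,dc=xx,dc=xxx
com.ca.siteminder.uiagent.UIAgentException: Cause: java.lang.RuntimeException: Unable to establish administration context.
2021-01-01 01:05:00,000 [INFO] example.Constructed [] - unrelated line
2021-01-01 02:02:02,022 [ERROR] com.ca.siteminder.framework.xps.security.AdministratorRelationship [] - Failed to fetch administrator record for user: [admin2] uid=admin2,ou=Administrators,ou=SiteMinder,dc=xx,dc=xx,dc=xx,dc=xxx
2021-01-01 03:03:03,033 [ERROR] com.ca.siteminder.framework.xps.security.AdministratorRelationship [] - Failed to fetch administrator record for user: [admin1] uid=admin1,ou=Administrators,ou=SiteMinder,dc=xx,dc=xx,dc=xx,dc=xxx
com.ca.siteminder.uiagent.UIAgentException: Cause: java.lang.RuntimeException: Unable to establish administration context.
"""

FETCH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[ERROR\] "
    r"\S*AdministratorRelationship \[.*?\] - Failed to fetch administrator "
    r"record for user: \[(?P<user>[^\]]+)\]\s*(?P<dn>.*)$"
)
CONTEXT_FAIL = "Unable to establish administration context"


def find_unknown_admins(log_text):
    """Return {user: {"dn", "failures", "context_errors", "first_seen"}}."""
    hits = defaultdict(lambda: {"dn": "", "failures": 0,
                                "context_errors": 0, "first_seen": None})
    last_user = None  # user named by the immediately preceding line, if any
    for line in log_text.splitlines():
        m = FETCH_FAIL.match(line)
        if m:
            rec = hits[m["user"]]
            rec["dn"] = m["dn"].strip()
            rec["failures"] += 1
            rec["first_seen"] = rec["first_seen"] or m["ts"]
            last_user = m["user"]
            continue
        # Attribute the exception only when it directly follows a fetch failure.
        if last_user and CONTEXT_FAIL in line:
            hits[last_user]["context_errors"] += 1
        last_user = None
    return dict(hits)


if __name__ == "__main__":
    for user, rec in sorted(find_unknown_admins(SAMPLE_LOG).items()):
        print(user, rec)
```

An account reported here by AdminUI2 that logs on normally at AdminUI1 matches the situation described above.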