Policy Server User Directories search order to apply Password Policies


Article ID: 224140


Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

When running a SiteMinder Policy Server and protecting a resource in a
Domain that has two User Directories, which one triggers its Password
Policy first if the user presents a wrong password for each of them?
Each User Directory has its own Password Policy.

 

Environment

 

Policy Server all versions

 

Resolution

 

In the AdminUI, on the Domain's General pane, you should see the User
Directories associated with that Domain. To the right of each entry are
up and down arrows; they set the position of the User Directory in the
search order. The directory at the top of the list is visited first and
the one at the bottom is visited last.

For instance, if both Password Policies disable the user after one
wrong password, then when the user presents a wrong password the Policy
Server disables the user in the first User Directory, then tries to
authenticate the user against the second directory, and disables the
user there as well.

If the user is already disabled, a different scenario occurs, and a
Policy Server registry key lets you control the Policy Server's
behavior.

As per the documentation, by default the Policy Server visits all the
User Directories until it finds one in which the user is not disabled.
This behavior can be changed so that the search stops at the first
directory in which the user is found disabled (1).

So, when the user is already disabled, if you have not set
ReturnOnDisabledUser to 1 in the Policy Server registry, the Password
Policy executed is the one of the last User Directory visited; with
ReturnOnDisabledUser set to 1, the search stops at the first User
Directory in which the user is disabled, and that directory's Password
Policy is the one executed.
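To make the search order and the effect of ReturnOnDisabledUser concrete, the following Python model is added here; it is not SiteMinder code, and the class and function names (PasswordPolicy, UserDirectory, PolicyServer, make_domain), the sample directories DirA and DirB, and the password "secret" are assumptions of the model. It reproduces only the rules stated in this article: directories are visited in AdminUI order, each applies its own Password Policy (only the lockout rule is modelled), and ReturnOnDisabledUser decides whether the search continues past a store in which the user is already disabled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """One User Directory's Password Policy (only the lockout rule is modelled)."""
    name: str
    max_failures: int  # disable the user after this many wrong passwords


@dataclass
class UserDirectory:
    """A user store in the Domain, holding one user's state (constructed sample data)."""
    name: str
    policy: PasswordPolicy
    password: str  # the user's password in this store (sample value, not a real secret)
    failures: int = 0
    disabled: bool = False

    def try_login(self, presented: str) -> bool:
        """Apply this directory's Password Policy to a single login attempt."""
        if presented == self.password:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.disabled = True
        return False


@dataclass
class PolicyServer:
    """Directories in AdminUI order (top of the list first) plus the registry value."""
    directories: List[UserDirectory]
    return_on_disabled_user: int = 0  # default 0: keep searching past a disabled user

    def authenticate(self, presented: str) -> Tuple[bool, List[str], Optional[str]]:
        """Return (authenticated, directories visited in order, policy applied last)."""
        visited: List[str] = []
        last_policy: Optional[str] = None
        for d in self.directories:
            visited.append(d.name)
            last_policy = d.policy.name
            if d.disabled:
                if self.return_on_disabled_user == 1:
                    break  # stop at the first store in which the user is disabled
                continue   # default: look for a store in which the user is enabled
            if d.try_login(presented):
                return True, visited, last_policy
        return False, visited, last_policy


def make_domain(return_on_disabled_user: int = 0) -> PolicyServer:
    """Two directories, each with a one-strike Password Policy, as in the article."""
    return PolicyServer(
        [
            UserDirectory("DirA", PasswordPolicy("PP-A", max_failures=1), "secret"),
            UserDirectory("DirB", PasswordPolicy("PP-B", max_failures=1), "secret"),
        ],
        return_on_disabled_user,
    )


if __name__ == "__main__":
    for flag in (0, 1):
        ps = make_domain(flag)
        print(f"ReturnOnDisabledUser={flag}")
        # first attempt with a wrong password disables the user in both stores
        print("  wrong password:  ", ps.authenticate("wrong"))
        # second attempt: default visits both stores, the key stops at DirA
        print("  correct password:", ps.authenticate("secret"))
```

Running the script shows the two cases from the article: with the default value a wrong password disables the user in DirA and then in DirB, and a later attempt still visits both stores, so the Password Policy reported is PP-B; with ReturnOnDisabledUser set to 1 the later attempt stops at DirA and PP-A applies. Setting the flag also changes the outcome when the user is disabled in DirA only: the default goes on to DirB and authenticates there, while the key makes the login fail at DirA.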

 

Additional Information

 

(1)

    Limit Policy Server Search to One User Store during Authentication

      A single user can be stored in more than one user directory or
      database that is associated with a policy domain. This user has
      the same password in each user store. During the authentication
      process, the Policy Server can find that a user is disabled in one
      user store. However, by default, it continues searching for the
      user in all stores that are associated with the policy domain. The
      user fails authentication only if the Policy Server finds the user
      that is disabled in all associated user stores. The user is
      authenticated if it is enabled in any associated user store.

      This default behavior is configurable. Stop the Policy Server from
      searching directories after it finds the user that is disabled in
      a user store.

      Follow these steps:

      Add the registry key ReturnOnDisabledUser:
      Windows
      Add the registry key ReturnOnDisabledUser to the following location:
      HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer

      Assign ReturnOnDisabledUser the value of one.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes.html