
Error: Ticket identity and user identity DO NOT MATCH SiebelConnector


Article ID: 257718


Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

When the Policy Server runs with the ERP Agent for Siebel, it does not accept the third-party cookie and reports the following error:

[12/16/2022][11:48:08.506][11:48:08][27887][139786926733056][SmAuthUser.cpp:784][ServerTrace][][][][][][][][][][][][][][][][][][][][Ticket identity ('myUser') and user identity ('') DO NOT MATCH - possible attack][SiebelConnector: Ticket identity ('myUser') and user identity ('') DO NOT MATCH - possible attack]

Cause

 

The User Directory is Active Directory and the user identity is reported to have no value: ('').

smtracedefault.log:

[12/23/2022][10:34:02.184][10:34:02][2111][140644332857088][SmAuthUser.cpp:784][ServerTrace][][][][][][][][][][][][][][][][][][][][Failed to retrieve DN from ticket.][SiebelConnector: Failed to retrieve DN from ticket.]

[12/23/2022][10:34:02.189][10:34:02][2111][140644332857088][SmAuthUser.cpp:5578][CSmAuthUser::Authenticate][][][][EXT2006940][][][][Active Directory][][][][][][][][][][][][LDAP://ldap1.mydomain.com,ldap2.mydomain.com/CN=myUser,DC=training,DC=com][Authenticating user by the auth scheme]

[12/23/2022][10:34:02.189][10:34:02][2111][140644332857088][SmAuthUser.cpp:784][ServerTrace][][][][][][][][][][][][][][][][][][][][Loading configuration string FCC=https://myserver.mydomain.com/authscheme/myAuthScheme.html][SiebelConnector: Loading configuration string FCC=https://myserver.mydomain.com/authscheme/myAuthScheme.html]

[12/23/2022][10:34:02.192][10:34:02][2111][140644332857088][SmAuthUser.cpp:784][ServerTrace][][][][][][][][][][][][][][][][][][][][Ticket identity ('EXT2006940') and user identity ('') DO NOT MATCH - possible attack][SiebelConnector: Ticket identity ('myUser') and user identity ('') DO NOT MATCH - possible attack]

[12/23/2022][10:34:06.490][10:34:06][2111][140642386700032][SmAuthUser.cpp:784][ServerTrace][][][][][][][][][][][][][][][][][][][][LoginName not found Or EnforceAttrUsage is Yes. Using defined User Attribute.][SiebelConnector: LoginName not found Or EnforceAttrUsage is Yes. Using defined User Attribute.]
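To tell the condition described here (an empty user identity) apart from a mismatch between two non-empty identities, the trace can be triaged with a short script. This is an added example, not CA/Broadcom code; the field layout, the reading of the fifth field as a thread id, and the sample lines are assumptions constructed from the excerpts above.

```python
import re

# Leading trace fields: [date][time.ms][time][pid][tid]. Reading the fifth
# field as a thread id is an assumption drawn from the sample lines.
HEAD = re.compile(r"^\[(\d{2}/\d{2}/\d{4})\]\[([\d:.]+)\]\[[\d:]+\]\[(\d+)\]\[(\d+)\]")
MISMATCH = re.compile(
    r"Ticket identity \('([^']*)'\) and user identity \('([^']*)'\) DO NOT MATCH")
DN_FAIL = "Failed to retrieve DN from ticket."


def triage(lines):
    """Return one finding per mismatch line, classified by likely cause."""
    dn_failed = set()  # (pid, tid) pairs that already logged a DN failure
    findings = []
    for line in lines:
        head = HEAD.match(line)
        if not head:
            continue
        date, clock, pid, tid = head.groups()
        if DN_FAIL in line:
            dn_failed.add((pid, tid))
        hit = MISMATCH.search(line)  # the message appears twice; take the first
        if not hit:
            continue
        ticket_id, user_id = hit.groups()
        findings.append({
            "when": f"{date} {clock}",
            "ticket_identity": ticket_id,
            "user_identity": user_id,
            "dn_failure_seen": (pid, tid) in dn_failed,
            # An empty user identity is the condition this article covers;
            # a non-empty mismatch is a different case to review separately.
            "kind": "empty-user-identity" if user_id == "" else "identity-mismatch",
        })
    return findings


# Constructed sample lines in the smtracedefault.log layout, empty fields trimmed.
P = "[12/23/2022][10:34:02.1{}][10:34:02][2111][{}][SmAuthUser.cpp:784][ServerTrace][{}]"
SAMPLE = [
    P.format("84", "140644332857088", DN_FAIL),
    P.format("92", "140644332857088",
             "Ticket identity ('EXT2006940') and user identity ('') DO NOT MATCH - possible attack"),
    P.format("95", "140642386700032",
             "Ticket identity ('userA') and user identity ('userB') DO NOT MATCH - possible attack"),
    "not a trace line",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
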

 

Resolution

 

In the Policy Server, add the EnforceAttrUsage=Yes (1) parameter to the Active Response, for example:

  In an export of the Policy Store data in XML format, rewrite:

   <StringValue>&lt;@lib=&quot;libSiebelSSOAuth.so&quot; func=&quot;GetSSOTicket&quot; param=&quot;ATTR=myAttr;SECRET=password&quot; @&gt;</StringValue>

  as

   <StringValue>&lt;@lib=&quot;libSiebelSSOAuth.so&quot; func=&quot;GetSSOTicket&quot; param=&quot;ATTR=myAttr;SECRET=password;EnforceAttrUsage=yes; &quot; @&gt;</StringValue>

 

Additional Information

 

(1)

    EnforceAttrUsage

       Specifies that CA SSO Agent for Siebel does not ignore the value
       set in the ATTR attribute.

       Values: Yes, No