SiteMinder SSO : Prevent Account Harvesting by exploiting account lockout
Article ID: 271627


Prevent account harvesting that exploits the account lockout state.

Threat/Vulnerability Reported:


Username information is exposed in the URL when an account enters the lockout state defined by the Active Directory password policies.

CVA 0042

CWE 204


Environment:

Policy Server 12.8


Cause:

Because of the password policies on the AD, a failed login attempt triggers a password-services redirect, and the username is exposed in that redirect URL.


Resolution:

Use the smpwservices.fcc instead of the default login.fcc.

  1. Verify where the login FCC is being loaded from. From the WebAgentTrace logs:

[Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

  2. Go to the location C:\Program Files\CA\webagent\win64\samples/forms_en-US/

  3. Take a backup of login_en-US.fcc.

  4. Take a backup of login_en-US.unauth.

  5. Find the smpwservices_en-US.fcc file, duplicate it, and rename the copy to login_en-US.fcc.

  6. Duplicate the newly created login_en-US.fcc and rename the copy to login_en-US.unauth. Both login_en-US.fcc and login_en-US.unauth now have the same contents.

  7. Go to the Policy Server, Policies > Password > Password Policies, and modify the policy.

  8. Change the Redirection URL to /siteminderagent/forms/login.fcc and click Submit.

  9. On the Policy Server, open the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer.

  10. Find the registry value DisallowUsernameInURL; if it is not present, create it as a DWORD (32-bit) Value. Set the value to 1.

  11. Restart the Policy Server services.

After these steps the SMAuthReason code still appears in the URL. If that is acceptable, you can stop here.

If the SMAuthReason code is still considered a hint worth removing and you do not want it to appear in the URL, continue with the next steps.

  12. Modify the ACO to use SecureURL.

  13. Restart the Agent.
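To confirm that the change took effect, the following check can be run over the web server access logs. It is added here as an example and is not part of the KB article: it flags requests whose query string still carries a user name or the SMAuthReason code. The log lines are constructed, and the parameter name USER for the user name is an assumption; match it to what your WebAgentTrace log shows.

```python
# Added example (not from the KB article): flag access-log requests whose
# query string still exposes a user name or the SMAUTHREASON code after
# the DisallowUsernameInURL / SecureURL changes. The parameter name "USER"
# is an assumption; SMAUTHREASON is the code the article refers to.
from urllib.parse import parse_qs, urlsplit

LEAK_PARAMS = ("user", "smauthreason")


def find_url_leaks(line: str) -> list:
    """Return the leaking query-parameter names found in the request URL
    of one combined-format access-log line ([] when the URL is clean)."""
    try:
        request = line.split('"')[1]        # 'GET /path?query HTTP/1.1'
        url = request.split()[1]
    except IndexError:                      # malformed or non-request line
        return []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    present = {name.lower() for name in query}   # compare names case-insensitively
    return [p for p in LEAK_PARAMS if p in present]


def scan(lines) -> list:
    """Return (line_number, leaks) for every line that still leaks."""
    hits = []
    for number, line in enumerate(lines, 1):
        leaks = find_url_leaks(line)
        if leaks:
            hits.append((number, leaks))
    return hits


# Constructed sample lines: before the fix, after DisallowUsernameInURL=1,
# and an ordinary application request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /siteminderagent/forms/login.fcc?SMAUTHREASON=24&USER=jdoe&TARGET=%2Fapp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "GET /siteminderagent/forms/login.fcc?SMAUTHREASON=24&TARGET=%2Fapp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:06:00 +0000] "GET /app/index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, leaks in scan(SAMPLE_LOG):
        print(f"line {number}: still exposes {', '.join(leaks)}")
```

Once SecureURL is in place, a clean run over live logs should return no hits for the password-services form.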

Additional Information

You can also customize the message that appears on the screen, as described below.

Modify the login_en-US.fcc file to customize the account information message that is displayed.

Go to the below and provide a suitable message.