This is an integrated SiteMinder/IDM environment in which an IDM password policy is in use.
The password change URL target is: https://im-host.example.com/iam/im/SelfServiceDomain/ui/index.jsp?task.tag=PasswordServices
When an admin selects "user must change password" in the IDM console, then upon first login the user receives an error in smtracedefault.log ([** Status: Not Authenticated.]), even though the correct password was entered.
Is this expected?
Does this indicate a SiteMinder problem, since the user failed authentication by SiteMinder?
SiteMinder Policy Server: 12.8.7
IDM Server: 14.5
IDM user store: Database.
The product is working as designed. The cause lies in the local IDM environment configuration.
While testing IDM tracking of international users, an IDM attribute 'IsAutomatedIntlProofing' was at some point introduced into the IM environment's directory.xml.
The attribute "IsAutomatedIntlProofing" was added to the IDM directory.xml, but the corresponding column was never added to the actual IDM user store DB.
Because this DB column is missing, the DB SQL query fails with an error in the SiteMinder Policy Server trace, and subsequently IDM never receives the user attribute it was looking for:
[Microsoft SQL Server]Invalid column name 'IsAutomatedIntlProofing'.][][][][][][][ODBC Error: State = 42S22 Internal Code = 207 - s - MappedResult:-4007
The query never returns the intended result. This error aligns with the IDM-side IM.log error:
10:20:07,382 WARN [ims.ui] orig SMTOKEN : $SM${AES}3ldq..........................
10:20:07,382 DEBUG [ims.tasktrack.LLSDK] Sending server reqest with ID: 161 for method [getUserFromSMTOKEN]
10:20:07,509 DEBUG [ims.tasktrack.LLSDK] Receiving server response for request with ID:161
10:20:07,509 DEBUG [ims.ui] Exception getting administrator ($SM${AES}3ldq....................)
com.netegrity.llsdk6.imsapi.exception.NoSuchObjectException: No items found
..
10:20:07,511 WARN [ims.ui] Unable to determine user from SiteMinder token: No items found
In an environment that does not have this IDM attribute change, there is no such SQL error and the password change works fine.
The user failing authentication by SiteMinder during the IDM password change is expected behavior.
When an admin selects "user must change password" in the IDM console, the first authentication will always fail. At the same time, smauthreason is set to 20, which means "user must change password".
Subsequently, the agent directly calls IDM at https://im-host.example.com/iam/im/SelfServiceDomain/ui/index.jsp?task.tag=PasswordServices&SMENC=UTF-8&SMTOKEN={AES}BoN...; the Policy Server responds with [** Status: Protected. ] but grants access, since this is anonymous authentication.
Next, it is up to the IDM component to decode the user identity from the SMTOKEN by contacting the Policy Server via an LLSDK call, and to take it to the next stage of the data flow.
The IDM user store DB query failure on the Policy Server side meant that IDM was unable to retrieve the user identity using the SMTOKEN.
Hence everything stops here: the user is logged out by IDM and redirected back to the login page.
One option to fix this issue is to add the missing column, IsAutomatedIntlProofing, to the user table, so that the directory.xml configuration matches the DB columns.
Alternatively, drop the IME environment and directory completely and recreate the whole IDM environment without the IDM attribute 'IsAutomatedIntlProofing'.
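The mismatch above (an attribute mapped in directory.xml with no backing column in the ODBC user store) can be caught before the Policy Server query ever fails. The following check is an added example, not part of this article or of the IDM product: it parses a constructed, simplified directory.xml fragment (the ImsManagedObject / ImsManagedObjectAttr element names and the physicalname attribute are an approximation of the real file and should be adjusted to the environment's actual directory.xml), compares the mapped physical column names against a constructed column list standing in for the result of a query on INFORMATION_SCHEMA.COLUMNS, and builds the ALTER TABLE statement an admin would review before running it. The NVARCHAR(255) NULL column type is an assumption.

```python
"""Compare the attributes mapped in an IDM directory.xml against the columns
that actually exist in the ODBC user store table.

The directory.xml fragment and the column list below are constructed for this
example; the element/attribute names (ImsManagedObject, ImsManagedObjectAttr,
physicalname) are a simplified approximation of the real file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed directory.xml fragment (simplified, hypothetical structure).
DIRECTORY_XML = """<?xml version="1.0"?>
<ImsDirectory name="ODBC-UserStore">
  <ImsManagedObject name="USER" physicalname="tblUsers">
    <ImsManagedObjectAttr physicalname="loginid" wellknown="%USER_ID%"/>
    <ImsManagedObjectAttr physicalname="password" wellknown="%PASSWORD%"/>
    <ImsManagedObjectAttr physicalname="email"/>
    <ImsManagedObjectAttr physicalname="IsAutomatedIntlProofing"/>
  </ImsManagedObject>
</ImsDirectory>
"""

# Constructed stand-in for the result of:
#   SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'tblUsers'
# on the SQL Server user store; the missing column reproduces the KB scenario.
DB_COLUMNS = ["loginid", "password", "email"]


def mapped_attributes(xml_text):
    """Return {physical table name: [physical column names]} declared in directory.xml."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for obj in root.iter("ImsManagedObject"):
        table = obj.get("physicalname")
        cols = [a.get("physicalname")
                for a in obj.iter("ImsManagedObjectAttr")
                if a.get("physicalname")]
        mapping[table] = cols
    return mapping


def missing_columns(mapped_cols, db_columns):
    """Columns referenced in directory.xml that the DB table does not have.

    SQL Server identifiers are case-insensitive under the default collation,
    so the comparison is case-folded to avoid false alarms.
    """
    have = {c.lower() for c in db_columns}
    return [c for c in mapped_cols if c.lower() not in have]


def alter_statement(table, column, sql_type="NVARCHAR(255) NULL"):
    """Build the ALTER TABLE statement for review before it is run.

    Identifiers are validated against a strict pattern so that nothing from the
    XML can smuggle extra SQL into the generated statement. The column type is
    an assumption; use the type the attribute really needs.
    """
    for ident in (table, column):
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", ident):
            raise ValueError(f"unsafe identifier: {ident!r}")
    return f"ALTER TABLE [{table}] ADD [{column}] {sql_type};"


def check(xml_text=DIRECTORY_XML, db_columns=DB_COLUMNS):
    """Return {table: (missing columns, suggested ALTER statements)}."""
    report = {}
    for table, cols in mapped_attributes(xml_text).items():
        missing = missing_columns(cols, db_columns)
        report[table] = (missing, [alter_statement(table, c) for c in missing])
    return report


if __name__ == "__main__":
    for table, (missing, fixes) in check().items():
        if not missing:
            print(f"{table}: directory.xml and DB columns match")
            continue
        print(f"{table}: columns mapped in directory.xml but absent from DB: {missing}")
        for stmt in fixes:
            print("  review and run:", stmt)
```

In a real environment, replace DB_COLUMNS with the rows returned by the INFORMATION_SCHEMA.COLUMNS query against the user store, and point the parser at the exported directory.xml; any column the script reports corresponds to the ODBC state 42S22 ("Invalid column name") failure seen in the Policy Server trace.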
Other possible root causes and troubleshooting steps already explored are listed below:
Verify the username in the IDM password task screen and ensure it corresponds to the correct attributes in directory.xml.
IDM data object corruption: do not edit an IDM object via the SiteMinder admin UI if the object was originally created by the IDM console or by deployment.