Administrator Cannot Log In to Adminui Directly after Configuring Adminui External Authentication Store
After configuring the adminui external authentication store for the first time, a user cannot log in to the adminui with any of the following:
1) The SiteMinder superuser password
2) The superuser specified during the configuration
3) Any account in the directory just configured
WAMUI: 12.8.x
The DisabledState field, which is required in the external authentication store setup, is a CA Single Sign-On (SiteMinder) managed field and must be mapped to a field that is EMPTY or NOT externally managed.
In short, this field must not already contain data when you specify it in the external authentication store configuration, because CA Single Sign-On (SiteMinder) stores user information in it.
The only exception is if you use the same field for DisabledState in other external authentication stores.
In order to re-do the external authentication store configuration wizard, please perform the following steps:
1) Stop the Administrative UI Service.
2) Delete the adminui data folder.
This is located under <InstallLocation>\CA\Siteminder\adminui\server\default\ or <InstallLocation>\CA\Siteminder\adminui\standalone\
3) Re-register the adminui on the Policy Server machine by running the following from the command line:
XPSRegClient siteminder:yourpassword -adminui-setup
Note: Substitute the SiteMinder superuser password for "yourpassword" above.
4) Start the adminui service.
5) Log in to the adminui using the credentials from step 3.
6) In the adminui, restart the External Authentication Store Wizard.
Once the wizard can be re-run, at the DisabledState option, make sure to use a field in the external LDAP such as JPEGPhoto or LicencePlate (assuming they are not actually populated) for the DisabledState field in the external authentication store setup wizard.
If an empty field does not exist, please have the LDAP administrators create one.
CA Single Sign-On (SiteMinder) will use this field to store information about the user account.
Once configured, please let admins know that no other data can be stored in this field; otherwise, users will end up locked out again.
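A pre-flight check for the attribute choice above, as an added example that is not part of the original article or of CA's tooling: it parses an LDIF export of the user branch and lists the entries that already hold data in a candidate DisabledState attribute. The sample LDIF is constructed, and carLicense and jpegPhoto are the standard inetOrgPerson attribute names assumed here as candidates.

```python
import base64
# Constructed sample LDIF export (illustrative entries, not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
carLicense: ABC-123

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
carLicense:

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
jpegPhoto:: cGhv
 dG8=
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [bytes, ...]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        # Drop options such as ";binary"; attribute names are case-insensitive.
        current.setdefault(name.split(";")[0].lower(), []).append(value)
    return entries

def populated_entries(ldif_text, attribute):
    """Return the DNs of entries that already hold data in `attribute`."""
    return [e["dn"][0].decode() for e in parse_ldif(ldif_text)
            if any(e.get(attribute.lower(), []))]

if __name__ == "__main__":
    for candidate in ("carLicense", "jpegPhoto", "description"):
        print(candidate, populated_entries(SAMPLE_LDIF, candidate) or "unused")
```

An empty result for a candidate means no exported entry holds data in it, so it is usable for DisabledState; any DN returned means the attribute is already populated and should not be selected in the wizard.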