I am running Policy Server with Active Directory as User Store. When a user account returns userAccountControl = 512 and msDS-User-Account-Control-Computed = 16 (which is actually 528, Enabled - lockout), then instead of having SMAUTHREASON = 24, I only have SMAUTHREASON = 7. Why?
This behavior is as designed.
You need to understand first that:
"The directory server's own account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that."
As SiteMinder depends on the behavior of the User Store, it will compute the SMAUTHREASON according to whether it can access the account with the provided username and password:
"When the user is disabled in Directory Server (both LDAP and AD), then irrespective of SM configuration user is not allowed to login.
This is because SM "binds" to LDAP with the supplied credentials. This is the same for AD & LDAP as well. For example, if a user is disabled in SunOne LDAP (right click the user in the SunOne console and make it inactive), the "bind" would fail - which means SM can't authenticate that user anymore."
So, if the account is locked as you stated:
528 Enabled - lockout
then SiteMinder will consider the account as "Admin disable", as it cannot access it because it is locked. When
"the reason "Admin disable" is set, then you will get SmAuthReason 7, as "Admin disable" is given precedence over any other type of reason."
If you want finer-grained behavior, you need to use only SiteMinder values for the User Store's password data, or let SiteMinder control the password data.
Further readings related to this topic:
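The following is an added example (not part of the KB article or of SiteMinder's own code) that decodes the two AD attributes quoted in the question and models the precedence rule the answer describes: once the directory refuses to bind the account, "Admin disable" (7) wins over any finer-grained reason. The flag constants are Microsoft's documented userAccountControl bits; the reason-mapping function is a simplified assumption, not SiteMinder's implementation.

```python
# Added example: decode AD account-control bits and model the SmAuthReason
# precedence described in the article. Not SiteMinder code.

# Well-known userAccountControl bits (Microsoft ADS_USER_FLAG values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

SMAUTHREASON_NONE = 0           # authentication succeeded
SMAUTHREASON_ADMIN_DISABLE = 7  # "Admin disable", as the article states


def decode_uac(value: int) -> list[str]:
    """Return the names of the bits set in a userAccountControl-style value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def effective_uac(user_account_control: int, computed: int) -> int:
    """AD keeps stable bits in userAccountControl and reports volatile ones
    (LOCKOUT, PASSWORD_EXPIRED) in msDS-User-Account-Control-Computed, so the
    account's real state is the OR of both attributes."""
    return user_account_control | computed


def siteminder_auth_reason(user_account_control: int, computed: int) -> int:
    """Simplified model (assumption): if the directory will not bind the
    account (disabled or locked), SiteMinder only sees a failed bind and
    'Admin disable' (7) takes precedence over any finer-grained reason."""
    state = effective_uac(user_account_control, computed)
    if state & (0x0002 | 0x0010):
        return SMAUTHREASON_ADMIN_DISABLE
    return SMAUTHREASON_NONE


if __name__ == "__main__":
    uac, computed = 512, 16  # values quoted in the question
    state = effective_uac(uac, computed)
    print(state, decode_uac(state))               # 528 ['LOCKOUT', 'NORMAL_ACCOUNT']
    print(siteminder_auth_reason(uac, computed))  # 7
```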