Policy Server :: Active Directory : SmAuthReason

Article ID: 48804

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

I am running Policy Server with Active Directory as the User Store. When a user account returns userAccountControl = 512 and msDS-User-Account-Control-Computed = 16 (which is actually 528, Enabled - lockout), then instead of having SMAUTHREASON = 24, I only have SMAUTHREASON = 7. Why?

Solution:

This behavior is as designed.

You need to understand first that:

"The directory server's own account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that."

(https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC564874)

Because SiteMinder depends on the behavior of the User Store, it computes SMAUTHREASON according to whether it can access the account at all, that is, whether the directory accepts a bind with the supplied username and password:

"When the user is disabled in the Directory Server (both LDAP and AD), then irrespective of SM configuration the user is not allowed to login.

This is because SM "binds" to LDAP with the supplied credentials. This is the same for AD and LDAP as well. For example, if a user is disabled in SunOne LDAP (right click the user in the SunOne console and make it inactive), the "bind" would fail - which means SM can't authenticate that user anymore."

(https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC564874)

So if the account is locked out as you describe, that is

userAccountControl = 512 (NORMAL_ACCOUNT, enabled)
and
msDS-User-Account-Control-Computed = 16 (LOCKOUT)

giving the effective value 528 (Enabled - lockout), then the directory refuses the bind. SiteMinder cannot access the account, so it treats the account as "Admin disable". When

"the reason "Admin disable" is set, then you will get SmAuthReason 7, as "Admin disable" is given precedence over any other type of reason."

(https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC573873)

If you want a finer-grained reason, you need to let SiteMinder control the password data for the User Store, that is, rely only on SiteMinder's own password state rather than the directory's native lockout. Only then is it SiteMinder, and not the directory, that decides whether the account is locked, and only then can it report a more specific SmAuthReason.
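To check what the directory itself reports before looking at SiteMinder, the following decoder combines the two attributes from the question and applies the precedence rule the article describes. This is an added example, not code from the CA article or from the SiteMinder product; the flag bits are the documented userAccountControl (UF_*) values, the LDIF entry is constructed, and the rule "a disabled or locked-out account cannot bind, and a refused bind is reported as SmAuthReason 7" is a simplifying model of the article's explanation. All function names are mine.

```python
"""Decode the Active Directory account flags behind the article's 528 example.

Added example, not code from the CA article or the SiteMinder product. It
assumes only the documented userAccountControl flag bits and models the
article's rule that a bind refused by the directory is reported as
SmAuthReason 7 ("Admin disable"); function names and sample data are mine.
"""

# Documented userAccountControl (UF_*) flag bits.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_LOCKOUT: "LOCKOUT",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

# AD does not store lockout or password-expired state in userAccountControl;
# it exposes them only through the constructed attribute
# msDS-User-Account-Control-Computed, which is why the question sees 512 + 16.
SM_AUTHREASON_ADMIN_DISABLE = 7  # value quoted in the article

# Constructed sample in the shape ldapsearch prints (not captured from a real DC).
SAMPLE_LDIF = """\
dn: CN=jdoe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
userAccountControl: 512
msDS-User-Account-Control-Computed: 16
"""


def parse_ldif_entry(text):
    """Parse one LDIF-style entry into a dict; purely numeric values become ints."""
    entry = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        entry[key.strip()] = int(value) if value.isdigit() else value
    return entry


def effective_uac(user_account_control, computed):
    """Stored flags OR computed flags: 512 | 16 == 528, the 'Enabled - lockout' value."""
    return user_account_control | computed


def decode_flags(value):
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def directory_blocks_bind(user_account_control, computed):
    """True when the directory itself will refuse a simple bind as this user.

    Simplifying assumption: a disabled or locked-out account cannot bind. That
    is the situation the article says no SiteMinder configuration can override.
    """
    uac = effective_uac(user_account_control, computed)
    return bool(uac & (UF_ACCOUNTDISABLE | UF_LOCKOUT))


def sm_auth_reason(user_account_control, computed):
    """Model of the article's precedence rule.

    If the directory refuses the bind, SiteMinder reports "Admin disable"
    (SmAuthReason 7) regardless of any finer reason its own password services
    would have produced. Otherwise the reason is left to SiteMinder (None here;
    the article does not enumerate those codes).
    """
    if directory_blocks_bind(user_account_control, computed):
        return SM_AUTHREASON_ADMIN_DISABLE
    return None


def account_status(ldif_text):
    """Combine both attributes from an LDIF entry and report what SiteMinder will see."""
    entry = parse_ldif_entry(ldif_text)
    stored = entry.get("userAccountControl", 0)
    computed = entry.get("msDS-User-Account-Control-Computed", 0)
    effective = effective_uac(stored, computed)
    return {
        "dn": entry.get("dn"),
        "effective": effective,
        "flags": decode_flags(effective),
        "directory_blocks_bind": directory_blocks_bind(stored, computed),
        "sm_auth_reason": sm_auth_reason(stored, computed),
    }


if __name__ == "__main__":
    print(account_status(SAMPLE_LDIF))
```

Feed it the output of an ldapsearch that requests both userAccountControl and msDS-User-Account-Control-Computed for the user; if directory_blocks_bind comes back True, the reason code is decided by the directory and SiteMinder's Password Services settings will not change it.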

Further reading related to this topic:

https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC557680

https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC480272

Environment

Component: SMPLC