Policy Server :: Active Directory : Password Policies

Article ID: 48927

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

I am running Policy Server with Active Directory as the User Store,
using Password Services. When a user sets a new password through
SiteMinder, the native Active Directory password policy for re-using
an old password is not applied, so the user can set an old password on
the SiteMinder side, but not when setting it through Active Directory.

How can I fix this?

Environment

SiteMinder all versions

Resolution

The problem comes from the fact that you are using both password
policies at the same time, i.e. the SiteMinder one and the Active
Directory one.

First, you need to understand that:

User Store :: Disable Flag : Behavior among AD and LDAP

  "The directory server's own account status takes precedence over
  anything SiteMinder might configure. Therefore, if the user is
  disabled in Active Directory, no amount of SiteMinder configuration can
  fix that."

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=49860

Further, per the documentation, the directory's native password policy
must be disabled (or be less restrictive) if you want SiteMinder to
manage passwords:

  Password Policy Considerations

  If you plan to implement password policies in your enterprise,
  consider the following items:

  - CA Single Sign-on requires read/write access to the user directory,
    including exclusive use of several attributes within that directory
    to store passwords and password–related information.

  [...]

  - If your user directory has a native password policy, this policy
    must be less restrictive than the password policy or it must be
    disabled. Otherwise the native password policy accepts or rejects
    passwords without notifying CA Single Sign-on. Therefore, CA Single
    Sign-on cannot manage those passwords.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/password-services-and-policies/how-to-configure-password-policies.html

Because SiteMinder depends on the behavior of the User Store, the
following article lists the attributes managed by the Policy Server in
both non-enhanced and enhanced AD mode; use it to align SiteMinder
Password Services with Active Directory:

  What are the AD native attributes managed by the SiteMinder policy server?
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=50153

So to handle expired passwords, locked accounts or the disabled flag,
you have to map each AD attribute to the corresponding SiteMinder one.
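To make that mapping concrete, here is an added example (not from this article or from CA/Broadcom) that decodes the native AD attributes behind the "expired", "locked" and "disabled" states so they can be compared with the SiteMinder-side flags. The attribute names and userAccountControl bits are standard Active Directory; the sample entries, the fixed "now" and the policy durations are constructed.

```python
# Added example, not from this article or from CA/Broadcom: decode the native
# Active Directory attributes behind "expired password", "locked" and "disabled"
# so they can be compared with the SiteMinder-side flags. Attribute names and
# userAccountControl bits are standard AD; the sample values are constructed.
from datetime import datetime, timedelta, timezone
ACCOUNTDISABLE = 0x0002         # userAccountControl: account is disabled
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet / lockoutTime are 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def ad_account_status(entry, max_pwd_age, lockout_duration, now):
    """Status AD itself enforces, whatever SiteMinder is configured to do (policy values as timedeltas)."""
    uac = int(entry.get("userAccountControl", 0))
    pwd_last_set = int(entry.get("pwdLastSet", 0))
    lockout_time = int(entry.get("lockoutTime", 0))
    disabled = bool(uac & ACCOUNTDISABLE)
    # lockoutTime is 0 when not locked; a lockout older than lockoutDuration has lapsed
    locked = lockout_time != 0 and now - filetime_to_datetime(lockout_time) < lockout_duration
    if uac & DONT_EXPIRE_PASSWORD:
        expired, must_change = False, False
    elif pwd_last_set == 0:
        expired, must_change = False, True   # "must change password at next logon"
    else:
        expired = now - filetime_to_datetime(pwd_last_set) > max_pwd_age
        must_change = False
    return {"disabled": disabled, "locked": locked,
            "password_expired": expired, "must_change_password": must_change}

# Constructed sample: fixed "now", 90-day maxPwdAge, 30-minute lockoutDuration.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
def ft_ago(**kw):
    return datetime_to_filetime(SAMPLE_NOW - timedelta(**kw))
SAMPLE_ENTRIES = {
    "disabled":  {"userAccountControl": 0x202, "pwdLastSet": ft_ago(days=10)},
    "locked":    {"userAccountControl": 0x200, "pwdLastSet": ft_ago(days=10), "lockoutTime": ft_ago(minutes=5)},
    "lapsed":    {"userAccountControl": 0x200, "pwdLastSet": ft_ago(days=10), "lockoutTime": ft_ago(hours=2)},
    "expired":   {"userAccountControl": 0x200, "pwdLastSet": ft_ago(days=100)},
    "never_exp": {"userAccountControl": 0x10200, "pwdLastSet": ft_ago(days=100)},
    "must_chg":  {"userAccountControl": 0x200, "pwdLastSet": 0},
}

def evaluate_samples():
    return {name: ad_account_status(e, timedelta(days=90), timedelta(minutes=30), SAMPLE_NOW)
            for name, e in SAMPLE_ENTRIES.items()}
```

Call `evaluate_samples()` to see each constructed entry's status; "lapsed" shows that a stale lockoutTime past lockoutDuration no longer counts as locked, which is the kind of difference that has to be reconciled with the SiteMinder flag.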

Further reading:

When using Enhanced Active Directory Integration, the following
prerequisites must be met:

  Pre-requisites for enhanced Active Directory integration
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=54428

General considerations on Password Services with Enhanced Active
Directory Integration:

  User Attributes - Inside Active Directory
  http://www.kouti.com/tables/userattributes.htm

Note that CA delivers the Advanced Password Services (APS) module,
which gives finer control of SiteMinder Password Services with Active
Directory:

  Microsoft Active Directories

  APS does support Microsoft Active Directory and this support is
  provided using its LDAP interface. However, because Active Directory
  deviates so extensively from the LDAP specification, APS contains a
  significant amount of special processing and thus Active Directory is
  discussed in its own section.

  APS supports Microsoft Active Directories running in LDAP mode only.
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/advanced-password-services-configuration/user-directories-schema-storage-and-capabilities/microsoft-active-directories.html

Attachments

1558534991865TEC589990.zip