ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to stop processing authentication from other user stores configured in the domain even if it hits a disabled user?


Article ID: 51159


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



Policy Server used to stop processing Authentication to other User Stores, once user disabled status is returned. Now this behavior can be changed by sertting a new Registry setting 'ReturnOnDisabledUser'.


IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create a back up of the registry and ensure that you understand how to restore the registry if a problem may occur.
For information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on

A registry setting 'ReturnOnDisabledUser' has been added that will decide on weather Policy Server will continue to process authentication to other user stores if it hits a disabled user.
Add the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\ReturnOnDisabledUser = 1
ReturnOnDisabledUser = 1:
On finding the user disabled in first user store, Policy server would not look into other configured UDs and declare the user as "Not Authenticated".
ReturnOnDisabledUser = 0:
If the user is found disabled, Policy Server will continue to lookup through the other configured user stores and mark the status as "Not Authenticated" only if user is disabled in all user stores

This is applicable for LDAP user stores, from siteminder policy server version-R12 SP2 CR1 onwards.


Component: SMPLC