Policy Server to stop processing User Stores when user is disabled

Article ID: 51159

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

 

Previously, the Policy Server stopped processing authentication against
the other User Stores as soon as a disabled-user status was returned.
This behavior can now be changed with a new registry setting,
'ReturnOnDisabledUser'.

 

Resolution

 

IMPORTANT: This article contains information about modifying the
registry.

Before modifying the registry, create a backup of the registry and make
sure that you understand how to restore it if a problem occurs.

For information about how to back up, restore, and edit the registry,
please review the relevant Microsoft Knowledge Base articles on
support.microsoft.com.

A registry setting 'ReturnOnDisabledUser' has been added. It determines
whether the Policy Server continues to process authentication against
the other User Stores when it encounters a disabled user.

Add the registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\ReturnOnDisabledUser = 1
  ReturnOnDisabledUser=                    0x1; REG_DWORD

ReturnOnDisabledUser = 1:

  On finding the user disabled in the first User Store, the Policy Server
  does not search the other configured user directories (UDs) and
  declares the user "Not Authenticated".

ReturnOnDisabledUser = 0:

  If the user is found disabled, the Policy Server continues searching
  the other configured User Stores and marks the status as
  "Not Authenticated" only if the user is disabled in all User Stores.

This applies to LDAP User Stores, from SiteMinder Policy Server
12SP2CR1 onwards.
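
The backup-then-set procedure above as a PowerShell script. This is an added example, not part of the original article; it assumes an elevated session on a Windows Policy Server host, and the backup directory is a hypothetical location.

```powershell
# Added example, not from the original article.
# Assumption: run from an elevated PowerShell session on the Policy Server host.
$keyPath   = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer'
$regPath   = 'HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer'
$valueName = 'ReturnOnDisabledUser'
$desired   = 1                     # 1 = stop at the first disabled user, 0 = keep searching
$backupDir = 'C:\RegistryBackups'  # hypothetical backup directory

# Refuse to create the key from scratch: a missing key means the wrong host or path.
if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $keyPath"
}

# 1. Export the PolicyServer key so the change can be rolled back.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir ("PolicyServer-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $regPath $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry export failed; no change was made."
}

# 2. Record the current value (absent on systems where it was never set).
$key = Get-Item -Path $keyPath
$previous = $key.GetValue($valueName, $null)
if ($null -eq $previous) {
    Write-Output "$valueName was not set."
} else {
    Write-Output "$valueName was $previous."
}

# 3. Create or overwrite the value as a REG_DWORD.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $desired -Force | Out-Null

# 4. Read the value back and confirm both its data and its type.
$key    = Get-Item -Path $keyPath
$actual = $key.GetValue($valueName)
$kind   = $key.GetValueKind($valueName)
if ($actual -ne $desired -or $kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
    throw "Verification failed: $valueName = $actual ($kind)"
}
Write-Output "$valueName = $actual ($kind). Backup written to $backupFile"
```

To roll back, import the exported file with `reg.exe import` followed by the backup file path.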