
Policy Server to stop processing User Stores when user is disabled


Article ID: 51159


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER



Policy Server used to stop processing authentication against other User
Stores once a user-disabled status was returned. This behavior can now
be changed by setting a new registry setting, 'ReturnOnDisabledUser'.




IMPORTANT: This article contains information about modifying the

Before modifying the registry, make sure to create a backup of the
registry and ensure that you understand how to restore the registry if
a problem occurs.

For information about how to back up, restore, and edit the registry,
please review the relevant Microsoft Knowledge Base articles on

A registry setting 'ReturnOnDisabledUser' has been added. It will
decide whether Policy Server will continue to process authentication
to other user stores if it hits a disabled user.

Add the registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\ReturnOnDisabledUser = 1
  ReturnOnDisabledUser=                    0x1; REG_DWORD

ReturnOnDisabledUser = 1:

  On finding the user disabled in the first User Store, Policy Server
  does not look into the other configured user directories (UDs) and
  declares the user "Not Authenticated".

ReturnOnDisabledUser = 0:

  If the user is found disabled, Policy Server continues to look
  through the other configured User Stores and marks the status as
  "Not Authenticated" only if the user is disabled in all User Stores.

This applies to LDAP User Stores, from SiteMinder Policy Server
12SP2CR1 onwards.
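
One way to apply and verify the setting from an elevated PowerShell session, as an added example that is not part of the original article: it exports the PolicyServer key as a backup, writes the REG_DWORD and reads it back. The registry path and value name come from the article; the script parameters (`Value`, `BackupDir`) and the backup file name are assumptions.

```powershell
# Added example (not vendor code). Save as a .ps1 and run elevated on the Policy Server host.
param(
    [ValidateRange(0, 1)]
    [int]$Value = 1,                 # 1 = stop at the first disabled user, 0 = keep searching
    [string]$BackupDir = $env:TEMP   # assumed backup location; change to suit
)

$ErrorActionPreference = 'Stop'
$regPath = 'HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer'  # path from the article
$keyPath = "Registry::HKEY_LOCAL_MACHINE\$($regPath.Substring(5))"
$name    = 'ReturnOnDisabledUser'

if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $regPath"
}

# 1. Back up the whole PolicyServer key before touching it.
$backup = Join-Path $BackupDir ("PolicyServer-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }

# 2. Record the current value; $null means the value was not set before.
$before = (Get-Item -Path $keyPath).GetValue($name, $null)

# 3. Create or overwrite the value as REG_DWORD.
New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value $Value -Force | Out-Null

# 4. Read it back and confirm both the data and the type.
$key   = Get-Item -Path $keyPath
$after = $key.GetValue($name, $null)
$kind  = $key.GetValueKind($name)
if ($after -ne $Value -or $kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
    throw "Verification failed: $name = $after ($kind)"
}

# Behaviour as described in the article for each value.
$meaning = if ($Value -eq 1) {
    'Stops at the first User Store that reports the user disabled'
} else {
    'Continues to other User Stores; rejected only if disabled in all of them'
}

[pscustomobject]@{
    Backup   = $backup
    Previous = $before
    Current  = $after
    Type     = $kind
    Meaning  = $meaning
}
```

To undo the change, import the exported `.reg` file with `reg.exe import`.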