Password expired in Active Directory allows Authentication and Authorization

book

Article ID: 7196

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

In a Policy server 12.52 SP1 CR1 with Microsoft Active Directory 2008 User Directory with enhanced AD integration enabled and LDAP Name space, we expect the login with an expired account to be redirected to the password change page. Instead, when we use the password expired login, we get successfully authenticated and authorized. No redirection to the password change page is done. How can we fix this ?

 

Cause

It was found that there's a special handling for this Password Expired (data 532) case and from the code it seems that we expect the redirection to the password change page which is NOT happening. The caller of this function seems to be ignoring the nReason here and just does the user authentication based on the Boolean return value (true)

Environment

Policy Server 12.52 SP1 CR1User Directory Microsoft Active Directory 2008Enhance AD integration enabled.LDAP Name space used.Fine grained password policy used on AD with Users Account Password is Expired in AD, such that user attribute is set as follows :o msDs-User-Account-Control-Computed = n = (Password_Expired)o userAccountControl =0X200 = Normal_Account

Resolution

In order to support AD password policy to send exact authreasons as received from AD a new 

registry key has been added :

 

ADPasswordPolicyPrioritySet under HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

ADPasswordPolicyPrioritySet Type: DWord Value: 1 for enable, 0 for disable 

When this registry is set with 1 , AD password policy will be activated at SM to send the authreasons accordingly
 
This new key is available from Policy Server 12.52 SP1 CR05