getUserFromSMTOKEN fails with Exception getting administrator

Article ID: 7830

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

When integrated with SiteMinder policy server, Identity Manager intermittently throws the following errors when performing tasks that change the user password.

[12/11/16 8:58:42:596 EST] 00000122 SystemOut O 08:58:42,596 DEBUG [ims.tasktrack.LLSDK] Sending server reqest with ID: 19 for method [getUserFromSMTOKEN]
[12/11/16 8:58:42:659 EST] 00000122 SystemOut O 08:58:42,659 DEBUG [ims.tasktrack.LLSDK] Receiving server response for request with ID:19
[12/11/16 8:58:42:659 EST] 00000122 SystemOut O 08:58:42,659 DEBUG [ims.ui] Exception getting administrator ($SM${RC2}Yt5wh5ozldpnf/8f8Ze3WpQoKzcWW01JGZaNo8oQkL3lf8Q7QDB7AMmzFpgBFQ+snrYQO/K2WjO91vKbcRoqnyB6sakoGeVX1HIVc4+lG60=)
[facility=4 severity=2 reason=0 status=38 message=No items found] 

Environment

Any Identity Manager version that is integrated with SiteMinder, where more than one policy server may be authenticating users against the user directory in question.

Cause

SiteMinder user directories can be configured so that Identity Manager handles password changes for their users. In this configuration, a user may log in to a SiteMinder-protected resource and then be forced to reset their password because of password expiration or some other policy that forces a password change. In these cases, the user is authenticated and issued an SMTOKEN value by the policy server. The user is then redirected to a public page on the Identity Manager server that is associated with this user directory. Identity Manager takes the SMTOKEN value and asks the policy server to validate it and return the username whose password needs to be reset.

In some cases the policy server that Identity Manager asks to validate the SMTOKEN value is NOT the policy server that issued the token. This can happen when multiple policy servers protect different resources and those policy servers share a key store, so any of them can decrypt the token.

Because the SMTOKEN value has a limited lifespan, this error can occur when the system clocks of those policy servers are not in sync: a token that is still valid according to the issuing server's clock may already appear expired (or not yet valid) to the validating server.
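To make the failure mode concrete, the following is an added Python model written for this article. It is not CA Identity Manager or SiteMinder code and does not reproduce the real SMTOKEN format; it assumes a simplified token (a signed payload with issued-at and expiry timestamps), a constructed shared key, a 300-second lifetime, a constructed username, and a small redirect delay. The point it shows is that a validating server whose clock is skewed from the issuing server by more than the token lifetime rejects a perfectly good token even though the signature checks out.

```python
"""Simplified model of a time-limited SSO token issued by one server and
validated by another that shares the same key (constructed example; not
CA SiteMinder code and not the real SMTOKEN format)."""
import base64
import binascii
import hashlib
import hmac
import json

TOKEN_LIFETIME_S = 300  # assumed token lifespan for this model


def issue_token(shared_key: bytes, username: str, issuer_now: float) -> str:
    """Build a token stamped with the ISSUING server's clock and MAC it
    with the shared key, so any server holding that key can verify it."""
    issued_at = int(issuer_now)
    payload = {"user": username, "iat": issued_at,
               "exp": issued_at + TOKEN_LIFETIME_S}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(shared_key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def validate_token(shared_key: bytes, token: str, validator_now: float):
    """Verify the MAC, then judge the lifetime using the VALIDATING
    server's clock. Returns (username, "ok") or (None, reason)."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None, "malformed token"
    expected = hmac.new(shared_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None, "bad signature"
    payload = json.loads(body)
    now = int(validator_now)
    if now > payload["exp"]:
        # The issuer thinks the token is fine; this server's clock is ahead.
        return None, f"expired: validator clock is {now - payload['exp']}s past exp"
    if now < payload["iat"]:
        # This server's clock is behind the issuer's.
        return None, f"not yet valid: validator clock is {payload['iat'] - now}s before iat"
    return payload["user"], "ok"


def simulate(issuer_offset_s: float, validator_offset_s: float,
             redirect_delay_s: float = 5.0):
    """Issue on a server whose clock is off by issuer_offset_s, then validate
    on a second server whose clock is off by validator_offset_s, after the
    user has taken redirect_delay_s to arrive at Identity Manager."""
    true_now = 1_700_000_000.0          # constructed reference time
    key = b"constructed-shared-key-store-value"
    token = issue_token(key, "jsmith", true_now + issuer_offset_s)  # constructed user
    return validate_token(key, token, true_now + redirect_delay_s + validator_offset_s)


if __name__ == "__main__":
    print("clocks in sync:        ", simulate(0, 0))
    print("validator 10 min ahead:", simulate(0, 600))
    print("validator 10 min behind:", simulate(0, -600))
```

Running the block shows the healthy case returning the username, while a validator whose clock is ten minutes ahead of the issuer reports the token as expired and one ten minutes behind reports it as not yet valid. In both skewed cases the signature is fine, which is why the symptom looks intermittent in production: it depends on which policy server happens to receive the validation call.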

Resolution

To resolve this problem, all of the Policy Server machines in the scenario should have their system clocks synchronized against a common time server at the OS level. Please consult your OS documentation for further information on how to do this.