How to resolve the "Error: Exception User might not have required permissions to get group information" when logging into the R12.52 SP1 ProxyUI.


Article ID: 41809


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Symptoms:

When logging into the R12.52 SP1 Single Sign-On (fka SiteMinder) Access Control Gateway (fka Secure Proxy Server) ProxyUI, an error message is displayed stating "Error: Exception User might not have required permissions to get group information", and the ProxyUI logs show the following error: "ERROR - com.ca.sps.adminui.xpsclient.XPSConnection - Unable to establish administration context." If I then navigate to the "Administration" tab, click the "Group Configuration" link and click the "Add" button, the following error is displayed: "Error: Unable to Add a Group".

 

Environment:

R12.52 SP1 Single Sign-On (fka SiteMinder) Policy Server

R12.52 SP1 Single Sign-On Access Control Gateway (fka Secure Proxy Server)

 

Cause:

If the user logging into the ProxyUI is authenticated/authorized from a User Directory in the ProxyUI Domain that is not properly configured against the same User Directory as the External Administrator Store in SiteMinder, then the user is not considered to be a SiteMinder Administrator and these error messages will be encountered. In order to create a Group Configuration in the ProxyUI, the logged-in user must be a Single Sign-On/SiteMinder Administrator.

 

Resolution:

To allow a SiteMinder Administrator to create Group Configurations within the ProxyUI, a User Directory Connection must be created against the same User Directory that was configured as the External Administrator Store, and the connection information must match the connection information entered in the External Administrator Store configuration. If the Server information for the External Administrator Store was entered as "IP:PORT", then the Server information for the User Directory Connection must also be defined as "IP:PORT". If the Server information for the External Administrator Store was entered as "FQDN:PORT", then the Server information for the User Directory Connection must also be defined as "FQDN:PORT".

 

Further, if the Server information for the External Administrator Store is configured with failover/load-balancing, then the Server information for the User Directory Connection must also be defined with failover/load-balancing. The User Directory connection information for the User Directory in the ProxyUI Domain must "mirror" the connection information defined for the External Administrator Store in order for a user authenticated/authorized from the User Directory to be considered a SiteMinder Administrator and for the ProxyUI to establish the administration context.

 

If the External Administrative User Store was of type AD, ADLDS, or ADAM, the User Directory configured to protect the ProxyUI should be created in the LDAP namespace to allow the Authenticated User to be identified as a SiteMinder Administrator.
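The server-matching rules above can be checked before changing either configuration. The following is an added example, not CA code or part of the original article: it compares the Server field of the External Administrator Store with that of the User Directory Connection and reports where they do not mirror each other. The function names are hypothetical, the sample values are constructed, and the separator syntax (commas between load-balancing groups, spaces between failover servers) is an assumption to adjust to your deployment.

```python
import ipaddress

def parse_servers(value):
    """Split a server field into load-balancing groups of failover hosts.
    Assumption: commas separate load-balancing groups, spaces separate
    failover servers inside a group; IPv4 or FQDN hosts only."""
    groups = []
    for group in value.strip().split(","):
        hosts = []
        for entry in group.split():
            host, sep, port = entry.rpartition(":")
            hosts.append((host, port) if sep else (entry, ""))
        groups.append(hosts)
    return groups

def host_form(host):
    """Classify a host as 'IP' or 'FQDN'."""
    try:
        ipaddress.ip_address(host)
        return "IP"
    except ValueError:
        return "FQDN"

def mirror_problems(admin_store, user_dir):
    """Return the reasons the two server fields do not mirror each other."""
    a, u = parse_servers(admin_store), parse_servers(user_dir)
    if [len(g) for g in a] != [len(g) for g in u]:
        return ["failover/load-balancing layout differs"]
    problems = []
    for (ha, pa), (hu, pu) in zip(sum(a, []), sum(u, [])):
        if host_form(ha) != host_form(hu):
            problems.append(f"{ha} is {host_form(ha)} but {hu} is {host_form(hu)}")
        elif ha != hu:
            problems.append(f"host differs: {ha} vs {hu}")
        if pa != pu:
            problems.append(f"port differs for {ha}: {pa or 'none'} vs {pu or 'none'}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(mirror_problems("10.0.0.5:389", "ldap1.example.com:389"))
    print(mirror_problems("ldap1.example.com:389 ldap2.example.com:389",
                          "ldap1.example.com:389"))
```

An empty list means the two fields mirror each other under these assumptions; the comparison is deliberately exact, so a difference in letter case is also reported.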

 

Additional Information:

Configure an External Administrator Store - https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/administrators/configure-an-external-administrator-store

Protect the Administrative User Interface - https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/installing/ca-siteminder-sps/install-upgrade-and-configure-ca-siteminder-sps#Install,Upgrade,andConfigureCASiteMinder®SPS-ProtecttheAdministrativeUserInterface

Environment

Release:
Component: SMSPS