Policy Server with Active Directory and Password Policies interaction


Article ID: 48927


Updated On:


Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER



When the Policy Server runs with Active Directory as the User Store and Password Services is enabled, a user who sets a new password through SiteMinder is not subject to the native Active Directory password-history policy: the user can reuse an old password on the SiteMinder side, whereas the same change made directly through Active Directory is rejected.




The problem comes from the fact that both password policies apply, i.e. SiteMinder's and Active Directory's.

First, consider that:

"The directory server's account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that." (1).

Second, the documentation says to disable the directory's native password policy if SiteMinder should manage passwords (2):

  "If you plan to implement password policies in your enterprise, consider the following items:

   - SiteMinder requires read/write access to the user directory, including exclusive use of several attributes within that directory to store passwords and password-related information.

   - If your user directory has a native password policy, this policy must be less restrictive than the password policy or it must be disabled.
     Otherwise the native password policy accepts or rejects passwords without notifying SiteMinder. Therefore, SiteMinder cannot manage those passwords."
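The requirement above is easy to check before rollout. The following PowerShell script is an added example, not code from the CA article or from the SiteMinder product: it reads the native Active Directory domain password policy with the RSAT ActiveDirectory module and flags every setting where AD is stricter than the SiteMinder password policy, i.e. where AD would accept or reject a password without SiteMinder knowing. The SiteMinder values in $smPolicy are assumed illustrative settings that an administrator copies from the Policy Server Administrative UI; they are not read from SiteMinder.

```powershell
# Added example (not from the CA/Broadcom article): compare the native AD domain password
# policy with the SiteMinder password policy so that the "less restrictive or disabled"
# requirement from the documentation can be verified. Needs the RSAT ActiveDirectory module
# and read access to the domain.
Import-Module ActiveDirectory

# Assumed SiteMinder password policy values (illustrative; take the real ones from the
# Policy Server Administrative UI).
$smPolicy = @{
    MinPasswordLength    = 8
    PasswordHistoryCount = 5      # old passwords SiteMinder refuses to reuse
    MinPasswordAgeDays   = 0
    MaxPasswordAgeDays   = 90
    LockoutThreshold     = 5      # failed logins before SiteMinder disables the account
}

$ad = Get-ADDefaultDomainPasswordPolicy

# StricterIf says in which direction the AD value makes AD the stricter side.
$checks = @(
    @{ Name = 'MinPasswordLength';    AD = $ad.MinPasswordLength;        SM = $smPolicy.MinPasswordLength;    StricterIf = 'Greater' }
    @{ Name = 'PasswordHistoryCount'; AD = $ad.PasswordHistoryCount;     SM = $smPolicy.PasswordHistoryCount; StricterIf = 'Greater' }
    @{ Name = 'MinPasswordAgeDays';   AD = $ad.MinPasswordAge.TotalDays; SM = $smPolicy.MinPasswordAgeDays;   StricterIf = 'Greater' }
    @{ Name = 'MaxPasswordAgeDays';   AD = $ad.MaxPasswordAge.TotalDays; SM = $smPolicy.MaxPasswordAgeDays;   StricterIf = 'Less' }
    @{ Name = 'LockoutThreshold';     AD = $ad.LockoutThreshold;         SM = $smPolicy.LockoutThreshold;     StricterIf = 'Less' }
)

function Test-NativePolicyStricter {
    param([hashtable]$Check)
    # In AD a value of 0 for maximum password age or lockout threshold means the control
    # is switched off, which is the "disabled" state the documentation allows.
    if ($Check.StricterIf -eq 'Less' -and $Check.AD -eq 0) { return $false }
    if ($Check.StricterIf -eq 'Greater') { return $Check.AD -gt $Check.SM }
    return $Check.AD -lt $Check.SM
}

foreach ($c in $checks) {
    $verdict = if (Test-NativePolicyStricter $c) {
        'AD STRICTER: AD will reject or block without notifying SiteMinder'
    } else {
        'ok'
    }
    '{0,-22} AD={1,-6} SiteMinder={2,-6} {3}' -f $c.Name, $c.AD, $c.SM, $verdict
}

# Complexity has no SiteMinder-side number to compare; if it is on, AD applies its own
# character rules to every password written through SiteMinder.
if ($ad.ComplexityEnabled) {
    'ComplexityEnabled      AD=True  native complexity rules apply to SiteMinder password changes'
}
```

When fine-grained password policies (PSOs) are in use, the default domain policy is not what applies to a given user; run the same comparison against `Get-ADUserResultantPasswordPolicy -Identity <user>` for a representative account in each affected group.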

As SiteMinder depends on the behavior of the User Store, the attributes that the Policy Server manages in non-enhanced and AD enhanced mode to run SiteMinder Password Services against Active Directory are listed in (3).

So, to handle expired passwords and the locked or disabled flags, match each Active Directory (AD) attribute to the corresponding SiteMinder one.
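To verify what Active Directory itself holds for one account before comparing it with the SiteMinder side, the following PowerShell function is an added example (not code from the CA article or the SiteMinder product). It reads the native AD attributes that express the three states the text names, expired password, locked out and disabled, and returns them as one object. The account name 'jdoe' is a placeholder; the SiteMinder-side attribute names to match against are those listed in reference (3), which this example does not reproduce.

```powershell
# Added example (not from the CA/Broadcom article): report the native Active Directory
# account state that SiteMinder relies on in AD enhanced mode. Needs the RSAT
# ActiveDirectory module and read access to the user object.
Import-Module ActiveDirectory

function Get-NativeAccountState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, pwdLastSet,
        lockoutTime, accountExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # userAccountControl bit flags (documented Microsoft values)
    $ACCOUNTDISABLE     = 0x0002
    $DONT_EXPIRE_PASSWD = 0x10000
    # Int64.MaxValue in accountExpires / msDS-UserPasswordExpiryTimeComputed means "never"
    $never = [Int64]::MaxValue
    $now   = (Get-Date).ToFileTimeUtc()

    $expiry  = $u.'msDS-UserPasswordExpiryTimeComputed'
    $lastSet = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($u.pwdLastSet) } else { $null }

    [pscustomobject]@{
        User                 = $u.SamAccountName
        Disabled             = (($u.userAccountControl -band $ACCOUNTDISABLE) -ne 0)
        # lockoutTime is not cleared when the lockout duration elapses; a non-zero value
        # older than the domain lockout duration is a stale lock, not an active one.
        LockedOut            = ($u.lockoutTime -gt 0)
        MustChangePassword   = ($u.pwdLastSet -eq 0)
        PasswordNeverExpires = (($u.userAccountControl -band $DONT_EXPIRE_PASSWD) -ne 0)
        PasswordExpired      = ($null -ne $expiry -and $expiry -ne $never -and $expiry -lt $now)
        PasswordLastSet      = $lastSet
        AccountExpired       = ($u.accountExpires -gt 0 -and $u.accountExpires -ne $never -and $u.accountExpires -lt $now)
    }
}

# 'jdoe' is a placeholder account name.
Get-NativeAccountState -SamAccountName 'jdoe'
```

Because the directory's account status takes precedence over anything SiteMinder configures (1), a Disabled or AccountExpired value of True here explains a login failure regardless of how the SiteMinder disable flag is set.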

Further reading:

Using Enhanced Active Directory Integration, some prerequisites need to be set (4).

Note that SiteMinder delivers Advanced Password Services (APS) modules that give finer management of SiteMinder Password Services with Active Directory (5)(6).


Additional Information

(1) User Store Disable Flag: Behavior among Active Directory AD and LDAP

(2) Password Policy Considerations

(3) Managed Active Directory (AD) native attributes in the Policy Server

(4) Enhanced Active Directory integration pre-requisites for Policy Server

(5) Microsoft Active Directories

    "APS does support Microsoft Active Directory and this support is
    provided using its LDAP interface. However, because Active
    Directory deviates so extensively from the LDAP specification,
    APS contains a significant amount of special processing and thus
    Active Directory is discussed in its own section.

    APS supports Microsoft Active Directories running in LDAP mode"

(6) Advanced Password Services Configuration

Attachment: 1558534991865TEC589990.zip