Error: 500 error with AD User Store
search cancel

Error: 500 error with AD User Store


Article ID: 49043


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



When user hits the URL having Active Directory as user store user gets 500 error in the browser, this happens when customer is using HTML based Auth Scheme or using Basic Authentication Scheme. Customer gets the below error in Event Viewer as

Log Name: Application
Source: SiteMinder Agent
Date: 4/4/2012 10:18:29 AM
Event ID: 26
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Description: LogonUser failed for specified user shown below.

In this error smps.log will not show any error and Webagent Trace logs/Policy server Trace logs shows that the user is successfully Authenticated/Authorized


When check the User Directory Configuration found "Use authenticated user's security context" was checked. Unchecking the Use authenticated user's security context the user was able to login to application with any issues.

Reason why user gets 500 error:

Workgroups do not support security context.

An User Directory is configured for AD and feature "Run in Authenticated User's Security Context" is selected. When the user accesses the protected resource on domain control server with valid credentials, a SSO session is generated. Now, in the same session the user tries to access resources on the workstation that is not part of the domain, the resource is denied

access because the user is not found on the workstation machine.

For Issue Resolution:

Set ACO "ForceIISproxyuser" to yes along with DefaultUsername and DefaultPassword, for the IIS web server that is in workgroup.

ForceIISproxyuser specifies whether the Web Agent uses an IIS proxy account to grant access to requested resources on IIS web servers to users who normally lack sufficient privileges to access the IIS web server.

Alternatively, either uncheck "Run in Authenticated User's Security Context" or configure the workstation machine so that it is part of the domain of the domain control server


Component: SMPLC