CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 31st May 2015

Basic Forgotten Password Services Configurations for IIS:

     1.      Extend User Directory schema to include APS attributes (<siteminder>\APS_Docs directory):

• Run the APSExpire utility [APSExpire JOBONE –v –A] against the user directory after schema is updated. APSExpire will update all of the users in your directory, initializing the smapsBaseDate and smapsNextAction attributes
• Ensure that every new user is created with the objectclass that allows access to the new attributes

2.      Create FPS virtual directory

• IIS – enable CGI-exe module from Handler Mappings, add and allow Forgot.exe (<webagent>\win32\bin\Web\FPS\Forgot.exe) to the ISAPI and CGI Restrictions

3.      Rename smaps.rename4aps.dll to smaps.dll (<siteminder>\bin)

4.      Edit APS.cfg:

• The Directory setting specifies the directory that FPS will search for users. Only a single directory is supported for FPS.
• Enable/ disable audit logging for FPS activity.
• You can opt to define different query to be used specifically for APS. It overrides the query by the same name defined in Siteminder.

5.      Edit SmPortal.cfg:

• Define the Policy Server IP address (MyServer.ip)
• Note the Agents defined in this file and create the same name 4.x agents in Policy Server

6.      To test forgotten password services, access http://<webserver hostname>/fps/identify.asp

NOTE: Before running APSExpire utility, please update APS.cfg JOBONE parameter:

• LDAP – IP address, network name or SiteMinder User Directory name of an LDAP directory defined to SiteMinder through the Policy Interface
• ODBC -- DSN name or the SiteMinder User Directory name of an ODBC user directory defined to SiteMinder through the Policy Interface