Symantec Access Management


CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

  • 1.  CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 09:15 AM

    Dear all,

     

    Our security policy requires users to change the password every 30 days. CA SSO understands the policy and responds with the following URL:

     

     

    We have created an unprotected page in which users can request a password change, and we need to redirect the above default Password Change Request page to our unprotected page.

     

     

    We tried to modify the files smpwservices.fcc and smpwservices.unauth using HTML code under \CA\webagent\win64\samples\forms on the IIS that handles the login attempts, but the above form continues to respond.

     

    We also tried to configure a Password Policy with a redirection URL, but we get the following error:

     

    The chosen "User Directory" is not configured to setup password policies. It should have a valid "Blob attribute".

     

     

    Is it possible to achieve this implementation using CA Single Sign-On (Basic) Password Services?

     

    Is there documentation that can help us with the implementation?

     

    If you have any comments or suggestions please feel free to let us know.

     

     

    BR,



  • 2.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 09:31 AM

    Hi BR,

     

    With Siteminder in the picture, when user account status invokes the password services (native or Siteminder password policy), user is redirected to the smpwservices.fcc page by default.

     

    How to redirect user to a customized error page when password services is invoked?

     

    If Password Services is invoked and there is no SM password policy configured, set the environment variable NETE_PWSERVICES_REDIRECT at Policy Server, to a relative path for smpwservices.fcc or relative path for customized error page e.g: /siteminderagent/forms/smpwservices.fcc.
    If the error page is hosted on a specific server, define the full URL e.g: http://support.ca.com/index.asp.


    For more information, refer to:

    https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/05/07/redirect-user-to-a-customized-error-page-when-password-services-is-invoked

     

    Regards,

    Leo Joseph.



  • 3.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 09:44 AM

    The chosen "User Directory" is not configured to setup password policies. It should have a valid "Blob attribute".

     

    It's expecting a value under Admin UI > Infrastructure > Directory > User Directory > User Attributes (Password Data (RW))

     

    Directory Attributes Overview - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

     

    Regards,

    Leo Joseph.



  • 4.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 09:51 AM

    Thank you for your reply!

     

    Under Password Data (RW), can we put a dummy value?

     

    BR,



  • 5.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 10:00 AM

    Yes. See to it that the attribute is unique and not used.

     

    The attributes you specify must:

    • Exist in your database
    • Be the correct type, either string or binary
    • Not be used to store other types of data (only for read/write attributes)

     

    Regards,

    Leo Joseph.



  • 6.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 10:08 AM

    Dear Joseph,

     

    We used a value (=AUTH_PASSWORD), and when we try to reproduce the error we are redirected to the same login page.

     

    We were not redirected to the desired page, even though we get the following error at the Policy Server:

     

     [38] Password must change. 8009030C: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 773, v1771 [] []

     

    What do you mean by saying that the attribute must exist in our database?



  • 7.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 10:16 AM

    Password Data (RW) 

     

    Ex: carLicense, audio or any attribute that is not used.

     

    To customize the redirection destination, you must set the NETE_PWSERVICES_REDIRECT environment variable to the relative URL of the redirect destination on the Policy Server. After setting this variable, restart the Policy Server so this new variable can take effect.

     

    PASSWORD POLICY URL 

     

     

    Regards,

    Leo Joseph.



  • 8.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 10:23 AM

    Dear Joseph,

     

    By the NETE_PWSERVICES_REDIRECT environment variable, do you mean the Redirection URL in the password policy?

     



  • 9.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 10:35 AM

    Hi,

    You need to customize your login page. For example, if you want to customize the page for password change, then you need to design it in the below portion of the login.fcc:

     

     

    //Auth Reason = 18 - Password change option
    else if ($$smauthreason$$ == 18)
    {
        if ("$$username$$" == "")
        {
            document.write("<TR>");
            document.write("    <TD WIDTH='5' HEIGHT='25'>");
            document.write("    <BR>");
            document.write("    </TD>");
            document.write("    <TD NOWRAP WIDTH='100%' BGCOLOR='#FFEFD5' colspan='4' height='25'>");
            document.write("        <FONT face='Arial,Helvetica'> <p> $$SMPWUSRMSG$$ <p>Please change your current password before continuing.</FONT>");
            document.write("    </TD>");
            document.write("</TR>");
            document.write("<TR>");
            document.write("    <TD WIDTH='5' HEIGHT='25'>");
            document.write("    <BR>");
            document.write("    </TD>");
            document.write("    <TD ALIGN='LEFT' WIDTH='50%' HEIGHT='25' BGCOLOR='#FFEFD5'>");
            document.write("        <FONT face='Arial,Helvetica'><p>UserName</FONT><font size='-1' color='#FF0000' face='arial,helvetica'><sup>*</sup></font>");
            document.write("    </TD>");
            document.write("    <TD ALIGN='LEFT' WIDTH='50%' HEIGHT='25' BGCOLOR='#FFEFD5'>");
            document.write("        <INPUT type='text' name='username' size='30' tabindex=1 onkeydown='searchKeyPress(event);'>");
            document.write("    </TD>");
            document.write("    <TD WIDTH='5' HEIGHT='25'>");
            document.write("    </TD>");
            document.write("</TR>");
        }
        else
        {
            document.write("<TR>");
            document.write("    <TD WIDTH='5' HEIGHT='25'>");
            document.write("    <BR>");
            document.write("    </TD>");
            document.write("    <TD NOWRAP WIDTH='100%' BGCOLOR='#FFEFD5' colspan='4' height='25'>");
            document.write("        <FONT face='Arial,Helvetica'><B>$$username$$</B> <p> $$SMPWUSRMSG$$ <p>Please change your current password before continuing.</FONT>");
            document.write("    </TD>");
            document.write("</TR>");
        }
        document.write("<TR>");
        document.write("    <TD WIDTH='5' HEIGHT='25'>");
        document.write("    <BR>");
        document.write("    </TD>");
        document.write("    <TD ALIGN='LEFT' WIDTH='50%' HEIGHT='25' BGCOLOR='#FFEFD5'>");
        document.write("        <FONT face='Arial,Helvetica'><p>Old Password</FONT><font size='-1' color='#FF0000' face='arial,helvetica'><sup>*</sup></font>");
        document.write("    </TD>");
        document.write("    <TD ALIGN='LEFT' WIDTH='50%' HEIGHT='25' BGCOLOR='#FFEFD5'>");
        document.write("        <INPUT type='password' name='PASSWORD' size='30' tabindex=2 onkeydown='searchKeyPress(event);'>");
        document.write("    </TD>");
        document.write("    <TD WIDTH='5' HEIGHT='25'>");
        document.write("    </TD>");
        document.write("</TR>");
        document.write("<TR>");
        document.write("    <TD WIDTH='5' HEIGHT='25'>");
        document.write("    </TD>");
        document.write("    <TD ALIGN='LEFT' WIDTH='50%' HEIGHT='25' BGCOLOR='#FFEFD5'>");
        document.write("        <FONT face='Arial,Helvetica'><p>New Password</FONT><font size='-1' color='#FF0000' face='arial,helvetica'><sup>*</sup></font>");
        document.write("    </TD>");
        document.write("    <TD ALIGN='LEFT' WIDTH='50%' HEIGHT='25' BGCOLOR='#FFEFD5' valign='middle' nowrap>");
        document.write("        <INPUT type='password' name='NEWPASSWORD' size='30' tabindex=3 onkeydown='searchKeyPress(event);'>");
        document.write("    </TD>");
        document.write("    <TD WIDTH='5' HEIGHT='25'>");
        document.write("    </TD>");
        document.write("</TR>");
        document.write("<TR>");
        document.write("    <TD WIDTH='5' HEIGHT='25'>");
        document.write("    </TD>");
        document.write("    <TD ALIGN='LEFT' WIDTH='50%' HEIGHT='25' BGCOLOR='#FFEFD5'>");
        document.write("        <FONT face='Arial,Helvetica'><p>Confirm New Password</FONT><font size='-1' color='#FF0000' face='arial,helvetica'><sup>*</sup></font>");
        document.write("    </TD>");
        document.write("    <TD ALIGN='LEFT' WIDTH='50%' HEIGHT='25' BGCOLOR='#FFEFD5' nowrap>");
        document.write("        <INPUT type='password' name='CONFIRMATION' size='30' tabindex=4 onkeydown='searchKeyPress(event);'>");
        document.write("    </TD>");
        document.write("    <TD WIDTH='5' HEIGHT='25'>");
        document.write("    </TD>");
        document.write("</TR>");
    } //Auth Reason = 18

    //Auth Reason 19 - Account disabled due to inactivity
    else if ($$smauthreason$$ == 19)
    {
        document.write("<TR>");
        document.write("<TD NOWRAP WIDTH='100%' BGCOLOR='#FFEFD5' height='26'>");
        document.write("<font face='Arial, Helvetica'><B>$$username$$</B> you cannot access your account because your password has expired.<p>Please contact your Security Administrator or Help Desk.</font>");
        document.write("    </TD>");
        document.write("</TR>");
    }

     

     

    Thanks

    Shankar



  • 10.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 11:15 AM

    Also, you can check the thread below on how to customize the login page.

     

    https://communities.ca.com/docs/DOC-231150607

     

    Thanks

    Shankar



  • 11.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 01:40 PM

    Hi BR,

     

    When you get the below error in the Policy Server logs, the Policy Server returns an SMAUTHREASON code based on this error. As Shankar mentioned, you would need to customize smpwservices based on the SMAUTHREASON and redirect to custom pages accordingly.

     

    [38] Password must change. 8009030C: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 773, v1771 [] []

     

    Please refer to the link below for best practice on customizing smpwservices.

    What is the best practice to customize smpwservices.fcc? 

     

    Also, please refer to the KB article mentioned below for all the SMAUTHREASON codes.

    https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec450869.html 

     

    Thanks,

    Sharan
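
Added example, not part of any post in this thread: a small triage helper that pulls the Active Directory bind sub-code out of Policy Server log lines like the one quoted above, so an operator can tell a must-change-password condition (`data 773`) from a lockout or a bad password before touching the redirect configuration. The sub-codes other than 773 are standard Windows error values and do not appear in the thread; every sample line except the first is constructed, and grouping 532 with 773 as "password change" is an assumption.

```python
import re

# Hex sub-codes carried in the "data" field of an AcceptSecurityContext error.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}
# Assumption: these two conditions should lead to a password-change page.
PASSWORD_CHANGE_SUBCODES = {"532", "773"}

_BIND_ERROR = re.compile(
    r"LdapErr:\s*(?P<dsid>DSID-[0-9A-Fa-f]+),\s*comment:\s*"
    r"AcceptSecurityContext error,\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)

def classify(line):
    """Decode one log line; return None if it carries no AD bind sub-code."""
    m = _BIND_ERROR.search(line)
    if m is None:
        return None
    code = m.group("data").lower()
    return {
        "dsid": m.group("dsid"),
        "subcode": code,
        "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code"),
        "password_change": code in PASSWORD_CHANGE_SUBCODES,
    }

def triage(lines):
    """Return (line_number, decoded) for every line with a bind sub-code."""
    decoded = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, r) for n, r in decoded if r is not None]

SAMPLE = [
    # Line 1 is the log line quoted in the thread; the rest are constructed.
    "[38] Password must change. 8009030C: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 773, v1771 [] []",
    "[49] 80090308: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 52e, v1771 [] []",
    "[49] 80090308: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 775, v1771 [] []",
    "Policy Server started (constructed line with no bind error)",
]

if __name__ == "__main__":
    for n, r in triage(SAMPLE):
        print(n, r["subcode"], r["meaning"], "-> password change" if r["password_change"] else "")
```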



  • 12.  Re: CA SSO Password Change Request - redirect to custom URL at smpwservices.fcc

    Posted Mar 24, 2017 10:35 AM

    Policy Server will redirect the user to the defined page according to the NETE_PWSERVICES_REDIRECT environment variable, if either criterion is fulfilled:

     

    Redirect URL in SM password policy is blank OR
    No SM password policy is defined

     

    We should set the NETE_PWSERVICES_REDIRECT environment variable in the Policy Server.

     

    Regards,

    Leo Joseph.