Symantec Access Management

  • 1.  AD LDS and AzReject

    Broadcom Employee
    Posted May 31, 2016 03:57 PM

    I'm part of a team working for a customer that is doing a first-time deployment of CA SSO.  Their user directory is AD LDS.  User objects have an objectClass of "userProxy", so we had to update several parameters in the Windows registry to accommodate this new object class.  All policies to date are enabled for all users in the directory, and we have not had any problems with users getting authorized. So far, so good.

     

    We now want to be able to restrict a particular URI to a single service account.  We have created a separate realm so we can restrict access to the resource and have modified the policy accordingly.  The user is successfully authenticated, but gets an AzReject.  We are suspicious that the policy server and/or Windows is still lacking some required configuration element to be able to identify individual users in AD LDS.

     

    Any suggestions would be appreciated!



  • 2.  Re: AD LDS and AzReject
    Best Answer

    Broadcom Employee
    Posted May 31, 2016 04:25 PM

    An objectClass of "userProxy" is not out of the box in the registry; the registry change only takes care of the LDAP search part. Maybe that gets you through authentication. But for AZ, the actual user DN is what is being compared. It must match the "User Class" in the policy definition as well; by default it is set to "Validate DN".  It would be interesting to see what the policy server trace log complains about with full tracing: did it fail due to the DN, or because the User Class was not found?  If this implementation gets stuck, maybe think about another workaround, e.g. AZ using a common LDAP attribute (employee type) that is not related to the User Class, or a unique DN at all.
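    The answer above says the AZ step compares the resolved user DN against the policy's User Class, so the first thing worth confirming is what the directory actually returns for the service account. The following PowerShell script is an added example, not code from the original thread or from the CA SSO product: it uses System.DirectoryServices to query the AD LDS instance directly and print the DN, every objectClass value and the objectSid of the matching object. The host and port, partition DN, and the lookup attribute (`uid`) are assumptions; change them to match your instance and the attribute the policy server searches on.

    ```powershell
    # Added example (not from the original thread): query an AD LDS instance directly
    # to see exactly which DN and objectClass values an account resolves to.
    # Server, Partition and Attribute below are assumptions; adjust to your instance.
    param(
        [string]$Server    = 'adlds.example.local:50000',      # assumed AD LDS host:port
        [string]$Partition = 'CN=Users,DC=example,DC=local',   # assumed application partition
        [string]$Attribute = 'uid',                            # assumed attribute the policy server searches on
        [Parameter(Mandatory)][string]$Value                   # e.g. the service account's uid
    )

    Add-Type -AssemblyName System.DirectoryServices

    # Escape the RFC 4515 special characters so the supplied value cannot alter the filter.
    function Escape-LdapFilterValue([string]$s) {
        $s.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    }

    # Binds as the current Windows identity; use the DirectoryEntry(path, user, password)
    # constructor instead if the AD LDS instance requires explicit credentials.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Partition")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = 'Subtree'

    # Match on the attribute only, with no objectClass restriction, so every object class
    # the directory really holds for this account is visible in the output.
    $searcher.Filter = "($Attribute=$(Escape-LdapFilterValue $Value))"
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectClass', 'objectSid'))

    $results = $searcher.FindAll()
    if ($results.Count -eq 0) {
        Write-Warning "No object with $Attribute=$Value found under $Partition"
        return
    }

    foreach ($r in $results) {
        $classes = @($r.Properties['objectClass'])
        $sid     = if ($r.Properties['objectSid'].Count -gt 0) {
                       (New-Object System.Security.Principal.SecurityIdentifier($r.Properties['objectSid'][0], 0)).Value
                   } else { '<none>' }

        [pscustomobject]@{
            DN          = $r.Properties['distinguishedName'][0]
            ObjectClass = ($classes -join ',')
            IsUserProxy = ($classes -contains 'userProxy')
            ObjectSid   = $sid
        }
    }
    ```

    Run it as `.\Check-AdLdsUser.ps1 -Value svc_account` (the script name is arbitrary). Compare the printed DN with the DN the policy server trace log shows it comparing during the AzReject, and compare the ObjectClass list with the User Class configured for the directory: if the object carries only `userProxy` and its auxiliary classes, and the User Class setting still expects the default class, that is the mismatch the answer above points to.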