HONGXU LIU

AD Password Services problems after upgrading to R12.52 SP01 CR05 and CR06

Discussion created by HONGXU LIU Employee on Nov 16, 2016
Latest reply on Oct 25, 2017 by Ujwol Shrestha

Some clients have reported Active Directory Password Services problems after upgrading to R12.52 SP01 CR05 and CR06.

Depending upon the password policy used, the configuration settings and what customization might already be in place, the following use case scenarios may be observed:

Use case: User has an expired password but is not prompted for a password change; they are just sent back to the login page.

Use case: A locked-out account still allows users to try credentials.

Use case: During the password change process, if the new password given does not meet the minimum 8-character limit enforced by AD policy, SMAUTHREASON shows 1 every time in smaccess.log except on the initial access of the login page (smauthreason 0).

Use case: It takes two rounds of the change password process (instead of one) before the user can log in again.

The first password change always fails. Some report seeing SiteMinder getting SMAUTHREASON=1.

If you encounter similar problems, please engage CA Support; a dev fix might be provided which includes the replacement of a few Policy Server library files.

1. Is the issue applicable only to the AD user store, or to others as well?

Yes, this is applicable only for the AD user store, with a password policy enabled in AD. The affected code is based entirely on the AD error codes received.

2. Is the issue applicable from CR5 or CR6 onwards?

Correct; as explained, there was an issue with redirection that was affected and has been addressed in 12.52 SP01 CR06 + Devfix.

3. What are all the possible failing scenarios, any workaround, and the root cause?

Please refer to Table #2. These are the scenarios affected.

There has been a new change since 12.52 SP01 CR05 and CR06 that affects AD Password Services, made as part of a code effort to return the appropriate smauthreason codes (an enhancement).

Table #1

AD Error code   AD Error                      12.52 SP01 CR04 SMAUTHREASON      After 12.52 SP01 CR05 with Fix
-------------   ----------------------------  --------------------------------  -----------------------------------------------
533             ERROR_ACCOUNT_DISABLED        Sm_Api_Reason_UserDisabled (7)    Sm_Api_Reason_UserDisabled (7)
775             ERROR_ACCOUNT_LOCKED_OUT      Sm_Api_Reason_UserDisabled (7)    Sm_Api_Reason_ExcessiveFailedLoginAttempts (24)
532             ERROR_PASSWORD_EXPIRED        Sm_Api_Reason_PwMustChange (1)    Sm_Api_Reason_PwExpired (19)
773             ERROR_PASSWORD_MUST_CHANGE    Sm_Api_Reason_PwMustChange (1)    Sm_Api_Reason_PwMustChange (1)

With these changes, the redirection of pages in the change-password case is impacted. So, with the complete fix (12.52 SP01 CR06 + Devfix), it should work as per the table below.

Table #2: R12.52 SP1 CR06 Build#2204 + DEVFIX (SmauthReason and redirection per AD error)

533 ERROR_ACCOUNT_DISABLED
  Enhance Active Directory Integration enabled:  Sm_Api_Reason_UserDisabled (7), redirected to smpwservices.fcc
  Enhance Active Directory Integration disabled: Sm_Api_Reason_UserDisabled (7), redirected to smpwservices.fcc

775 ERROR_ACCOUNT_LOCKED_OUT
  Enhance Active Directory Integration enabled:  Sm_Api_Reason_ExcessiveFailedLoginAttempts (24), redirected to smpwservices.fcc
  Enhance Active Directory Integration disabled: Sm_Api_Reason_ExcessiveFailedLoginAttempts (0), redirected to login.fcc

532 ERROR_PASSWORD_EXPIRED
  Enhance Active Directory Integration enabled:  Sm_Api_Reason_PwExpired (19), redirected to smpwservices.fcc
  Enhance Active Directory Integration disabled: Sm_Api_Reason_PwExpired (0), redirected to login.fcc

773 ERROR_PASSWORD_MUST_CHANGE
  Enhance Active Directory Integration enabled:  Sm_Api_Reason_PwMustChange (1), redirected to smpwservices.fcc
  Enhance Active Directory Integration disabled: Sm_Api_Reason_PwMustChange (1), redirected to smpwservices.fcc
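As an added example (not from the original post or from CA), a small Python check over constructed, simplified smaccess.log-style lines that flags users whose every request after the initial login-page access (smauthreason 0) carries SMAUTHREASON=1, the symptom described in the password-change use case above. The key=value line layout and the user names are assumptions; the SMAUTHREASON values and names come from the tables.

```python
import re
from collections import defaultdict

# SMAUTHREASON values named in the tables above (0 = no reason given).
REASON_NAMES = {
    0: "None",
    1: "Sm_Api_Reason_PwMustChange",
    7: "Sm_Api_Reason_UserDisabled",
    19: "Sm_Api_Reason_PwExpired",
    24: "Sm_Api_Reason_ExcessiveFailedLoginAttempts",
}

# Constructed, simplified log lines (assumption: the real smaccess.log layout
# differs; only the smauthreason value is modelled here).
SAMPLE_LOG = """\
user=alice resource=/app/login.fcc smauthreason=0
user=alice resource=/app/smpwservices.fcc smauthreason=1
user=alice resource=/app/smpwservices.fcc smauthreason=1
user=alice resource=/app/smpwservices.fcc smauthreason=1
user=alice resource=/app/smpwservices.fcc smauthreason=1
user=bob resource=/app/login.fcc smauthreason=0
user=bob resource=/app/smpwservices.fcc smauthreason=1
user=bob resource=/app/index.html smauthreason=0
""".splitlines()

LINE_RE = re.compile(r"user=(\S+)\s+resource=(\S+)\s+smauthreason=(\d+)")


def parse_line(line):
    """Extract user, resource and numeric reason; None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"user": m.group(1), "resource": m.group(2), "reason": int(m.group(3))}


def find_stuck_password_change(lines, min_repeats=3):
    """Return {user: reason name} for users whose first request is reason 0
    and whose following min_repeats or more requests are all reason 1
    (PwMustChange) with no later 0: a change-password flow that never completes."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_user[rec["user"]].append(rec["reason"])
    stuck = {}
    for user, reasons in by_user.items():
        tail = reasons[1:]
        if reasons and reasons[0] == 0 and len(tail) >= min_repeats and all(r == 1 for r in tail):
            stuck[user] = REASON_NAMES[1]
    return stuck
```

Run the check over a real export only after mapping its fields into the same key=value shape; a user that reaches a later reason 0 (like bob above) completed the flow and is not reported.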
