Symantec Access Management

  • 1.  CA SSO Force Change password

    Posted Nov 03, 2017 12:52 AM

    We are using CA SSO 12.6 and facing an unusual problem. The user directory being used is Active Directory and Enhanced AD Integration is not enabled.

     

    We have enabled Basic Password Services and applied policy on password age. We have noticed that when the policy server sets the user status as Force Change password in the SM user status field (as mapped in user directory config), the pwdLastSet value is also set to 0.

     

    This causes problems for other applications which are directly dependent on reading the pwdLastSet value to manage some transactions.

     

    Can anyone please help me understand if this behaviour is expected and whether I can stop this from happening.

     

    Thank you,

    Avi



  • 2.  Re: CA SSO Force Change password
    Best Answer

    Posted Nov 03, 2017 01:05 AM

    Yes, even if there is no Enhanced AD integration, there is partial AD integration by default.

    This is what causes the setting of the pwdLastSet attribute.

     

    If you want the Policy Server NOT to set the pwdLastSet attribute, you can do the following:

     

    Follow these steps:

    1. Access the Policy Server host system and complete one of the following steps:
      • (Windows) Open the Registry Editor and navigate to the following location:

        SiteMinder\CurrentVersion\Ds\LDAPProvider
      • (UNIX) Open the sm.registry file. The default location of this file is siteminder_home/registry.
        • siteminder_home 
          Specifies the Policy Server installation path.
    2. Create IgnoreADpwdLastSet with a registry value type of REG_DWORD.
       Value: 1
    3. Do one of the following steps:
      • (Windows) Exit the Registry Editor.
      • (UNIX) Save the sm.registry file.
    4. Restart the Policy Server.


  • 3.  Re: CA SSO Force Change password

    Posted Nov 03, 2017 01:24 AM

    Thanks for the detailed reply, Ujwol.

     

    Can you tell me if making this change has any impact on the functioning of any password policy or password management function? We are using Identity Minder for Password Services.



  • 4.  Re: CA SSO Force Change password

    Posted Nov 03, 2017 01:32 AM

    From the SiteMinder side, if you set this registry value, then the Policy Server will neither read nor set this attribute.

    I don't think this will impact any of the password functionality from SiteMinder perspective.

     

    However, I am not too sure if IM has any dependency on this attribute.



  • 5.  Re: CA SSO Force Change password

    Posted Nov 03, 2017 01:10 AM

    Hi,

     

    The PS reads the following LDAP parameters in both non-enhanced and AD enhanced mode:

    • userAccountControl
    • pwdLastSet
    • sAMAccountName
    • SM password data (blob)

    The PS reads the following additional LDAP parameters in AD enhanced mode Only:

    • accountExpires
    • maxPwdAge
    • lockoutTime
    • lockoutDuration

    The PS writes the following parameters in both non-enhanced and AD enhanced mode:

    • userAccountControl
    • SM password data (blob)
    • pwdLastSet

    The PS writes the following parameters in AD enhanced mode only:

    • unicodePwd
    • lockoutTime

    Note: A login failure will trigger AD to modify the following user attributes.
    These attributes are not currently used by SM:

    • logonCount
    • badPasswordTime

     

    Refer to: What are the AD native attributes managed by the SiteMinder policy server?

     

    Regards,

    Leo Joseph.
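    The problem in post 1 (downstream applications that read pwdLastSet and trip over the 0 that a force-change writes) and the attribute list in post 5 can be illustrated with a small reader for the attributes the PS touches. This is an added example, not code from the thread or from CA/Broadcom; the sample records are constructed, the 90-day maximum age is an assumed policy value, and the userAccountControl bit values are the standard AD ones. It converts pwdLastSet from its FILETIME encoding, treats 0 as the distinct "must change at next logon" state instead of a 1601 timestamp, and lists the enabled accounts whose pwdLastSet has been zeroed so an administrator can see which users a force-change has affected.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as 100-nanosecond ticks since 1601-01-01 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Standard userAccountControl bits from the AD schema.
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000

def filetime_to_datetime(ticks):
    """FILETIME ticks -> timezone-aware UTC datetime (integer arithmetic only)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME ticks, avoiding float rounding on large values."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def classify_password(pwd_last_set, user_account_control, now, max_age_days=90):
    """How a consuming application should read one user's pwdLastSet.

    0 is AD's own "must change password at next logon" marker, the value the
    thread reports the PS writing on a force-change. Reading it as a timestamp
    gives 1601-01-01 and a nonsensical age, so it is reported as its own state.
    max_age_days is an assumed policy value, not something the thread states.
    """
    if pwd_last_set == 0:
        return {"state": "must_change", "age_days": None}
    age_days = (now - filetime_to_datetime(pwd_last_set)).days
    if user_account_control & UAC_DONT_EXPIRE_PASSWORD:
        return {"state": "never_expires", "age_days": age_days}
    return {"state": "expired" if age_days > max_age_days else "ok", "age_days": age_days}

def find_forced_change_users(records):
    """sAMAccountNames of enabled accounts whose pwdLastSet has been zeroed."""
    return [r["sAMAccountName"] for r in records
            if r["pwdLastSet"] == 0 and not r["userAccountControl"] & UAC_ACCOUNTDISABLE]

def ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))

# Constructed sample records (not real directory data) shaped like an LDAP
# search result for sAMAccountName, pwdLastSet and userAccountControl.
NOW = datetime(2017, 11, 3, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": ft(2017, 11, 1), "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "pwdLastSet": 0, "userAccountControl": 0x200},
    {"sAMAccountName": "svc", "pwdLastSet": ft(2016, 1, 1), "userAccountControl": 0x10200},
    {"sAMAccountName": "old", "pwdLastSet": 0, "userAccountControl": 0x202},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["sAMAccountName"], classify_password(u["pwdLastSet"], u["userAccountControl"], NOW))
    print("forced change:", find_forced_change_users(SAMPLE_USERS))
```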