Symantec Access Management

  • 1.  getUserFromSMTOKEN fails with Exception getting administrator

    Posted May 01, 2018 03:01 PM

    Hello All, 

     

    One of my users has enabled state '0' - meaning their password has not expired. As far as I understand, once Siteminder authenticates the user, Identity Manager should not attempt to reset the user's password in this case - correct?

     

    I am however getting the following error

    Sending server reqest with ID: 203 for method [getUserFromSMTOKEN]
    Receiving server response for request with ID:203

    Exception getting administrator (-SM-(RC2)** [facility=4 severity=2 reason=0 status=38 message=No items found] error. 

     

    I found the following doc for this issue, however I don't think the resolution fits my case.

    https://comm.support.ca.com/kb/getuserfromsmtoken-fails-with-exception-getting-administrator/kb000007830

    I only have one policy server and the time is in synch with my IDM server. 

     

    Can't seem to understand the issue. 

    Any other possible causes / fixes known to the community members? 

    Policy Server Version : 12.52.0001.154

     

    Thanks, Ferzana

     



  • 2.  Re: getUserFromSMTOKEN fails with Exception getting administrator

    Broadcom Employee
    Posted May 01, 2018 11:25 PM

    Hi 

     

    Exception getting administrator (-SM-(RC2)** [facility=4 severity=2 reason=0 status=38 message=No items found] error.

     

    No items found means it did not find that user when IDM sends the request back to SM.

     

    That can happen when using directory mapping: the "SMTOKEN" is generated against the AUTH directory (often in this problem case it was an AD directory).

     

    But when IDM sends the response back to SSO it says the user DN should be in the IMEnvironment directory (which is usually a CADir) - and then it does not find the user (using their AD DN) in the CADir with that same DN.

     

    There should also be a stack trace in the IDM server.log - which was the main indicator for the issue. 

     

    There were some patches with IDM that occurred to fix that, but offhand I am not sure which version of IDM had those fixes - and am unable to look that up now - but it should be a known issue for an IDM fix.

     

    Hope that helps (and I'll see if I can look it up, or pass it on to an IDM Engineer later)

     

    Cheers - Mark 

     

     



  • 3.  Re: getUserFromSMTOKEN fails with Exception getting administrator

    Broadcom Employee
    Posted May 03, 2018 06:13 PM

    Hi Ferzana,

     

    Please refer to this KB article; you might have run into a similar issue. If not, I would suggest you open a support case.

     

    Unable to retrieve user from the SM Token 

     

    Regards

    Ashok



  • 4.  Re: getUserFromSMTOKEN fails with Exception getting administrator

    Posted May 04, 2018 01:42 PM

    Thanks Ashok. My issue IS the prefix -SM- being added. I removed that from my URL and was able to reach the Password Services Page just fine. 

    How can I prevent this from happening? What generates that prefix and how can I modify it? 

     

    Also, just to clarify - this has only affected our DEV environment. TEST and PROD are fine. The agent and IDM versions across environments are the same.

     

    Thanks, Ferzana



  • 5.  Re: getUserFromSMTOKEN fails with Exception getting administrator

    Broadcom Employee
    Posted May 04, 2018 01:58 PM

    This boils down to a compatibility issue between the webagent (front-ending IDM) and IDM versions. What are your versions?



  • 6.  Re: getUserFromSMTOKEN fails with Exception getting administrator

    Posted May 04, 2018 02:12 PM

    The webagent full version is 12.52.108.2504 and my IDM Version is 12.6.4



  • 7.  Re: getUserFromSMTOKEN fails with Exception getting administrator

    Broadcom Employee
    Posted May 04, 2018 04:06 PM

    Yes, it confirms that it is a compatibility issue and got addressed since IDM 12.6.5.

     

    CA Identity Manager 12.6 SP5 Latest Cumulative Release Download - CA Technologies 

     

    21975898-01141152 IM Server: Siteminder password policy redirecting to IM password services, fails with token errors.

     

    It does not look like a new integration. Are you upgrading your SSO environment alone? If yes, I would suggest you stay with the old version of the webagent (whatever it is, even 6.x), as we have backward compatibility with the policy servers, until you upgrade your IDM. Having said that, this will not stop you from upgrading your Policy Server.

     

    Let me know if your use case is different or if you have further questions on this.

     

    A side note:

    IDM 12.6.4 - EOS is OCT-2018; you may need to consider upgrading it to IDM 14.2, which is the most recent.



  • 8.  Re: getUserFromSMTOKEN fails with Exception getting administrator

    Broadcom Employee
    Posted May 06, 2018 07:10 PM

    Yes, this looks about the right time scale for the issue we debugged - thanks Ashok. Cheers - Mark