Question:
We'd like to know if the Policy Server can understand and map the
return codes from LDAP AD LDS into SiteMinder smauthreason codes?
Answer:
Indeed, the Policy Server is capable of that out of the box.
But you have to pay attention to the existing issues on this
topic. Before CR06, the Policy Server had an issue mapping the
return codes from AD into the correct smauthreason, which, among
other things, allowed a disabled user to log in.
As such, we recommend that you first upgrade the Policy Server, Policy
Store and AdminUI to the latest 12.52 SP1 CR09 version:
Defects Fixed in 12.52 SP1 CR09
00919679 DE335297
Policy Server incorrectly recognizes AD LDS user store as AD user store.
00882334 DE326287
Policy Server fails to log in users with AD LDS as the user directory.
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr09
Defects Fixed in 12.52 SP1 CR08
00366537 DE172890
After unlocking a user account, Policy Server fails to allow the user to log in to the application in the first attempt.
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr08
Defects Fixed in 12.52 SP1 CR05
00250192 DE101595
The Authreason codes from Policy Server are not same as the AD response irrespective of the status of isADEnhanced.
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr05
Defects Fixed in 12.52 SP1 CR04
Policy Server Logs in a Locked Out User
Policy Server allows the log in of a locked out user when the Enhanced AD integration is enabled.
STAR Issue: 00177871
RTC Issue: 163151/DE106953
Issue with Password Attributes
User experiences issues with the "Password expires from inactivity" and "Password expires if not changed: After Days".
STAR Issue: 00100029
RTC Issue: 157066/DE76528
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr04
Defects Fixed in 12.52 SP1 CR02
SiteMinder Returns Incorrect smauthreason Code (139126) / (158072)
Symptom:
CA Single Sign-On returns smauthreason code 0 when illegal characters are found in the username.
Solution:
This issue has been fixed. CA Single Sign-On now returns smauthreason code 55 when illegal characters are found in the username.
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr02
Moreover, AD LDS should return the same codes as AD, since AD LDS is
based on the same technology as AD:
Active Directory Lightweight Directory Services
Uses the same directory service technology as AD DS. There is a
common framework for both the network operating system (NOS)
services of AD DS and the application services of AD LDS, which
increases reusability of design and code.
https://docs.microsoft.com/en-us/previous-versions/windows/server-2008/bb897400(v=msdn.10)
Finally, you'll find further documentation here about the return codes
from AD and their mapping to the smauthreason codes:
Policy Server :: Disable Flag : SmAuthReason
https://comm.support.ca.com/kb/policy-server-disable-flag-smauthreason/kb000049509
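Added example, not code from the KB article or from CA: it shows the input side of the mapping the answer describes, i.e. how the reason behind an AD / AD LDS bind failure is extracted from the "data NNN" field of the LDAP diagnostic message. The hex data codes are Microsoft's documented AD bind-failure codes; the outcome labels and the sample responses are constructed for this example, and the real smauthreason numbers must be taken from KB000049509 linked above, not from this code.

```python
import re

# Microsoft AD and AD LDS reject a simple bind with LDAP result 49
# (invalidCredentials) and put the real reason in the "data NNN" field of the
# diagnostic message. The hex data codes below are Microsoft-documented; the
# outcome labels are this example's own, not Policy Server smauthreason values.
AD_DATA_CODES = {
    0x525: "unknown_user",
    0x52E: "wrong_password",
    0x530: "logon_time_restriction",
    0x531: "workstation_restriction",
    0x532: "password_expired",
    0x533: "account_disabled",
    0x701: "account_expired",
    0x773: "password_must_change",
    0x775: "account_locked_out",
}

# Outcomes where the account state, not the credential, caused the denial.
# Collapsing these into a plain "bad password" is the failure the KB warns about.
ACCOUNT_STATE_DENIALS = {
    "account_disabled", "account_locked_out", "account_expired",
    "password_expired", "password_must_change",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9A-Fa-f]+)\b")


def ad_bind_reason(result_code: int, diagnostic: str = "") -> str:
    """Map one AD / AD LDS bind response to an outcome label."""
    if result_code == 0:
        return "success"
    if result_code != 49:
        return "ldap_error_%d" % result_code
    m = _DATA_RE.search(diagnostic)
    if m is None:
        return "wrong_password"  # no data field: nothing more specific is known
    return AD_DATA_CODES.get(int(m.group(1), 16), "wrong_password")


# Constructed sample bind responses (result code, diagnostic message);
# the DSID values are placeholders, not taken from any real server.
SAMPLE_BINDS = [
    (0, ""),
    (49, "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1"),
    (49, "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 533, v1db1"),
    (49, "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1"),
]


def count_account_state_denials(binds):
    """Count denials caused by account state (disabled, locked, expired, ...)."""
    return sum(ad_bind_reason(rc, diag) in ACCOUNT_STATE_DENIALS for rc, diag in binds)
```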
KB: KB000122168