Some clients have reported Active Directory Password Services problems after upgrading to R12.52 SP01 CR05 and CR06.
Depending on the password policy in use, the configuration settings, and any customization already in place, the following use case scenarios may be observed:
use case: User has an expired password but is not prompted for a password change, and is simply returned to the login page.
use case: A locked-out account still allows users to try credentials.
use case: During the password change process, if the new password does not meet the minimum 8-character limit enforced by AD policy, SMAUTHREASON shows 1 every time in smaccess.log, except on initial access of the login page (SMAUTHREASON 0).
use case: The password change process has to be completed twice (instead of once) before the user can log in again.
The first password change always fails. Some report seeing SiteMinder get SMAUTHREASON=1.
If you encounter similar problems, please engage CA Support; a dev fix may be provided, which involves replacing a few Policy Server library files.
Yes, this is applicable only to an AD user store with the password policy enabled at AD. The affected code is based entirely on the AD error codes received.
Correct, as explained, there was an issue that affected redirection, and it is addressed with 12.52 SP01 CR06 + Devfix.
Please refer to Table #2. These are the scenarios affected.
A change made in 12.52 SP01 CR05 and CR06 affects AD Password Services. It was part of a code effort to enhance SMAUTHREASON handling so that the appropriate reason codes are returned.
AD Error code
1252 SP01 CR04 SMAUTHREASON
After 1252 SP01 CR05 with Fix
With these changes, page redirection during a password change is impacted. With the complete fix (12.52 SP01 CR06 + Devfix), redirection should work as per the table below.
R12.52 SP1 CR06 Build#2204 + DEVFIX
Enhance Active Directory Integration enabled
Enhance Active Directory Integration Disabled
Redirected to smpwservices.fcc
Redirected to login.fcc
CA-only reference for this case: DE205706
This defect is fixed in 12.52 SP1 CR8.
From the CR08 release notes:
Policy Server fails to prompt for a password change though the password has expired, and it accepts the credentials of the locked out user.