Layer7 Access Management


AD Password Services problems after upgrading to R12.52 SP01 CR05 and CR06

  • 1.  AD Password Services problems after upgrading to R12.52 SP01 CR05 and CR06

    Posted 11-16-2016 11:10 AM

    Some clients have reported Active Directory Password Services problems after upgrading to R12.52 SP01 CR05 and CR06.

    Depending upon the password policy used, the configuration settings and what customization might already be in place, the following use case scenarios may be observed:

    Use case: User has an expired password but is not prompted for a password change; the user just goes back to the login page.

    Use case: Locked out account still allows users to try credentials.

    Use case: During the password change process, if the new password given does not meet the minimum 8 character limit enforced by AD policy, SMAUTHREASON shows 1 every time in smaccess.log except on initial access of the login page (smauthreason 0).

    Use case: The password change process has to be done two times (instead of one) before the user can log in again.

    The first password change always fails. Some report seeing that SiteMinder is getting SMAUTHREASON=1.

    If you encounter similar problems, please engage with CA support; a dev fix might be provided, which includes replacement of a few Policy Server library files.

     

    1.      Is the issue applicable to only AD user store or others as well?

    Yes, this is applicable only for an AD user store and when password policy is enabled at AD. The code that is affected is completely based on the AD error codes received.

    2.      Issue applicable from CR5 or CR6 onwards?

    Correct. As explained, there was an issue with redirection that was affected and is addressed with 12.52 SP01 CR06 + Devfix.

    3.      What are all the possible failing scenarios, any workaround, root cause?

    Please refer to Table #2. These are the scenarios affected.

     

    There has been a new change since 1252 SP01 CR05 and CR06 that is affecting the AD Password Services, as part of a code effort to get an appropriate smauthreason codes enhancement.

     

    Table #1

    | AD Error code | AD Error                   | 1252 SP01 CR04 SMAUTHREASON  | After 1252 SP01 CR05 with Fix                 |
    |---------------|----------------------------|------------------------------|-----------------------------------------------|
    | 533           | ERROR_ACCOUNT_DISABLED     | Sm_Api_Reason_UserDisabled 7 | Sm_Api_Reason_UserDisabled 7                  |
    | 775           | ERROR_ACCOUNT_LOCKED_OUT   | Sm_Api_Reason_UserDisabled 7 | Sm_Api_Reason_ExcessiveFailedLoginAttempts 24 |
    | 532           | ERROR_PASSWORD_EXPIRED     | Sm_Api_Reason_PwMustChange 1 | Sm_Api_Reason_PwExpired 19                    |
    | 773           | ERROR_PASSWORD_MUST_CHANGE | Sm_Api_Reason_PwMustChange 1 | Sm_Api_Reason_PwMustChange 1                  |

     

    With these changes, redirection of pages in the change password case is impacted. With the complete fix, 12.52 SP01 CR06 + Devfix should work as per the table below.

     

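    R12.52 SP1 CR06 Build#2204 + DEVFIX

    | AD Error                       | Enhance Active Directory Integration enabled: SmauthReason | Enhance Active Directory Integration enabled: Redirection | Enhance Active Directory Integration Disabled: SmauthReason | Enhance Active Directory Integration Disabled: Redirection |
    |--------------------------------|------------------------------------------------------------|-----------------------------------------------------------|-------------------------------------------------------------|------------------------------------------------------------|
    | 533 ERROR_ACCOUNT_DISABLED     | Sm_Api_Reason_UserDisabled 7                               | Redirected to smpwservices.fcc                            | Sm_Api_Reason_UserDisabled 7                                | Redirected to smpwservices.fcc                             |
    | 775 ERROR_ACCOUNT_LOCKED_OUT   | Sm_Api_Reason_ExcessiveFailedLoginAttempts 24              | Redirected to smpwservices.fcc                            | Sm_Api_Reason_ExcessiveFailedLoginAttempts 0                | Redirected to login.fcc                                    |
    | 532 ERROR_PASSWORD_EXPIRED     | Sm_Api_Reason_PwExpired 19                                 | Redirected to smpwservices.fcc                            | Sm_Api_Reason_PwExpired 0                                   | Redirected to login.fcc                                    |
    | 773 ERROR_PASSWORD_MUST_CHANGE | Sm_Api_Reason_PwMustChange 1                               | Redirected to smpwservices.fcc                            | Sm_Api_Reason_PwMustChange 1                                | Redirected to smpwservices.fcc                             |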
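
Added example, not part of the original post and not CA code: a post-upgrade check that compares results recorded from test logins against the SMAUTHREASON and redirection values in the post's tables. The observation records, their field names (`ad_error`, `smauthreason`, `redirect`) and the sample data are assumptions constructed for illustration.

```python
# Expected behaviour on R12.52 SP1 CR06 Build#2204 + DEVFIX, transcribed from
# the post. Key: AD error code. Value: {EADI enabled?: (SMAUTHREASON, redirect)}
# where EADI = "Enhance Active Directory Integration".
EXPECTED = {
    533: {True: (7, "smpwservices.fcc"), False: (7, "smpwservices.fcc")},
    775: {True: (24, "smpwservices.fcc"), False: (0, "login.fcc")},
    532: {True: (19, "smpwservices.fcc"), False: (0, "login.fcc")},
    773: {True: (1, "smpwservices.fcc"), False: (1, "smpwservices.fcc")},
}
# SMAUTHREASON per AD error on 1252 SP01 CR04 (Table #1), to recognise old behaviour.
CR04_REASON = {533: 7, 775: 7, 532: 1, 773: 1}


def check(observations, eadi_enabled):
    """Return (ad_error, message) findings for results that deviate from the table.

    observations: dicts with hypothetical keys ad_error, smauthreason, redirect,
    one per test account (disabled, locked out, expired, must-change).
    """
    findings, seen = [], set()
    for ob in observations:
        code = ob["ad_error"]
        if code not in EXPECTED:
            findings.append((code, "AD error code not covered by the table"))
            continue
        seen.add(code)
        reason, redirect = EXPECTED[code][eadi_enabled]
        if ob["smauthreason"] != reason:
            hint = " (CR04 mapping)" if ob["smauthreason"] == CR04_REASON[code] else ""
            findings.append((code, f"SMAUTHREASON {ob['smauthreason']}{hint}, expected {reason}"))
        if ob["redirect"] != redirect:
            findings.append((code, f"redirected to {ob['redirect']}, expected {redirect}"))
    # A scenario that was never exercised is a gap in the check, so report it too.
    findings += [(c, "scenario not tested") for c in sorted(set(EXPECTED) - seen)]
    return findings


# Constructed sample: results recorded with EADI enabled.
SAMPLE = [
    {"ad_error": 533, "smauthreason": 7, "redirect": "smpwservices.fcc"},
    {"ad_error": 775, "smauthreason": 24, "redirect": "login.fcc"},
    {"ad_error": 532, "smauthreason": 1, "redirect": "login.fcc"},
]

if __name__ == "__main__":
    for code, message in check(SAMPLE, eadi_enabled=True):
        print(f"AD error {code}: {message}")
```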

     



  • 2.  Re: AD Password Services problems after upgrading to R12.52 SP01 CR05 and CR06

    Posted 10-25-2017 07:36 PM

    CA Only reference for this case: DE205706

    This defect is fixed in 12.52 SP1 CR8.

     

    From CR08 release notes:

    | 00474687, 00597575 | DE205706, DE237817 | Policy Server fails to prompt for a password change though the password has expired, and it accepts the credentials of the locked out user. |