Symantec Access Management

Tech Tip : CA Single Sign-On :: Policy Server::x509 Cert mapping case sensitive

By Ujwol posted 07-22-2016 01:34 AM



When using x509 certificate authentication scheme, the certificate mapping is case sensitive if custom expression mapping is used.


For e.g let's say the mapping is using custom expression as below :

mail = %{E}



The certificate itself has the email address in lowercase as below:

However, if the user email address is Mixed case or UPPERCASE on the directory as below :



Then, the authentication fails with the following error on the policy server trace logs :

[SmAuthCert.cpp:6081][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Mismatch of attribute values][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[SmAuthCert.cpp:6365][SmAuthenticate][][][][CN=Kelly Wong,CN=Users,DC=ad,DC=lab][][][][][][][][][][][][][][][][][Authentication failed][][][][][][][][][][CN=Kelly Wong,CN=Users,DC=ad,DC=lab][][][][][][][][][][][][][][][][][][][][][][][][][][][][]


  • Policy Server : R12.51 CR10, R12.52 SP1 CR7, 12.6 SP2, 12.7
  • User Store : ANY LDAP


This is a known defect and engineering is working on to fix the issue.



This issue has been identified only while using custom mapping.

This issue is not there if using "Single Attribute" mapping as below.

While using "Single Attribute" certificate mapping, search is case insensitive so it works as expected.



Current Status (25/09/2017) :

The issue is still not fixed until following version :

  • R12.51 CR10
  • R12.52 SP1 CR7
  • 12.6 SP2
  • 12.7

The issue is fixed in :

  • 12.7 SP1

(Please open support ticket if an urgent fix is required)


Additional Information:

While using custom expression mapping, you will also need to set following registry :

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer, and open EnableCustomExprOnly=1

1 view



09-19-2016 06:37 PM

07-25-2016 06:23 PM

CA Internal reference #DE103045