Symantec Access Management

  • 1.  Change password using smpwservices.fcc

    Posted Jun 13, 2016 10:35 AM

    Using Basic Password services,

    Developed an HTML form that does the POST (Old Password + NEW password + CONFIRM Password) to the smpwservices.fcc

    Can we bypass the Old password and only post the NEW and CONFIRM password?

    Idea is,

    When the user enters his credentials, Password policy is triggered and he is redirected to the change password page.

    I don't want the user to enter his Current Password again in the change password form.

    I tried with an HTML form posting to smpwservices.fcc without the Current password and it didn't work.

    For valid authentication, do we require both username + old_password? Is there a way to bypass the Old password in the Change password page?

    Thanks.



  • 2.  Re: Change password using smpwservices.fcc
    Best Answer

    Posted Jun 14, 2016 11:11 AM

    There is no way we should bypass the old password.

     

    It is a security check. Before the New Password is updated, SiteMinder checks the authenticity of the user changing the password by authenticating the user using USERNAME and OLDPASSWORD. Only if the OLDPASSWORD matches for the USERNAME in the Identity Store does SiteMinder update the NewPassword.

    The User Enters his username and password in login page.

    The User enters his username and old password in change password page.

    These are 2 independent transactions. SiteMinder does not store the password on its side. So the application needs to store it securely and replay it after collecting the New Password. That's the only way I see this done.



  • 3.  Re: Change password using smpwservices.fcc

    Broadcom Employee
    Posted Jun 14, 2016 12:59 PM

    Right - for security reasons you should not bypass the old password; also, SSO does not have the ability to do so.



  • 4.  Re: Change password using smpwservices.fcc

    Posted Jun 14, 2016 02:29 PM

    Thanks, Dennis, for the valuable information.

    When the user enters the wrong Old Password and follows the rules set in the password policy for changing the password, no error message is displayed to the user.

    Do we need to display this error manually by checking the password data, or will the SMUSRMSG cookie display this error?

    All remaining errors are displayed appropriately by the SMUSRMSG cookie.

    Is there any registry entry that I need to set for this scenario to display the error message to the user?

    Thanks.



  • 5.  Re: Change password using smpwservices.fcc

    Posted Jun 16, 2016 12:30 AM

    Hi Krishna,

     

    Please try the following:

    Enable the DisallowForceLogin registry key, which is located at HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer.

    DisallowForceLogin

    Redirects users to the Password Change Information screen to re-enter the current password when the change request contains an invalid current password.

    KeyType: REG_DWORD

    Value: 0 (disabled) or 1 (enabled)

    Default: 0 (disabled)

    Regards,

    Ujwol Shrestha



  • 6.  Re: Change password using smpwservices.fcc

    Posted Jun 20, 2016 07:34 PM

    Hi Krishna chaitanya dhanekula,

    How did you go about this?

    Regards,

    Ujwol



  • 7.  Re: Change password using smpwservices.fcc

    Posted Jun 16, 2016 01:49 AM

    Hi Krishna,

    If you want to display an error message, you can make use of smpwservices.unauth, which is located in the same path as smpwservices.fcc. In smpwservices.fcc, specify @smretries, which specifies the maximum number of login attempts allowed.

    If the user exceeds the retries, it will redirect to smpwservices.unauth. You can customize smpwservices.unauth with the error message that you want to display.

    Hope this helps.

    Regards,

    Kar Meng