Symantec Access Management

Tech Tip : CA Single Sign-On : Connection from PS to AD LDS userStore for authentication


    Broadcom Employee
    Posted 11-30-2018 07:10 AM

    Question:

     

    We'd like to know if the Policy Server can understand and map the
    return codes from LDAP AD-LDS into SiteMinder smauthreason codes?

     

    Answer:

     

    Indeed, the Policy Server is capable of that out of the box.

    However, be aware of the known issues in this area. Before CR06,
    the Policy Server had problems mapping the return codes from AD to
    the correct smauthreason, which, among other things, allowed
    disabled users to log in.

    We therefore recommend that you first upgrade the Policy Server, Policy
    Store and AdminUI to the latest 12.52SP1CR09 version:

     

    Defects Fixed in 12.52 SP1 CR09

     

    00919679 DE335297
    Policy Server incorrectly recognizes AD LDS user store as AD user store.

     

    00882334 DE326287
    Policy Server fails to log in users with AD LDS as the user directory.

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr09

     

    Defects Fixed in 12.52 SP1 CR08

     

    00366537 DE172890
    After unlocking a user account, Policy Server fails to allow the user to log in to the application in the first attempt.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr08

     

    Defects Fixed in 12.52 SP1 CR05

     

    00250192 DE101595
    The Authreason codes from Policy Server are not the same as the AD response irrespective of the status of isADEnhanced.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr05

     

    Defects Fixed in 12.52 SP1 CR04

     

    Policy Server Logs in a Locked Out User
    Policy Server allows the log in of a locked out user when the Enhanced AD integration is enabled.

    STAR Issue: 00177871

    RTC Issue: 163151/DE106953

     

    Issue with Password Attributes
    User experiences issues with the "Password expires from inactivity" and "Password expires if not changed: After Days".

    STAR Issue: 00100029

    RTC Issue: 157066/DE76528

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr04

     

    Defects Fixed in 12.52 SP1 CR02

     

    SiteMinder Returns Incorrect Smauthreason Code (139126) / (158072)
    Symptom:

    CA Single Sign-On returns smauthreason code 0 when illegal characters are found in username.

    Solution:

    This issue has been fixed. CA Single Sign-On now returns smauthreason code 55 when illegal characters are found in username.

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr02

     

    Moreover, AD-LDS should return the same codes as AD, since AD-LDS is
    based on the same technology as AD:

     

    Active Directory Lightweight Directory Services

     

    Uses the same directory service technology as AD DS. There is a
    common framework for both the network operating system (NOS)
    services of AD DS and the application services of AD LDS, which
    increases reusability of design and code.

     

    https://docs.microsoft.com/en-us/previous-versions/windows/server-2008/bb897400(v=msdn.10)

     

    Finally, further documentation about the return codes from AD and
    their mapping to the smauthreason codes is available here:

     

    Policy Server :: Disable Flag : SmAuthReason

    https://comm.support.ca.com/kb/policy-server-disable-flag-smauthreason/kb000049509


    KB : KB000122168