Hi Marco,
Just a side note in that thread:
You mentioned:
"Is there a way to trigger password changes for expired passwords"
SiteMinder handles the status on the account state, not on the password
state. You added:
"When user has password expired it will be redirected to
smpwservices.fcc with smauthreason = 19. I tried also to use IAM
password service but the result is the same."
The account status should be set with a value that will trigger the
desired behavior, and there are some limitations. In order to have full
control over the behavior, you should configure SiteMinder and Active
Directory in order to have only active policies about password and
account status managed by SiteMinder.
ref.:
Policy Server :: Active Directory : Password Policies
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=48927
Further reading on the topic:
Integrating SSO with Microsoft Active directory
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=98912
I hope this helps,
Best Regards,
Patrick
Original Message:
Sent: 09-02-2019 03:18 PM
From: Marco Trucillo
Subject: Users with Expired Password can't Change their Password
Hi,
I have SiteMinder 12.8sp2. I use an Active Directory (w2K12) as UserStore. Active Directory has a password policy for expired passwords.
When a password expires in Active Directory, the user is redirected to smpwservices.fcc with smauthreason = 19 and gets a message that says that the password is expired and the user must contact the administrator.
If I manually set the pwdLastSet attribute to 0 for the user instead, the user is redirected to smpwservices.fcc with smauthreason = 20 and gets a form to change the password.
I tried to set a password policy in SiteMinder as well (the Disable user option is not set and the force password change option is set) but the behavior is the same. When user has password expired it will be redirected to smpwservices.fcc with smauthreason = 19.
I tried also to use IAM password service but the result is the same.
In my user directory configuration, I use a custom attribute for Password Data. But the behavior is the same even if I delete this mapping.
It seems that SiteMinder does not allow changing passwords when they expire in Active Directory.
1. What do you think?
2. Where am I going wrong?
3. Is there a way to trigger password changes for expired passwords?
Thanks in advance
Marco