Symantec Access Management


Unable to enable the self password change option.


  • 1.  Unable to enable the self password change option.

    Posted Aug 26, 2015 08:07 AM

    What I did here was create a hyperlink to the smpwservices in the after-login application page. And the hyperlink contained the SMAUTHREASON=34&SMAGENTNAME=iisSampleAgent. Now when I enable the password policy and try to log in, it's redirecting me to the unauthenticated user page. What could be the reason, and how do I fix it?



  • 2.  Re: Unable to enable the self password change option.

    Posted Aug 26, 2015 10:00 AM

    itzAmlan

     

    What does the Policy Server Trace Log say? Have we checked the Policy Server Trace log?

     

    Creating a Link is for User Initiated Password Change. This has no bearing on why Login won't work and is a separate flow.

     

    You do suggest that Password Policy has been enabled. Did we populate the UD Attributes? If we populated them, then make sure the smdisabled flag and passwordData fields are empty before first login (on first login they are populated by SiteMinder). Also ensure attributes that are listed as RW have Read / Write Access for Password Policies to work.

     

    2015-08-26 09_57_31-SiteMinder Administrative UI _ Modify User Directory_ ud_sjds7 - Opera.png

     

     

    Regards

     

    Hubert



  • 3.  Re: Unable to enable the self password change option.

    Posted Aug 26, 2015 01:50 PM

    No I didn't check the trace log.

     

    When I was enabling the password policies, I had to give the user directory on which the password policy would be enabled. Earlier I left the Password Data field blank. But when enabling the password policy it asked me to enter a value in the Password Data field so that the password policy could be saved, therefore I gave the name of the user directory up there.

    And since then the issue has happened.



  • 4.  Re: Unable to enable the self password change option.

    Posted Aug 26, 2015 01:56 PM

    Please check the Policy Server Trace log, it should suggest what is happening.

     

    You may use the below smtracedefault.txt to copy into your smtracedefault.txt; then enable trace logging.

     

    Snippet of C:\CA\siteminder\config\smtracedefault.txt

    components: AgentFunc/Init, AgentFunc/UnInit, AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/ChangePassword, AgentFunc/Validate, AgentFunc/Logout, AgentFunc/Authorize, Server/Policy_Server_General, IsProtected, Login_Logout, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC/Sql_Statement_Begin_End, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP/Ldap_Call_Begin_End, LDAP/Internal_Operation, LDAP/Ldap_Error_Messages, Fed_Server

    data: Date, PreciseTime, SrcFile, Function, TransactionName, Message, Data, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, Rule, ActiveExpr, Expression, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, AuthScheme, AuthReason, AuthStatus, Query

    version: 1.1

     

     

    Regards

     

    Hubert



  • 5.  Re: Unable to enable the self password change option.

    Posted Aug 26, 2015 01:53 PM

    You said that upon the first login the fields Disabled Flag and Password Data should be auto-populated with values. Therefore, I need not give them a value of my own?



  • 6.  Re: Unable to enable the self password change option.

    Posted Aug 26, 2015 01:58 PM

    Correct itzAmlan

     

    However if for some reason those fields in the UserStore already are populated even before we defined them in SM User Directory Object; then there could be a problem.

     

    For e.g. I define the following - then 'userstatus' field and 'pwdData' field in backend userstore should be BLANK when I am defining it.

     

    Capture.JPG

     

    Regards

     

    Hubert
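
    The pre-check described in the replies above (Disabled Flag and Password Data attributes must be blank in the backend store before first login) can be run against an LDIF export of the user branch. This is an added example, not part of the original thread and not CA/Symantec code; the attribute names `userstatus` and `pwdData` come from the example in the reply above, and the LDIF sample, DNs and function names are constructed for illustration.

```python
import base64

# 'userstatus' (Disabled Flag) and 'pwdData' (Password Data) are the names used
# in this thread's example; use the names your User Directory object maps.
ATTRS = ("userstatus", "pwdData")

# Constructed sample export, for illustration only.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userstatus:
pwdData:

dn: uid=bob,ou=people,dc=example,dc=com
userstatus: 0
pwdData:: c3RhbGU=

dn: uid=carol,ou=people,dc=example,dc=com
pwdData: stale-
 value
"""

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}, handling folded and base64 lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # RFC 2849 continuation line
        elif not line.startswith("#"):
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        name, _, rest = line.partition(":")
        b64 = rest.startswith(":")        # "attr:: <base64>"
        value = base64.b64decode(rest[1:]).decode("utf-8", "replace") if b64 else rest.strip()
        if not line.strip():
            current = None                # blank line ends the entry
        elif name.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(name.lower(), []).append(value)
    return entries

def prepopulated(text, attrs=ATTRS):
    """Map each DN to the password-services attributes that already hold data."""
    findings = {}
    for dn, entry in parse_ldif(text).items():
        hit = [a for a in attrs if any(entry.get(a.lower(), []))]
        if hit:
            findings[dn] = hit
    return findings
```

    Any DN returned by `prepopulated()` holds data in one of the mapped attributes before SiteMinder has written to it, which is the condition the reply above warns about.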



  • 7.  Re: Unable to enable the self password change option.

    Posted Aug 27, 2015 09:06 AM

    Hi Hubert,

     

    In my case, the trace log is not populating any data. I haven't checked it before even. But while configuring the ACO, I entered the parameters for the tracefile : TraceAppend : yes ; TraceFile : Yes ; TraceFileName : C:\Logs\WebAgentTrace.log. The web agent log file is getting populated with data, but not the TraceFile.

     

    Also, in the User Directory, I tried emptying the Disabled Flag and the Password Data fields, and then logged into the application. But I don't get what you mean by defining the Disabled Flag and Password Data in the backend store. I am using JXplorer for the user directory. So where do I need to define these two attributes?



  • 8.  Re: Unable to enable the self password change option.

    Posted Aug 27, 2015 12:39 PM

    itzAmlan

     

    Did you set TRACECONFIG File? For WebAgent it should point to <WebAgent_install_home>/config/WebAgentTrace.conf.

     

    Make TraceAppend=No

     

    See an example below from SecureProxyServer ACO.

     

    2015-08-27 12_37_43-mRemoteNG - confCons.xml.png



  • 9.  Re: Unable to enable the self password change option.

    Posted Aug 28, 2015 02:24 PM

    Hi Hubert,

     

    It happened to be like, after I enabled profiling the trace log is getting populated with data. But I was not able to grasp much from the trace log. Could you just help me understand, how to troubleshoot using the trace log?

     

    On the other hand, in the directory structure (LDAP) I created two attributes for the user, by assigning them values. And explicitly defined those parameters as the blob parameters in the UserStore. Now I am not getting any unauthentication error while entering the application page. But when I am clicking on change password, it's redirecting me to an error page - HTTP error 500.

    I searched for the same, and found that if I protect the target for the smpwservices page, it would redirect me to the smpwservices page upon clicking on the change password.

    Since I have not tried protecting the target page, could you please tell me whether I am going correct or not.

     

    Thanks!



  • 10.  Re: Unable to enable the self password change option.
    Best Answer

    Posted Aug 28, 2015 02:53 PM

    itzAmlan

     

    First we need to start looking at one issue at one time. Use one thread to discuss on particular issue. As I see we are discussing two different issues but both related to Password Services.

     

    Issue-1 : When we enable Password Policy, after this the login journey is failing. Users are getting redirected to the unauthenticated page.

     

    Issue-2 : When we click on User Initiated Password Link page, it is redirecting you to an error i.e. HTTP 500.

     

     

    Could we concentrate on ISSUE-1 and resolve that first, as ISSUE-1 is crucial for ISSUE-2 resolution i.e. ISSUE-1 has to be resolved first.

     

     

     

    Now speaking specifically about ISSUE-1.

     

    NOTE : This is a public forum, hence any information you share would be visible to the forum. Hence only do so if it is Demo Env or Dev. If it is Production Env, you'd be better off raising a support ticket with CA for CA Support Engg to look into your Env.

     

    - What make / version is your User Store ?

    - Could you insert an image of the User Directory Object from WAM UI?

    - Could you insert an image of the Password Policy Object (first two tabs) from WAM UI?

    - Could you attach your trace.log zip file?

     

     

    About ISSUE-2.

     

    Kindly protect the TARGET for now. We'll get ISSUE-1 working, then check this.

     

     

     

     

    Regards

     

    Hubert



  • 11.  Re: Unable to enable the self password change option.

    Posted Aug 27, 2015 10:19 AM

    Hi Hubert,

     

    I checked the following post : https://wiki.ca.com/display/sm1252sp1/Configure+the+Policy+Server+Profiler . But I still couldn't get where I could enable the profiler. Please help.



  • 12.  Re: Unable to enable the self password change option.

    Posted Aug 27, 2015 12:36 PM

    itzAmlan

     

    smconsole

     

    2015-08-27 12_35_26-mRemoteNG - confCons.xml.png



  • 13.  Re: Unable to enable the self password change option.

    Posted Aug 27, 2015 01:30 PM

    Hi Hubert,

     

    But I don't see any such console. Is the console available via the admin UI? The version of the admin UI is 12.52, and the version of the policy server is 12.51.



  • 14.  Re: Unable to enable the self password change option.

    Posted Aug 27, 2015 01:46 PM

    What OS is your policy server installed on? If it is Windows, open a run prompt and type 'smconsole' then hit enter. If it is non-Windows you'd need X11 forwarding enabled to present the smconsole UI.



  • 15.  Re: Unable to enable the self password change option.

    Posted Aug 31, 2015 07:19 AM

    Hi Hubert,

     

    Here is what I did :

     

    passwd successful changed page - protected.PNG

    I created a realm for the password successfully changed message page. And added the web agent actions rule [GET, POST] to this realm (see below).

    realm-rule web agent action to protect the password change confirmation page.PNG

    created a new policy for self password change.PNG

    Created a new policy for the self password change.

    add all users under this policy.PNG

    Added all users under this policy.

    add the password realm under the new domain policy.PNG

    Added the self password change realm under this policy.

    password policy enabled.PNG

    Went to the Password Policies, and gave the redirection URL.

     

    Now in the application page, from where the user has the option to Change Password. I gave the url : http://localhost/siteminder/forms/smpwservices1.fcc?SMAUTHREASON=34&SMAGENTNAME=iis_agent&TARGET=http://localhost/pswdchng/index.htm

     

    But now it is getting redirected to a blank page.

     

    Where did I go wrong?



  • 16.  Re: Unable to enable the self password change option.

    Posted Aug 31, 2015 08:26 AM

    I think like, I have made something wrong in the authentication scheme. I have used html form template. Do I need to use any other authentication scheme?



  • 17.  Re: Unable to enable the self password change option.

    Posted Sep 01, 2015 08:05 AM

    Thanks Hubert. The issue got resolved.