Password expired in Active Directory allows Authentication and Authorization

Document ID:  TEC1618076
Last Modified Date:  06/16/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1

Components

  • SITEMINDER -POLICY SERVER:SMPLC
Issue:

In a Policy Server 12.52 SP1 CR1 with a Microsoft Active Directory 2008 User Directory, enhanced AD integration enabled and the LDAP namespace, we expect a login with an expired password to be redirected to the password change page. Instead, when we log in with the expired password, we are successfully authenticated and authorized, and no redirection to the password change page takes place. How can we fix this?


Environment:

  • Policy Server 12.52 SP1 CR1
  • User Directory: Microsoft Active Directory 2008, enhanced AD integration enabled, LDAP namespace used
  • Fine-grained password policy used on AD, with the user's account password expired in AD, so that the user attributes are set as follows:
      ◦ msDs-User-Account-Control-Computed = (Password_Expired)
      ◦ userAccountControl = 0x200 (Normal_Account)
Cause:

It was found that there is special handling for this Password Expired case (LDAP bind error data 532) and, from the code, a redirection to the password change page is expected, but it is NOT happening. The caller of this function ignores the nReason returned here and authenticates the user based only on the Boolean return value (true).

Resolution:
In order to support the AD password policy and send the exact authreasons as received from AD, a new registry key has been added:

ADPasswordPolicyPrioritySet under HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

ADPasswordPolicyPrioritySet Type: DWord Value: 1 for enable, 0 for disable

When this registry value is set to 1, the AD password policy is activated at the Policy Server so that it sends the authreasons accordingly.

This new key is available from Policy Server 12.52 SP1 CR05.
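The following PowerShell is an added example, not part of this CA document: it records the current state of ADPasswordPolicyPrioritySet, enables it with the path, type and value given above, and optionally confirms that a test account really is in the Password_Expired state the document describes. It assumes an elevated session on a Policy Server at 12.52 SP1 CR05 or later, the RSAT ActiveDirectory module for the optional check, and a placeholder account name (`$testUser`).

```powershell
# Added example (not CA's own code). Run elevated on the Policy Server host.
$keyPath   = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider'
$valueName = 'ADPasswordPolicyPrioritySet'

function Get-AdPasswordPolicyPriority {
    # Returns the current DWORD, or $null when the value has never been created.
    # Absent behaves like 0 (disabled): an expired password is still authenticated
    # and authorized instead of being redirected to the password change page.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Enable-AdPasswordPolicyPriority {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # DWord type and value 1 (enable) are the settings the document specifies.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Optional pre-check of the AD side, independent of the registry change.
# 0x800000 is the documented ADS_UF_PASSWORD_EXPIRED bit of the constructed
# attribute msDS-User-Account-Control-Computed (the value the document lists as
# "Password_Expired"); the bit value itself is not stated in the document.
function Test-AdPasswordExpired([string] $samAccountName) {
    $u = Get-ADUser -Identity $samAccountName `
         -Properties 'msDS-User-Account-Control-Computed', 'userAccountControl'
    $computed = [int64] $u.'msDS-User-Account-Control-Computed'
    return (($computed -band 0x800000) -ne 0)
}

$before = Get-AdPasswordPolicyPriority
if ($before -eq 1) {
    Write-Host "$valueName is already enabled (1)"
} else {
    $shown = if ($null -eq $before) { '<absent>' } else { $before }
    Write-Host "$valueName before: $shown"
    Enable-AdPasswordPolicyPriority
    Write-Host "$valueName after:  $(Get-AdPasswordPolicyPriority)"
    # The document does not say whether a restart is required; assume the Policy
    # Server service must be restarted for the LDAPProvider key to take effect.
}

$testUser = 'PLACEHOLDER-TEST-ACCOUNT'   # hypothetical account used for verification
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Write-Host "$testUser password expired in AD: $(Test-AdPasswordExpired $testUser)"
}
```

After enabling the value, a test login with the expired account should now be redirected to the password change page rather than being authenticated and authorized.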
