Policy Server with Active Directory and Password Policies interaction

Article ID: 48927

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

When the Policy Server runs with Active Directory as the User Store and Password Services is enabled, the native Active Directory password policy that prevents re-use of an old password is not applied when the user sets a new password through SiteMinder. The user can therefore set a previously used password on the SiteMinder side, but not when changing it directly in Active Directory.


Resolution

The problem comes from the fact that both password policies apply, i.e. the SiteMinder one and the Active Directory one.

First, consider that:

"The directory server's account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that." (1).

Second, the documentation states that the directory's native password policy must be disabled if SiteMinder is to manage passwords (2):

   "If you plan to implement password policies in your enterprise, consider the following items:

   - SiteMinder requires read/write access to the user directory, including exclusive use of several attributes within that directory to store passwords and password-related information.

   [...]

   - If your user directory has a native password policy, this policy must be less restrictive than the password policy or it must be disabled. Otherwise the native password policy accepts or rejects passwords without notifying SiteMinder. Therefore, SiteMinder cannot manage those passwords."

As SiteMinder depends on the behavior of the User Store, the attributes that the Policy Server manages in non-enhanced and AD-enhanced mode to run SiteMinder Password Services with Active Directory are listed in (3).

So, to handle expired passwords and the locked or disabled fields, match each Active Directory (AD) attribute with the corresponding SiteMinder one.
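The two points above (the native policy must be less restrictive than the SiteMinder one or disabled, and the AD status attributes must be matched to the SiteMinder ones) can be checked from the Active Directory side before a Password Services rollout. The following PowerShell is an added example, not code from this article or from CA/Broadcom. It assumes the RSAT ActiveDirectory module, a placeholder account `jdoe`, a SiteMinder "passwords remembered" value of 5 as the setting configured in the SiteMinder password policy, and a small helper `ConvertFrom-FileTime` defined here for illustration.

```powershell
# Added example, not part of the CA/Broadcom article: audit the Active Directory
# side of the SiteMinder Password Services interaction for one user.
#   1. Show the native password policy that actually applies to the user and warn
#      when its history count is stricter than the SiteMinder policy (the quoted
#      documentation: the native policy must be less restrictive or disabled).
#   2. Show the AD native status attributes (password age, lockout, disabled flag)
#      that the Policy Server maps to the SiteMinder ones; the directory's account
#      status takes precedence over anything SiteMinder configures.
# Assumptions: RSAT ActiveDirectory module, placeholder account 'jdoe', and a
# SiteMinder history length of 5 as the value set in the SiteMinder policy.
param(
    [string]$SamAccountName = 'jdoe',      # placeholder user to audit
    [int]$SiteMinderHistoryCount = 5       # assumed SiteMinder "passwords remembered" setting
)

Import-Module ActiveDirectory -ErrorAction Stop

# --- 1. Resultant native policy: a fine-grained policy (PSO) overrides the domain default.
$policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
$source = 'Fine-grained password policy'
if (-not $policy) {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'Default domain policy'
}

[pscustomobject]@{
    PolicySource         = $source
    PasswordHistoryCount = $policy.PasswordHistoryCount
    MinPasswordLength    = $policy.MinPasswordLength
    ComplexityEnabled    = $policy.ComplexityEnabled
    MinPasswordAge       = $policy.MinPasswordAge
    MaxPasswordAge       = $policy.MaxPasswordAge
    LockoutThreshold     = $policy.LockoutThreshold
} | Format-List

# A stricter native history count means AD can reject a re-used password without
# SiteMinder ever seeing the rejection (or accept one SiteMinder would refuse).
if ($policy.PasswordHistoryCount -gt $SiteMinderHistoryCount) {
    $msg = "Native PasswordHistoryCount ({0}) is stricter than the SiteMinder policy ({1}); " +
           "AD will accept or reject re-used passwords without notifying SiteMinder." -f
           $policy.PasswordHistoryCount, $SiteMinderHistoryCount
    Write-Warning $msg
}

# --- 2. Native status attributes the Policy Server maps to the SiteMinder ones.
$user = Get-ADUser -Identity $SamAccountName `
            -Properties pwdLastSet, lockoutTime, userAccountControl, PasswordExpired, LockedOut, Enabled

$ACCOUNTDISABLE = 0x2    # userAccountControl bit that disables the account in AD

function ConvertFrom-FileTime([long]$Value) {
    # Helper defined for this example: AD stores pwdLastSet and lockoutTime as
    # Windows FILETIME values; 0 means "not set".
    if ($Value -gt 0) { [DateTime]::FromFileTimeUtc($Value) } else { $null }
}

[pscustomobject]@{
    PwdLastSet      = ConvertFrom-FileTime $user.pwdLastSet   # $null => must change at next logon
    PasswordExpired = $user.PasswordExpired
    LockoutTime     = ConvertFrom-FileTime $user.lockoutTime  # $null => no native lockout recorded
    LockedOut       = $user.LockedOut
    DisabledBit     = [bool]($user.userAccountControl -band $ACCOUNTDISABLE)
    Enabled         = $user.Enabled
} | Format-List
```

Run it on a domain-joined host with RSAT installed, then compare the first listing against the SiteMinder password policy: every native value that is stricter than the SiteMinder setting is a case where AD decides without notifying SiteMinder. The second listing shows the native fields behind "expired", "locked" and "disabled"; if AD reports the account locked or disabled, the Policy Server cannot override that, as (1) states.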

Further reading:

When using Enhanced Active Directory Integration, some prerequisites need to be set (4).

Note that SiteMinder delivers Advanced Password Services (APS) modules that give finer management of SiteMinder Password Services with Active Directory (5)(6).

Additional Information

(1) User Store Disable Flag: Behavior among Active Directory AD and LDAP

(2) Password Policy Considerations

(3) Managed Active Directory (AD) native attributes in the Policy Server

(4) Enhanced Active Directory integration pre-requisites for Policy Server

(5) Microsoft Active Directories

    APS does support Microsoft Active Directory and this support is
    provided using its LDAP interface. However, because Active
    Directory deviates so extensively from the LDAP specification,
    APS contains a significant amount of special processing and thus
    Active Directory is discussed in its own section.

    APS supports Microsoft Active Directories running in LDAP mode
    only.

(6) Advanced Password Services Configuration

Attachments

1558534991865TEC589990.zip