AD password expired with siteminder change password service

Document ID : KB000053643
Last Modified Date : 14/02/2018

Description

Customer Environment:

OS: Windows 2003
PS: 6.0 SP5 CR15
User directory: AD in AD namespace
No password policy is defined in SiteMinder.

Problem:

A GPO on Active Directory restricts the password lifetime to 6 months. User account passwords expire in AD after that period.

The customer would like to recognize users who log in after their password has expired and redirect them to a change password page.

The customer reports that in CR15 this function does not work.

Solution

We tested CR22 in the lab: with the AD user password in the expired state, the user is directed to the password services page by default. If Enhanced AD integration is enabled and the user attributes are mapped, no SiteMinder password policy is required.

The Enhanced Active Directory Integration global setting, in the SiteMinder Global Settings dialog box, is available from the Policy Server User Interface. This option improves the integration between the Policy Server's user management feature and Password Services with Active Directory.

This enhancement synchronizes Active Directory user attributes with SiteMinder mapped user attributes.

See details in the Policy Server Management Guide.

However, if the AD user account itself is expired, the SiteMinder admin UI console shows the AD user as "Disabled - directory native". At this point there is nothing SiteMinder can do about it: the state is tied to AD native settings, which must be cleared by an AD administrator.
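The distinction above matters for the redirect logic: an expired password is something a change password service can recover, while a disabled or natively expired account is not. As an added illustration (not code from the KB article or from SiteMinder), the following Python reproduces how those states are derived from the raw AD attributes that Enhanced AD integration synchronizes: pwdLastSet and accountExpires are FILETIME tick counts, the domain's maxPwdAge is a negative tick count (Int64.MinValue meaning "no maximum"), pwdLastSet of 0 means "must change at next logon", and the userAccountControl bits flag a disabled account or a never-expiring password. The 180-day lifetime stands in for the six-month GPO mentioned in the problem description, and the sample users are constructed, not real data.

```python
"""Classify AD user state from raw LDAP attribute values the way a login
gateway must: recoverable expired password vs. directory-native block.
All sample users and the 180-day lifetime below are constructed."""
from datetime import datetime, timedelta, timezone

# AD time attributes count 100-nanosecond ticks from 1601-01-01 UTC (FILETIME)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10

# userAccountControl flag bits
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Domain maxPwdAge is a negative tick count; Int64.MinValue means "no maximum age"
MAX_PWD_AGE_NEVER = -(2 ** 63)
# accountExpires values that mean "the account never expires"
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """When the password expires: None if never, FILETIME_EPOCH if it must be
    changed at next logon (pwdLastSet == 0), otherwise pwdLastSet + lifetime."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    if max_pwd_age == MAX_PWD_AGE_NEVER:
        return None
    # maxPwdAge is stored negative, so negating it yields the lifetime in ticks
    lifetime = timedelta(microseconds=(-max_pwd_age) // TICKS_PER_MICROSECOND)
    return filetime_to_datetime(pwd_last_set) + lifetime


def classify(user: dict, max_pwd_age: int, now: datetime) -> str:
    """'password-expired': redirect to the change password page.
    'directory-native': disabled or account expired in AD; only an AD admin can clear it.
    'ok': let the login proceed."""
    uac = user["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return "directory-native"
    acct_exp = user.get("accountExpires", 0)
    if acct_exp not in ACCOUNT_NEVER_EXPIRES and filetime_to_datetime(acct_exp) <= now:
        return "directory-native"
    expiry = password_expiry(user["pwdLastSet"], max_pwd_age, uac)
    if expiry is not None and expiry <= now:
        return "password-expired"
    return "ok"


# Constructed evaluation time and a 180-day domain password lifetime (assumption)
NOW = datetime(2018, 2, 14, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -(180 * 24 * 3600 * 10 ** 7)


def _ft_days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))


# Constructed sample users (hypothetical names and attribute values)
SAMPLE_USERS = {
    "alice": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _ft_days_ago(200), "accountExpires": 0},
    "bob":   {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _ft_days_ago(30), "accountExpires": 0},
    "carol": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": 0, "accountExpires": 0},
    "dave":  {"userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
              "pwdLastSet": _ft_days_ago(400), "accountExpires": 0x7FFFFFFFFFFFFFFF},
    "erin":  {"userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
              "pwdLastSet": _ft_days_ago(10), "accountExpires": 0},
    "frank": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _ft_days_ago(10),
              "accountExpires": _ft_days_ago(1)},
}


def classify_all(users=SAMPLE_USERS, max_pwd_age=MAX_PWD_AGE, now=NOW) -> dict:
    return {name: classify(u, max_pwd_age, now) for name, u in users.items()}


if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:6} {state}")
```

Only alice (lifetime elapsed) and carol (must change at next logon) fall into the redirectable state; erin and frank are the "Disabled - directory native" cases the article says SiteMinder cannot act on, and dave shows why the never-expire flag has to be checked before doing any date arithmetic.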

The key points are:

AD in AD namespace

Enhanced AD integration is enabled.

User attributes are mapped under SiteMinder user directory setting.

A SiteMinder password policy is not strictly required; the change password service exists with or without it.