Connection from PS to AD LDS userStore for authentication

Document ID : KB000122168
Last Modified Date : 30/11/2018
Question:
We'd like to know whether the Policy Server can understand the return codes from the AD LDS LDAP directory and map them into SiteMinder smauthreason codes.
Answer:
Indeed, the Policy Server is capable of that out of the box.

But you have to pay attention to a known issue on this topic. Before CR06, the Policy Server did not map the return codes from AD correctly into the corresponding smauthreason codes, which, among other things, allowed a disabled user to log in.

As such, we recommend that you first upgrade the Policy Server, Policy Store and AdminUI to the latest 12.52 SP1 CR09 version:

Defects Fixed in 12.52 SP1 CR09 

00919679 / DE335297: Policy Server incorrectly recognizes AD LDS user store as AD user store.

00882334 / DE326287: Policy Server fails to log in users with AD LDS as the user directory.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr09 


Defects Fixed in 12.52 SP1 CR08 

00366537 / DE172890: After unlocking a user account, Policy Server fails to allow the user to log in to the application on the first attempt.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr08 


Defects Fixed in 12.52 SP1 CR05 

00250192 / DE101595: The Authreason codes from Policy Server are not the same as the AD response, irrespective of the status of isADEnhanced.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr05 

Defects Fixed in 12.52 SP1 CR04 

Policy Server Logs in a Locked Out User 
Policy Server allows the log in of a locked out user when the Enhanced AD integration is enabled. 

STAR Issue: 00177871 

RTC Issue: 163151/DE106953 

Issue with Password Attributes 
User experiences issues with the "Password expires from inactivity" and "Password expires if not changed: After Days". 

STAR Issue: 00100029 

RTC Issue: 157066/DE76528 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr04 

Defects Fixed in 12.52 SP1 CR02 

SiteMinder Returns Incorrect Smauthreason Code (139126) / (158072)
Symptom:

CA Single Sign-On returns smauthreason code 0 when illegal characters are found in the username.

Solution:

This issue has been fixed. CA Single Sign-On now returns smauthreason code 55 when illegal characters are found in the username.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr02 

Moreover, AD LDS should return the same codes as AD, since AD LDS is based on the same technology as AD:

Active Directory Lightweight Directory Services 

Uses the same directory service technology as AD DS. There is a 
common framework for both the network operating system (NOS) 
services of AD DS and the application services of AD LDS, which 
increases reusability of design and code. 

https://docs.microsoft.com/en-us/previous-versions/windows/server-2008/bb897400(v=msdn.10) 
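As an added illustration (not part of this article or of the CA product), the following Python check looks at the directory side of the mapping: AD DS and AD LDS report a failed bind as LDAP result 49 plus a `data` sub-code in the diagnostic message, and that sub-code is what distinguishes a disabled or locked account from a plain wrong password. The sample bind results are constructed; the translation of these conditions into numeric smauthreason values is done by the Policy Server and is not reproduced here.

```python
import re
from typing import Optional

# Well-known "data" sub-codes that AD DS and AD LDS append to an LDAP
# invalidCredentials (49) bind result. AD LDS shares this behaviour with AD DS.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the "data 533" token inside the AD-style diagnostic message.
_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def extract_subcode(diagnostic: str) -> Optional[str]:
    """Return the hex sub-code from an AD/AD LDS bind diagnostic, or None."""
    m = _SUBCODE_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def classify_bind_failure(result_code: int, diagnostic: str) -> str:
    """Map an LDAP result code plus its diagnostic text to a named condition.

    Result 49 alone does not tell a disabled or locked account apart from a
    wrong password; only the sub-code does. Other result codes are reported
    as-is so they are never silently folded into "bad password".
    """
    if result_code != 49:
        return f"ldap result {result_code}"
    sub = extract_subcode(diagnostic)
    if sub is None:
        return "invalid credentials (no sub-code)"
    return AD_BIND_SUBCODES.get(sub, f"unknown sub-code {sub}")


# Constructed sample bind results, in the shape AD DS / AD LDS return them.
SAMPLE_BIND_RESULTS = [
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"),
    (0, ""),
]

if __name__ == "__main__":
    for code, diag in SAMPLE_BIND_RESULTS:
        print(code, "->", classify_bind_failure(code, diag))
```

Comparing this directory-side classification with the smauthreason the Policy Server logs for the same failed login is a quick way to spot the mis-mapping described in the defects above.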

Finally, you'll find further documentation here about the return codes from AD and their mapping to smauthreason codes:

Policy Server :: Disable Flag : SmAuthReason 
https://comm.support.ca.com/kb/policy-server-disable-flag-smauthreason/kb000049509