How to stop processing authentication from other user stores configured in the domain even if it hits a disabled user?

Document ID : KB000051159
Last Modified Date : 14/02/2018

Description:

Policy Server used to stop processing authentication against other user stores once a disabled-user status was returned. This behavior can now be changed by setting a new registry setting, 'ReturnOnDisabledUser'.

Solution:

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create a backup of the registry and ensure that you understand how to restore the registry if a problem occurs.
For information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on support.microsoft.com.

A registry setting 'ReturnOnDisabledUser' has been added that decides whether Policy Server will continue to process authentication against other user stores if it hits a disabled user.
Add the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\ReturnOnDisabledUser = 1
ReturnOnDisabledUser = 1:
On finding the user disabled in the first user store, Policy Server does not look into the other configured user directories and declares the user "Not Authenticated".
ReturnOnDisabledUser = 0:
If the user is found disabled, Policy Server continues to look through the other configured user stores and marks the status as "Not Authenticated" only if the user is disabled in all user stores.

This is applicable to LDAP user stores, from SiteMinder Policy Server version R12 SP2 CR1 onwards.
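
The lookup behavior for the two values, modelled as an added Python example (not CA or SiteMinder code), with a check that lists the accounts whose outcome depends on the setting. Store names, user names and the rule that a store without the user is skipped are assumptions; credential checking is left out.

```python
"""Simplified model of the ReturnOnDisabledUser lookup (illustrative only)."""

# Constructed sample data: (store name, {login: disabled?}) in search order.
SAMPLE_STORES = [
    ("ldap-hr",  {"alice": True,  "bob": False}),
    ("ldap-ext", {"alice": False, "carol": True}),
    ("ldap-old", {"carol": True}),
]


def authenticate(stores, user, return_on_disabled):
    """Walk the stores in order; return (result, deciding_store, searched).

    An enabled entry counts as a successful match (no password check here).
    """
    searched = []
    for name, entries in stores:
        searched.append(name)
        if user not in entries:
            continue  # assumption: a store that lacks the user is skipped
        if not entries[user]:
            return ("Authenticated", name, searched)
        # User found but disabled in this store.
        if return_on_disabled == 1:
            return ("Not Authenticated", name, searched)
        # return_on_disabled == 0: keep looking in the remaining stores.
    return ("Not Authenticated", None, searched)


def flag_sensitive_users(stores):
    """Users whose result differs between ReturnOnDisabledUser = 0 and = 1.

    These are accounts disabled in an earlier store but still enabled in a
    later one: with the value 0 they can still authenticate.
    """
    users = sorted({u for _, entries in stores for u in entries})
    return [
        u for u in users
        if authenticate(stores, u, 0)[0] != authenticate(stores, u, 1)[0]
    ]


if __name__ == "__main__":
    for flag in (1, 0):
        for user in ("alice", "bob", "carol"):
            print(flag, user, authenticate(SAMPLE_STORES, user, flag))
    print("outcome depends on setting:", flag_sensitive_users(SAMPLE_STORES))
```

Running the same comparison over real directory exports shows which accounts need to be disabled in every store before relying on the value 0.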