I cannot log in to Adminui Directly after Configuring Adminui External Authentication Store

Document ID : KB000040150
Last Modified Date : 14/02/2018

Issue:

I Cannot log in to Adminui Directly after Configuring Adminui External Authentication Store

After configuring the Adminui external authentication store for the first time, a user cannot log in to the Adminui with any of the following:
1.) the SiteMinder superuser password
2.) the superuser specified during the configuration
3.) any account in the directory just configured


Environment:

All versions of Adminui that support external admin store.
All external authentication store directories.

Cause:

The DisabledState field, required in the external authentication store setup, is a CA Single Sign On (SiteMinder) managed field and must be mapped to a directory field that is EMPTY and NOT externally managed.
In short, the field must contain no pre-existing data before you specify it in the external authentication store configuration, because CA Single Sign On (SiteMinder) stores user info in this field.
The only exception is if you use the same field for DisabledState in other external authentication stores.

Resolution/Workaround:

If you are currently in this situation, you are locked out of the adminui.
This requires the following set of steps to get you back into the adminui so you can re-do the external authentication store configuration wizard.

1.) Stop the Administrative UI Service.
2.) Delete the Adminui data folder.
This is located under <InstallLocation>\CA\Siteminder\adminui\server\default\ or <InstallLocation>\CA\Siteminder\adminui\standalone\
3.) Re-register the adminui on the policy server box by running the following from the command line:
XPSRegClient siteminder:yourpassword -adminui-setup
Note: Substitute the SiteMinder superuser password for "yourpassword" above.
4.) Start the adminui service.
5.) Log in to the adminui using the credentials from step 3.
6.) In the adminui, restart the External Authentication Store Wizard.

Once you are back in the wizard, when you reach the DisabledState field, make sure that you use a field in your LDAP such as JPEGPhoto or LicencePlate (assuming they are not actually populated).
If an empty field does not exist, please have your LDAP Administrator create one.
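
One way to confirm a candidate field really is unpopulated before selecting it, as an added example (not CA tooling): scan an LDIF export of the user branch and list every entry that already holds a value in that attribute. The sample export, DNs and function names are constructed for illustration.

```python
# Added example: pre-check a candidate DisabledState attribute (constructed sample data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
jpegPhoto;binary:: /9j/4AAQSkZJRgABAQEA
 YABgAAD/2wBDAAgGBgcG

dn: uid=dave,ou=people,dc=exam
 ple,dc=com
JPEGPHOTO: placeholder
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def populated_entries(ldif_text, attribute):
    """Return DNs of entries holding a non-empty value for `attribute`.
    Names compare case-insensitively; options such as ';binary' are ignored."""
    wanted = attribute.lower()
    hits, dn, found = [], None, False
    for line in unfold(ldif_text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():               # blank line ends an entry
            if dn is not None and found:
                hits.append(dn)
            dn, found = None, False
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        base = name.split(";")[0].strip().lower()
        value = value.lstrip(":<").strip()  # drop '::' (base64) and ':<' (URL) markers
        if base == "dn":
            dn = value
        elif base == wanted and value:
            found = True
    return hits

if __name__ == "__main__":
    print({a: populated_entries(SAMPLE_LDIF, a) for a in ("JPEGPhoto", "LicencePlate")})
```

A non-empty result for an attribute means at least one account already stores data there, so that attribute should not be mapped to DisabledState.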

CA Single Sign On (SiteMinder) will use this field to store information about the user account.
Once you have configured this, please let admins know that no other data can be stored in this field, otherwise you will end up locked out again.