Unable to authenticate via SecurID due to error "Node verification failed" in SiteMinder Policy Server.

Document ID : KB000053798
Last Modified Date : 14/02/2018

Description:

We have the SiteMinder Policy Server and the ACE server on different machines. We have discussed this with the ACE support team, and they say that this issue is because of the client-side node secret.

Policy Server shows:

-> Begin

[7211/22][Tue Apr 21 2009 15:10:14][SmAuthAce.cpp:839][INFO] SmAuthenticate: Starting AceInit
[7211/22][Tue Apr 21 2009 15:10:39][SmAuthAce.cpp:972][ERROR] SmAuthenticate:Name Lock Request has been denied by ACE/Server communication failure.

-> End

ACE server log shows:

-> Begin

04/21/2009 19:39:16U --------/node1.mycompany.org ---->
04/21/2009 15:39:16L Node verification failed node1.mycompany.org

-> End

In other words, the client (in this case, the policy server) is holding a node secret and trying to connect to the ACE server with the old node secret. Do you know where SiteMinder keeps the node secret file?

Solution:

The location of the node secret file (filename: securid) is OS-specific. On Windows it is in the System32 directory (or wherever your ACE agent is installed), and on Unix platforms it is in the $NETE_PS_ROOT/bin directory.

To fix this problem:

On the ACE server:

  1. Edit the Agent Host configured for the policy server and uncheck "Requires Name Lock".

  2. Uncheck "Node secret sent".

  3. Save the agent host and regenerate sdconf.rec.

On the policy server:

  4. Rename the old sdconf.rec, sdstatus.12, and securid files to something else.

  5. Copy or FTP the new sdconf.rec from the ACE server, in binary format, to the following directory on the policy server:

    $NETE_PS_ROOT/bin/ on UNIX
    system32 directory on Windows

    Make sure that the SiteMinder user account has read/write permissions to this file.

  6. Double-check that the environment variables VAR_ACE and USR_ACE both point to:

    $NETE_PS_ROOT/bin/ on UNIX
    system32 directory on Windows

  7. Restart the SiteMinder Policy Server.

    Try to authenticate a user. At this point, if everything is OK, the securid file will be created with the new node secret. The file sdstatus.12 will also be created, with the last status.
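
Steps 4 to 6 on a UNIX policy server, as an added shell example (not part of the original article or of the product's own tooling). NEW_SDCONF is a hypothetical variable holding the path of the sdconf.rec already transferred from the ACE server; the function names are also illustrative.

```shell
#!/bin/sh
# Added example for steps 4-6 on a UNIX policy server; run as the SiteMinder user.

# Step 4: rename the stale agent files so a new node secret can be created.
rename_old_ace_files() {   # args: directory, suffix
    dir=$1; suffix=$2
    for f in sdconf.rec sdstatus.12 securid; do
        if [ -e "$dir/$f" ]; then
            mv "$dir/$f" "$dir/$f.$suffix" && echo "renamed $f to $f.$suffix"
        fi
    done
}

# Step 5: install the new sdconf.rec, confirm the copy matches the source
# and that the current user can read and write it.
install_sdconf() {         # args: new sdconf.rec, directory
    src=$1; dir=$2
    cp "$src" "$dir/sdconf.rec" || return 1
    cmp -s "$src" "$dir/sdconf.rec" || { echo "sdconf.rec differs from source" >&2; return 1; }
    if [ -r "$dir/sdconf.rec" ] && [ -w "$dir/sdconf.rec" ]; then return 0; fi
    echo "sdconf.rec is not read/write for $(id -un)" >&2
    return 1
}

# Step 6: VAR_ACE and USR_ACE must both point to the directory.
check_ace_env() {          # arg: directory
    dir=${1%/}; rc=0
    for v in VAR_ACE USR_ACE; do
        eval "val=\${$v:-}"
        if [ "${val%/}" != "$dir" ]; then
            echo "$v='$val' does not point to $dir" >&2; rc=1
        fi
    done
    return $rc
}

# NEW_SDCONF (hypothetical variable name): sdconf.rec copied from the ACE server.
if [ -n "${NEW_SDCONF:-}" ]; then
    ACE_DIR=${NETE_PS_ROOT:?NETE_PS_ROOT is not set}/bin
    rename_old_ace_files "$ACE_DIR" "old.$(date +%Y%m%d%H%M%S)"
    install_sdconf "$NEW_SDCONF" "$ACE_DIR" && check_ace_env "$ACE_DIR"
fi
```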