Federation Manager Release Notes › Known Issues › User Directory Issues › Registry Change Required for r12 Upgrade When Using Active Directory (79102)

Registry Change Required for r12 Upgrade When Using Active Directory (79102)

Symptom:

If the user store configured in the UI is based on Active Directory groups (AD or ADAM), Federation Manager is not maintaining directory connections when you upgrade from Federation Manager r12 to later versions.

Solution:

Complete the following upgrade procedure if you are upgrading from Federation Manager r12 to a later version, and the Federation Users configuration in the Partnership wizard uses Active Directory (AD or ADAM) groups.

Note: Do not perform this procedure if you are installing Federation Manager for the first time or you are upgrading but were not previously connected to any Active Directories (AD or ADAM).

To maintain AD/ADAM directory connections after an upgrade

1. Upgrade from Federation Manager r12 to r12x according to the instructions in the Federation Manager Guide.
2. After the upgrade is complete, set the following registry key value to uniqueMember:

   HKEY_LOCAL_MACHE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LdapMatchUserDN\groupOfUniqueNames

3. Restart the Federation Manager services according to your operating environment.
   • Windows

     Use the Federation Manager stop and start shortcuts as follows. If you logged in as a network user and not a local administrator, right-click the shortcut and select Run as administrator.

     1. Start, All Programs, CA, FederationManager, Stop services
     2. Start, All Programs, CA, FederationManager, Start services
   • UNIX

     a. Open a command window.

     b. Run the following scripts:

     federation_mgr_home/fedmanager.sh stop

     federation_mgr_home/fedmanager.sh start

     When you run the fedmanager.sh script, it sources the Federation Manager environment script, ca_federation_env.ksh.

   Note: Do not stop and start the services as the root user.

4. Log in to the Federation Manager UI.
5. For every IDP -> SP partnership that has at least one user policy based on Active Directory groups, do the following:
   1. Deactivate the partnership.
   2. Edit the partnership.
   3. In the Federation Users step of the Partnership Wizard, select Group in the User Class field for each Active Directory group entry in the list.
   4. Go to the Confirm Step of the wizard and click Finish to save the changes to the partnership.
6. Re-activate the partnership.