Previous Topic: General ConsiderationsNext Topic: Defects Fixed in 12.5


Known Issues

Known Issues in 12.51

The following are known issues in 12.51:

Update of Policy Store Encryption Key Not Working Properly (171497, 171365)

Symptom:

My Policy Servers cannot connect to my policy store after I updated the encryption key for my policy store.

Solution:

If this issue occurs, contact our technical support department for help.

More information:

Contact CA Technologies

Reset the r12.x Policy Store Encryption Key

Error Message When Installing the Reports Server on Red Hat Linux 6 32-bit System (169884)

Symptom:

The cabi-linux-3_3_0_2 installer for a Red Hat Linux 6 32-bit machine is expecting a 64-bit library. The following error message displays during the installation of the Report Server:

******************************
Linux: Your system is missing required components (STU00120):
******************************
Missing patch: libXext-1.1-3.el6.x86_64
Missing patch: libXext-devel-1.1-3.el6.x86_64

If you continue your installation may not work correctly. (STU00109)
Please press Enter to continue...

Solution:

Ignore the error message and proceed with the installation. The Reports Server successfully installs despite this error message.

SAML1.1 Partnership Artifact Transaction Fails With Delegated Authentication

The SAML1.1 partnership artifact transaction fails with delegated authentication when "NAME" is used as the query parameter.

For the artifact transaction to be successful, perform one of the following two workarounds:

Database Truncation Error Occurs in the Audit Table

Symptom:

When the DN of the LDAP directory is greater than 64 characters, the database truncation error occurs in the Audit table.

Solution:

You can resolve this issue in one of the following ways:

RSA SecureID Auth Scheme Not Supported in FIPS Mode

The Policy Server in FIPS mode on Solaris 11 is not supported for the RSA SecureID HTML form authentication scheme.

Memory Growth Exists During Performance Tests

Symptom:

When text-based audit logging is performed during performance tests, memory growth exists in the Policy Server.

Solution:

To resolve the issue, perform the following steps:

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports.
  2. Add and enable the following registry entries:
    TxtLogBacklogBufferSize

    Defines the maximum size in MB of the total queued access log entries.

    Default: 500 MB

    TxtLogBacklogWaitTime

    Defines the maximum time in seconds a thread waits for space in the text log queue when the text log queue is full.

    Default: 10 seconds

    The memory growth is restricted.

DSN Names with Non-ASCII Characters Not Supported

Only English characters can be used in Data Source Names (DSN) for ODBC databases that are used as a CA SiteMinder® user, policy, or session store.

Only English is Supported as a Certificate Subject (167597)

Symptom:

In the Administrative UI, the Generate Certificate Signing Request flow supports only English characters in the certificate subject (issuer DN, org, and user).

Solution:

Import a certificate that has the non-English characters in the certificate subject that is already signed, outside of the Generate Certificate Signing Request flow.

AttributeType Not Registered Error in the Administrative UI Log

On installing the Administrative UI, the Administrative UI log shows an error message that the AttributeType has not been registered. The Administrative UI uses ApacheDS which causes this error. You can ignore this error message.

Cannot Specify Non-English Path to Install Administrative UI

You cannot specify local (non-English) characters in the installation path of the Administrative UI.

Local Characters in 4.x Agent Names Not Supported in the FSS Administrative UI

Symptom:

I cannot log in to the FSS Administrative UI.

Solution:

The FSS Administrative UI could possibly have a 4.x agent name with local (non‑English) characters. The FSS Administrative UI does not support the use of local (non‑English) characters in 4.x Agent names.

Objects that Support Only English-Language Characters

Although CA SiteMinder® 12.51 is internationalized, the following objects support English-language (US-ASCII) characters only:

The smldapsetup Utility Fails

The smldapsetup utility fails in the following cases:

Report Without Data (145002)

Symptom:

My report has no data. I did not see an error message.

Solution:

This problem occurs if the end time for the report occurs earlier the start time for the report. Verify that the end time occurs later than the start time and run the report again.

First Tab in Group Appears in Administrative UI When Switching from View to Modify (146508)

Symptom:

I was viewing an object in the Administrative UI, but after I clicked Modify, the first tab appeared instead of the tab I was viewing.

Solution:

The first tab in a group appears after clicking Modify. This behavior is expected.

OCSPUpdater Does Not Support the SHA-224 Algorithm (150477,150474)

The OCSPUpdater used for federation certificate validity checking cannot sign OCSP requests using the SHA-224 algorithm. The updater can only sign with the SHA-256, SHA-384, and SHA-512 algorithms.

smpolicysrv_snmp.log Not Generated (147959)

If SNMP is configured for auditing and the Policy Server fails to start–up, CA SiteMinder® generates the SmStartupEvents.audit file. However, no SNMP events are generated. CA SiteMinder® records the start–up events in the reference log file.

Report Server Configuration (150327,119313)

With CA SiteMinder® 12.51, you cannot configure the report server on a non–default port. The report server requires port 6400.

Browser Refresh and Back Buttons Cause Resubmission of Data (149633)

Symptom:

When you select the browser refresh or back button, the dialog where you have entered values gets resubmitted. The repeat operation puts the object that you are configuring into an invalid state.

Solution:

Avoid using the refresh and back buttons on the browser when using the Administrative UI.

Agent Discovery and IIS Web Agents (134318)

If a web agent is installed on a Microsoft IIS web server, the agent discovery feature does not identify the agent for the first−time until the agent intercepts a user request and passes it to the Policy Server.

Subsequent updates to the timestamp of the agent instance are dependent on how IIS is configured. If IIS is configured to shut down idle worker processes, the timestamp is not updated until the web server receives a subsequent request.

This is normal expected behavior. The behavior is a result of how the IIS web server functions.

Uninstalling the Report Server Leaves Files and Registry Entries

Valid on Windows

Symptom:

When I uninstall SAP BusinessObjects Enterprise, some files and registry entries remain.

Solution:

These items are left behind deliberately. These items are required if a user wants the information available for a new installation.

To remove the files and registry entries on Windows 32–bit platforms

  1. After uninstalling SAP BusinessObjects Enterprise, delete all files in the installation directory.

    Note: The default installation directory is C:\Program Files\CA\SC\CommonReporting3.

  2. Delete the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\Shared\CommonReporting3
    HKEY_CURRENT_USER\Software\Business Objects
    HKEY_USERS\.DEFAULT\Software\Business Objects
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120SIASIANODENAME
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120MySQL
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOE120Tomcat
    HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun
    2.0\BOE120SIA<SIANODENAME>HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\BOE120Tomcat
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\INSTALLDIR
    

    The leftover files and registry entries are removed.

To remove the files and registry entries on Windows 64–bit platforms

  1. After uninstalling SAP BusinessObjects Enterprise, delete the following directory:

    installation_directory\CommonReporting3.

    Note: The default installation directory is C:\Program Files(x86)\CA\SC\CommonReporting3.

  2. Delete the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Business Objects
    

    The leftover files and registry entries are removed.

Cache Time Limit while Creating a Response Attribute

While creating a response attribute in a response group, you can configure a time for which the cache is valid. Although the Administrative UI lets you enter any value, the maximum time allowed is 3600 seconds.

Active Directory Synchronization (115248)

When integrating Microsoft Active Directory with SiteMinder, Active Directory user stores that are clustered or configured for round robin load balancing may not synchronize correctly between each use. As a result, some fields may not behave as expected. The unexpected behavior is associated with known Active Directory synchronization limitations.

Contact Microsoft to resolve problems associated with replication and synchronization.

STAR issue: 19249325–01

Windows Server 2008 System Considerations

For Windows Server 2008, the User Account Control feature helps prevent unauthorized changes to your system. When the User Account Control feature is enabled on the Windows Server 2008 operating environment, prerequisite steps are required before doing any of the following tasks with a CA SiteMinder® component:

Note: For more information about which CA SiteMinder® components support Windows Server 2008, see the CA SiteMinder® Platform Support matrix.

To run CA SiteMinder® installation or configuration wizards on a Windows Server 2008 system

  1. Right–click the executable and select Run as administrator.

    The User Account Control dialog appears and prompts you for permission.

  2. Click Allow.

    The wizard starts.

To access the CA SiteMinder® Policy Server Management Console on a Windows Server 2008 system

  1. Right–click the shortcut and select Run as administrator.

    The User Account Control dialog appears and prompts you for permission.

  2. Click Allow.

    The Policy Server Management Console opens.

To run CA SiteMinder® command–line tools or utilities on a Windows Server 2008 system

  1. Open your Control Panel.
  2. Verify that your task bar and Start Menu Properties are set to Start menu and not Classic Start menu.
  3. Click Start and type the following in the Start Search field:
    Cmd
    
  4. Press Ctrl+Shift+Enter.

    The User Account Control dialog appears and prompts you for permission.

  5. Click Continue.

    A command window with elevated privileges appears. The title bar text begins with Administrator:

  6. Run the CA SiteMinder® command.

More information:

Contact CA Technologies

Oracle RAC Propagation Window Results in CA SiteMinder® Errors

Symptom:

The Oracle RAC nodes propagate changes within 7 seconds. CA SiteMinder® could read and write objects to a policy store, user store, session store, or audit store more often. As a result, the default Oracle RAC propagation window can result in CA SiteMinder® errors. These CA SiteMinder® errors occur because the write operation was made into one node and the read operation was made to another node.

Solution:

Configure the following setting in the Oracle RAC cluster:

MAX_COMMIT_PROPAGATION_DELAY=0

Note: For more information about configuring this setting, see the Oracle documentation.

Policy Server may Fail to Insert Audit Events into the Audit Database

Symptom:

Under heavy load, the Policy Server may fail to insert queued audit events into the audit store. If the failure occurs, the CA SiteMinder® Policy Server log (smps.log) displays the following error:

[INFO] Failed attempt to bulk insert audit message: Code: -1044. DB Code: 2

Solution:

Two registry keys determine when the Policy Server inserts audit events into the audit database: SQLBulkInsertFlushInterval and SQLBulkInsertFlushRowCount:

Modify the SQLBulkInsertFlushRowCount registry key to resolve the error message.

To modify the registry key

  1. Access the Policy Server host system and do one of the following:
  2. Increase the value of the SQLBulkInsertFlushRowCount registry key.

    Increase the value to be at least twice as large as the number of audit events that were created, per second, when the error appeared in the CA SiteMinder® Policy Server log.

    Example: If 1,500 audit events occurred when the error appeared, increase the value to 3,000.

  3. Do one of the following:
  4. Restart the Policy Server.
Policy Server Performance with a Sun Java System Directory Server EE Policy Store

Symptom:

The Policy Server takes an exceedingly long time to start when version 6.0 of Sun Java System Directory Server EE is functioning as the policy store.

Solution:

A known indexing issue with version 6.0 results in the performance problem. Regenerate the existing policy store indexes.

Note: Version 6.3.1 of Sun Java Systems Directory Server EE contains fixes that affect the behavior of indexes. These fixes prevent the problem.

Important! The suffix DN is unavailable when you re–index the policy store.

To re–index the policy store

  1. Log into the directory server host.
  2. Navigate to the directory_server_install\bin and run the following command:
    dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject
    -t xpsTombstone instance_path policysvr4
    
    directory_server_install

    Specifies the Sun Java System Directory Server EE installation path.

    instance_path

    Specifies the path to the directory server instance functioning as the policy store.

    Note: For more information about dsadm command, see your vendor–specific documentation.

  3. Restart the directory server instance.
Sun Java System Directory Server EE Logs Warn that the Search is Not Indexed

Symptom:

I have configured version 6.3.1 of Sun Java System Directory Server EE as a policy store. The directory logs contain warnings stating that the search is not indexed.

Solution:

This is expected behavior and CA SiteMinder® performance is not affected. Restart the directory server instance to stop the warnings.

Searches for Many Policy Objects (63721)

When searching on many policy objects using the Administrative UI, the connection between the Administrative UI and the Policy Server can time out, the Policy Server tunnel buffer can become corrupt, or both. In such cases, the Administrative UI displays a connection timeout error and no search results are returned. To eliminate this problem, adjust the Administrative UI Policy Server connection timeout and create a registry key for the Policy Server tunnel buffer size.

To adjust the Policy Server connection timeout

  1. Log in to the Administrative UI.
  2. Click Administration, Admin UI, Modify Administration UI Connection, Search to open the Policy Server connection object.
  3. Select the appropriate Policy Server and click Submit.
  4. Set the Timeout field in the Advanced section to a large value, such as 2,000 seconds.

The Policy Server connection timeout is now increased.

To create a registry key for the tunnel buffer size

  1. Create the following Policy Server registry key:

    HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer\
    Max AdmComm Buffer Size

  2. Set this registry key to a large value, such as 2,097,000 KB.
  3. Save the changes and exit the registry.

Note: Restart the Administrative UI if these symptoms persist following the connection timeout and buffer size changes.

XPSExport Creates Read Only File (65035)

XPSExport creates read only output XML files, which XPSImport cannot use. To correct this problem, change the permissions on the output XML file to read/write before running XPSImport.

Windows LDAP Driver Version and FIPS Support

The Policy Server and the Windows LDAP directory drivers for policy stores and user stores have a configuration limitation that is related to FIPS 140.

When a Windows Policy Server is configured for FIPS-only operation, it does not restrict SSL to FIPS–only algorithms. This behavior occurs when the following conditions are met:

The Policy Server is using LDAP–over SSL for a policy store and a user store.

Customers that must observe all FIPS-140 algorithm restrictions can modify the SSL configuration files and can deploy FIPS-compliant certificates.

Reports and CA SiteMinder® Performance

Under certain circumstances, running analysis and audit-based reports may slow CA SiteMinder® performance. We recommend analyzing the load patterns in your environment to determine the best time to run reports.

IPv6 ODBC Data Sources

Do not use brackets around the IP address when using IPv6 ODBC data sources or the connection fails.

Example: use fec0::9255:20c:29ff:fe47:8089 instead of [fec0::9255:20c:29ff:fe47:8089]

Note: More information on IPv6-supported databases exists in the CA SiteMinder® Platform Support Matrix.

Searching CertSerialNumbers in a Custom Certificate Mapping Fails (59352)

Symptom:

(LDAP) The default Policy Server behavior is to treat a CertSerialNumber as a broken string of numbers. This behavior causes a custom certificate mapping to fail if the user directory stores the CertSerialNumber as an unbroken string of numbers. The Policy Server fails to lookup the user because the default LDAP search contains spaces.

Solution:

Enable the NoSpacesinCertNumbers registry setting. Enabling the registry setting causes the Policy Server to treat certificate serial numbers as an unbroken string of numbers for all serial number comparisons.

Location: HKEY_LOCAL_MACHINE/SOFTWARE/Netegrity/Siteminder/CurrentVersion/PolicyServer/NoSpacesInCertSerialNumbers

Values: 0 (disabled) 1 (enabled)

Default Value: 0

Mixed Certificate-Based Authentication Schemes (27997)

The following authentication schemes are affected by the value of the Web Agent parameter for FCC Compatibility Mode (FCCCompatMode):

Note: For more information about how FCC Compatibility Mode affects the listed authentication schemes, see the Web Agent Configuration Guide.

Password Change Fails if UserDN Equal to or Greater than 1024 Characters (52424)

A password change fails and the user receives an error message prompting them to contact the Security Administrator or Help Desk if the combination of the new password; old password; and user identity, which is comprised of the userID, Client IP and time stamp is equal to or exceeds 1024 characters.

Passwords for User Accounts Stored in Active Directory cannot be Locked (48125)

CA SiteMinder® continues to let users change their passwords when the “User cannot change password" feature is enabled for the accounts.

Linux Policy Server Does Not Delete Oracle Session Store Sessions (39143)

Symptom:

A Linux Policy Server may not immediately delete sessions from an Oracle session store when the idle timeout setting for the realm is reached.

Solution:

The Policy Server does begin to delete sessions shortly after the idle timeout setting is reached. For example, if the idle timeout setting is 30 minutes, the Policy Server may begin deleting sessions at 45 minutes.

Single Logout Services Log Errors if ODBC/SQLError Component Enabled (41324)

If the ODBC/SQLError component is enabled in the Policy Server trace log, Single Logout Services can cause the following errors to be written to the trace log:

[13:42:44.0] [CSmDbODBC.cpp:189] [CSmDbConnectionODBC::MapResult] [] [][-1] [Microsoft] [ODBC]

The error is expected behavior. The data is ultimately written to the session store database.

Manually Create the webadapter.properties File (72353)

Problem:

The file webadapter.properties is not created in ServletExec's configuration folder, as expected. As a result, OneView Monitor does not work.

Solution:

After configuring OneView Monitor on an RHAS 4.0 platform with a supported web server, manually create the webadapter.properties file in ServletExec's configuration folder. The ServletExec adapter uses the properties in this file to rout HTTP requests from the web server to a ServletExec Application Server (AS) instance.

The webadapter.properties file contains the following properties:

servletexec.aliasCheckInterval

Specifies a minimum number of seconds for the ServletExec adapter to poll the ServletExec AS instance.

Note: Setting this property to a positive number ensures that the ServletExec adapter polls the AS instance for the specified interval of time. As a result, the adapter is automatically updated when the instance's web application data is modified.

Examples:

servletexec.aliasCheckInterval=10

servletexec.aliasCheckInterval=-1

Use this value to disable polling.

instance_name

Specifies the name of a ServletExec AS instance.

servletexec.instance_name.hosts

Specifies one or more host names or IP addresses separated by commas.

Note: These are the hosts for which the specified ServletExec AS instance is configured to process requests.

Examples:

servletexec.instance_name.hosts=www.abc.com:9090,www.ca.com

servletexec.instance_name.hosts=192.168.200.17,192.168.200.43:8000

servletexec.instance_name.hosts=all

Specifies that this ServletExec AS instance is configured to process requests from all hosts.

servletexec.instance_name.instances

Specifies the IP address and port number of a ServletExec AS instance.

Note: This IP address and port number are used by the ServletExec adapter when forwarding HTTP requests from the web server to the specified ServletExec AS instance. Each instance must have a unique IP address/port number pair.

Example:

servletexec.instance_name.instances=127.0.0.1:8888

Specifies default values for the IP address and port number.

servletexec.instance_name.pool-increment

Specifies the number of connections that can be added to the connection pool when a connection is needed and the pool is empty.

Note: These connections are used by the ServletExec adapter to communicate with the specified ServletExec AS instance.

Example:

servletexec.instance_name.pool-increment=5

servletexec.instance_name.pool-max-idle

Specifies the maximum number of idle connections that can be present in the connection pool at any one time.

Note: This number applies to the connections that are used by the ServletExec adapter to communicate with the specified ServletExec AS instance.

Example:

servletexec.instance_name.pool-max-idle=10

Using the webadapter.properties file, the ServletExec adapter applies the following algorithm to each HTTP request:

  1. Locate all ServletExec AS instances that are configured for the host specified in the HTTP request.
  2. Find a match between the URL in the HTTP request and the .instances property of one of the instances located in step 1.
  3. Forward the HTTP request to the resulting ServletExec AS instance.
Edit or Delete Responses and Response Groups

Problem:

Responses and response groups cannot be edited or deleted in the context of a Create Domain or Modify Domain task.

Solution:

Edit and delete responses and response groups by clicking the Policies tab, Domains, and Response or Response Group.

Enterprise Policy Management (EPM) Limitations

Each EPM application can have multiple resources that are associated with it. However, each resource can have only one response that is associated with it.

Password Change Behavior with Active Directory (AD) User Stores (82607)

Setting the password change flag for a particular user in an Active Directory (AD) user store invalidates the user’s old password. When the password change flag is set, entering any password on the login dialog redirects the user to the password change dialog. To create the new password, however, the user must match the old password in the field on the password change dialog.

This behavior results from password policies that are part of the AD user store and not from SiteMinder password policies and cannot be changed. Because the policies are integral to the AD user store, changing the namespace from AD to LDAP has no effect on this behavior.

Policy Analysis Reports Return No Results (82275)

Valid for Active Directory user directory connections configured over the LDAP namespace.

Symptom:

My Policy analysis reports are not returning user records.

Solution:

Use the Administrative UI to define an alias mapping between the inetOrgPerson attribute and the respective attribute in Active Directory.

Example: If the respective attribute is “user”, create an alias attribute mapping named inetOrgPerson and define the alias as “user”.

Note: For more information on attribute mapping, see User Attribute Mapping in the Policy Server Configuration Guide.

Oracle Issues

The following Oracle issues exist:

Administrative UI and Oracle Policy Store Objects (65782)

When you are using an Oracle policy store and you make changes to policy store objects in the Administrative UI, the changes are effective immediately; however, they may not be visible in the Administrative UI for up to 5 minutes.

SiteMinder Query Timeout and Oracle User Directories (68803)

The SiteMinder Query Timeout is not supported when the Policy Server is connected to an Oracle user directory. You may encounter this limitation when the Oracle response time is very slow.

Policy Server Issues

The following Policy Server issues exist:

Policy Server May Fail to Start due to a Dynamically Updated system_odbc.ini File (55265)

Symptom:

(Linux) The Policy Server may fail to start because the system_odbc.ini file is dynamically updated.

Solution:

After the Policy Server installation, save the file as Read-Only.

Error Message Appears When Starting the Policy Server (127332) (135676)

Symptom:

If your Policy Server and policy store are operating in mixed-mode during an upgrade to 12.51, the following error message appears after the Policy Server starts:

[CA.XPS:LDAP0014][ERROR] Error occurred during "Modify" for
xpsParameter=CA.XPS::$PolicyStoreID,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=PSRoot
,text: Object class violation
[CA.XPS:XPSIO024][ERROR] Save Policy Store ID failed.

Solution:

This message is expected behavior and does not affect the CA SiteMinder® environment.

This message occurs because the r6.x policy store is not upgraded. Part of the upgrade process includes importing the policy store data definitions. The error appears in the CA SiteMinder® Policy Server log because the data definitions are not available in the policy store.

STAR issue: 19759432–01 and 20134656–01

Solaris Issues

The following Solaris issues exist:

Password Screen does not Prompt for Multiple SafeWord Authenticators (56766)

Users are unable to access protected resources when a SafeWord authentication scheme requires both fixed and token-based authenticators. The password screen only prompts users for one authenticator. Therefore, the user is unable to provide both types of credentials and cannot access the protected resource.

Federation Encryption Issue with JCE on Solaris (71293)

Symptom:

An issue occurs with the Java Cryptography Extension (JCE) and legacy federation (formerly Federation Security Services) encryption. This issue happens when an legacy federation Policy Server on Solaris is using certain versions of the JRE. When the Policy Server is acting as an IdP, SAML assertion encryption could possibly fail. If the Policy Server is acting as an SP, SAML assertion decryption could possibly fail.

Solution:

Modify the java.security file in jre_root/lib/security so that the sun.security.provider.Sun provider is registered as the first provider.

Note: Other supported platforms with different versions of Java could possibly exhibit this problem. Apply the same solution.

OAuth and OpenID Authentication Scheme Problems on Solaris (167716)

Symptom:

Solution:

Modify the java.security file so that the sun.security.provider.Sun provider is registered as the first provider in the list. The java.security file is in the directory jre_root/lib/security.

Note: Other supported platforms with different versions of Java could possibly exhibit this problem. Apply the same solution.

Advanced Password Services (APS) Issues

The following APS issues exist:

APS Uses Unsafe Functions on Windows Server 2008

Symptom:

On Windows Server 2008, Advanced Password Services uses functions deemed unsafe by Microsoft Security Development Lifecycle (SDL).

Solution:

This is no longer an issue. The unsafe functions have been replaced.

APS Client Components Must Be Configured as 4.x Agents Which Do Not Support IPv6 Addressing (167337)

Symptom:

When configuring APS, you create 4.x Agent objects to represent for the Help Desk (APSAdmin), Forgotten Password (FPS), and Change Password interface client components. However, agents that are configured to act as 4.x Agents do not support IPv6 addresses.

Solution:

In a pure IPv6 environment, install and configure the APS client components on the same system as the Policy Server and use a loopback IP address (for example, 127.0.0.1) in the agent configuration.

Otherwise, use an IPv4 and IPv6 mixed environment.

More information:

IPv6 Addresses Not Supported by Web Agents Configured as 4.x Agent Types (65071)