

How to Configure an Active Directory User Store Connection

The following graphic shows the required steps to configure an Active Directory user store connection:

Graphic showing the steps to configure an Active Directory User Store Connection

To configure an AD user store connection, complete the following procedures:

  1. Review AD Namespace and LDAP namespace information.
  2. Gather user store information.
  3. Disable Password Services redirect for natively disabled unauthorized users.
  4. Enable enhanced Active Directory integration.
  5. Create the user store connection.
  6. Disable the EnableADEnhancedReferrals registry key.
  7. Enable the SASL bind registry key.
  8. Test the user store connection.

Prerequisites

Verify that the following are in place before you configure an AD user store connection:

Review AD Namespace and LDAP Namespace Information

You can configure the user store connection as either an AD or LDAP namespace. The type of namespace that you select affects supported features and other areas of CA SiteMinder® functionality.

The following table describes the advantages and disadvantages of the AD and LDAP namespaces:

Namespace Type: AD

  Advantages:

  • SSL connectivity using a native Windows certificate database.

    Note: Both the Policy Server and the systems hosting Active Directory user stores must have an established trust.

  • Support for native Windows SASL, which allows for secure LDAP bind operations.

  Disadvantages:

  • No support for enhanced LDAP referrals.
  • No support for LDAP paging and sorting operations.

    Note: Regardless of the code page that you are using, CA SiteMinder® treats characters as they are defined in Unicode. Although your code page can reference a special character as single-byte, CA SiteMinder® treats it as a multibyte character if Unicode defines it as such.

Namespace Type: LDAP

  Advantages:

  • Support for enhanced LDAP referrals.
  • Support for LDAP paging and sorting.

  Disadvantages:

  • No support for native Windows SASL.
  • The object class attribute is not indexed.

    For CA SiteMinder® to run efficiently with an Active Directory user directory, index the object class attribute in Active Directory.

    Note: For more information, see your vendor-specific documentation.

  • Using a Windows User Security Context.

    An agent can run in a Windows user security context for accessing web resources on IIS web servers. Before SiteMinder can provide the Windows user security context, configure a session store and enable persistent sessions on a per-realm basis. To enable this feature, select the following option under Directory Setup while creating a user directory using the Administrative UI:

    Use authenticated user's security context

Gather User Store Information

Gather the required information for the LDAP settings and the user attributes, before creating the user store connection.

Contact the directory server administrator to gather this information.

Server

Specifies the IP address and port of the Active Directory host system.

LDAP search root

Specifies the location in the LDAP tree that the Policy Server uses as the starting point for the directory connection. The Policy Server begins searching at the root when locating a user.

Example: dc=domainname,dc=com

User DN Lookup

Specifies the text string of an LDAP search expression or user DN for locating users in an LDAP user store. A complete lookup requires a Start and End string. The combination of the Start string, username, and End string is used to search the LDAP user store.

Example (Start): (sAMAccountName=

Example (End): )

Universal ID

Specifies the name of the attribute SiteMinder uses as the Universal ID.

Example: sAMAccountName

Disabled Flag

Specifies the name of the user directory attribute that holds the disabled state of the user.

Example: carLicense (or any integer attribute)

Password

Specifies the name of the user directory attribute that CA SiteMinder® uses to authenticate the password of a user.

Example: unicodePwd

Password Data

Specifies the name of the user directory attribute that SiteMinder can use for Password Services data.

Example: audio

The value for Password Data can be any large binary attribute. A value is needed only if you are using Basic Password Services.

Disable Password Services Redirect for Natively Disabled Unauthorized Users

By default, SiteMinder reprompts users for credentials if those users are natively disabled in the directory server. SiteMinder redirects these users to Password Services, even if Password Services is not enabled for the authentication scheme protecting the resource.

To prevent this behavior, the following registry key is required:

IgnoreDefaultRedirectOnADnativeDisabled

Contact the policy server administrator and request that the key be created and enabled.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Open the Registry Editor and navigate to the following location:
    HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider
    
  3. Create the IgnoreDefaultRedirectOnADnativeDisabled registry key with a registry type of REG_DWORD.

    Value: 0 (disabled) or 1 (enabled)

    Default: 0

  4. Set the value as 1.
  5. Exit the Registry Editor.
  6. Restart the Policy Server.

Important! If a password policy that specifies a redirect to Password Services is in effect, CA SiteMinder® redirects the natively disabled users to Password Services regardless of this registry key setting.

Enable Enhanced Active Directory Integration

Active Directory 2008 has several user and domain attributes that are specific to the Windows network operating system (NOS). The LDAP standard does not require these user and domain attributes. If Password Services is enabled, enable Enhanced Active Directory Integration using the Administrative UI. This option improves the integration between the user management feature of the Policy Server and Password Services with AD by synchronizing AD user attributes with CA SiteMinder® mapped user attributes.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Administration, Policy Server, Global Tools.
  3. Select Enhance Active Directory Integration.
  4. Click Submit.

    Enhanced Active Directory integration is enabled.

Create the User Store Connection

Configuring the user store connection lets the Policy Server communicate with Active Directory. If the environment uses Password Services, an SSL connection and a password attribute (for example, unicodePwd) are required.

Note: For more information about configuring Active Directory to communicate over SSL, see your vendor-specific documentation.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Directory, User Directories.
  3. Click Create User Directory.
  4. Microsoft Active Directory is an LDAP-compliant user directory. You can configure the connection using the AD namespace or the LDAP namespace. Do one of the following:
  5. Complete the remaining required connection information in the General and Directory Setup areas.

    Note: If the Policy Server and an Active Directory namespace communicate over SSL, specify the IP address and port in Server under Directory Setup. When the IP address is not specified, an error is logged that states the user directory cannot be contacted. A Windows Event is also logged that reports the certificate does not match the server name.

    Note: The certificates that the Policy Server and the directory store use must be FIPS-compliant under the following conditions:

  6. (Optional) Click Configure under Directory Setup to configure load balancing and failover.
  7. Under Administrator Credentials, do the following:
    1. Select Require Credentials.
    2. Enter the credentials of an administrator account.

    Note: When configuring a user directory in the Active Directory (AD) namespace, specify the fully qualified domain name (FQDN) of the administrator in the Username field. Otherwise, user authentication can fail.

  8. Configure the LDAP Search and LDAP User DN Lookup settings in the LDAP Settings area.
  9. Specify the user directory profile attributes that are reserved for CA SiteMinder® use in the User Attributes area.
  10. (Optional) Click Create in the Attribute Mapping List area to configure the user attribute mapping.
  11. Click Submit.

    The user directory connection is created.

Disable the EnableADEnhancedReferrals Registry Key

If the user store connection is configured with the LDAP namespace, disable the EnableADEnhancedReferrals registry key. Disabling this registry key prevents LDAP connection errors from occurring.

Contact the policy server administrator and request that the key be disabled.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Open the Registry Editor and navigate to the following location:
    HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider
    
  3. Set the value as 0 for the EnableADEnhancedReferrals key.

    Value: 0 (disabled) or 1 (enabled)

    Default: 1

  4. Exit the Registry Editor.

Enable the SASL Bind Registry Key

A Windows-based Policy Server can authenticate a user in an Active Directory using SASL. To enable the use of a SASL bind, create and enable the EnableSASLBind registry key.

Note: When enabling this setting, set the administrator name on the user directory configuration to the AD login name, rather than the fully qualified distinguished name.

Important! If you are configuring an SSL connection between the Policy Server and the user store, do not enable the registry key.

Contact the policy server administrator and request that the key be created and enabled.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Open the Registry Editor and navigate to the following location:
    HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider
    
  3. Create the EnableSASLBind registry key with a registry type of REG_DWORD.
  4. Set the value as 1.
  5. Exit the Registry Editor.
  6. Restart the Policy Server.
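The three registry changes described in this topic (the IgnoreDefaultRedirectOnADnativeDisabled, EnableADEnhancedReferrals and EnableSASLBind keys), as an added PowerShell example that is not part of the CA documentation. It assumes the LDAPProvider key path shown in the steps above exists; the $UsesLdapNamespace and $UsesSsl parameters are assumptions the operator sets to match how the user directory was configured.

```powershell
# Run elevated on the Policy Server host; restart the Policy Server afterwards.
param(
    [bool]$UsesLdapNamespace = $true,   # assumption: $false when the AD namespace is used
    [bool]$UsesSsl           = $false   # assumption: $true when Policy Server <-> AD uses SSL
)

# Registry location documented in this topic.
$Path = 'HKLM:\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider'
if (-not (Test-Path $Path)) { throw "LDAPProvider key not found: $Path" }

# Create or update a REG_DWORD value and report what changed, so the change is auditable.
function Set-DwordValue {
    param([string]$Name, [int]$Value)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value | Out-Null
        Write-Host "Created $Name = $Value"
    } elseif ($current -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
        Write-Host "Changed $Name from $current to $Value"
    } else {
        Write-Host "$Name already set to $Value"
    }
}

# Step 3 of this topic: stop natively disabled users being redirected to Password Services.
Set-DwordValue -Name 'IgnoreDefaultRedirectOnADnativeDisabled' -Value 1

# Step 6: enhanced referrals cause LDAP connection errors under the LDAP namespace.
if ($UsesLdapNamespace) { Set-DwordValue -Name 'EnableADEnhancedReferrals' -Value 0 }

# Step 7: SASL bind must not be enabled when the Policy Server talks to AD over SSL.
if ($UsesSsl) {
    Write-Warning 'SSL connection configured: EnableSASLBind left unchanged as documented.'
} else {
    Set-DwordValue -Name 'EnableSASLBind' -Value 1
}

# Record the resulting values before the restart.
Get-ItemProperty -Path $Path |
    Select-Object IgnoreDefaultRedirectOnADnativeDisabled, EnableADEnhancedReferrals, EnableSASLBind
```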

Test the User Store Connection

Test the connection by querying for a user.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Directory, User Directories.
  3. Click the name of the user store you created.
  4. Click View Contents under Directory Setup.
  5. Verify that the Search type is selected as Attribute-value.
  6. Type the Universal ID in Attribute.

    Example: sAMAccountName

  7. Type * in Value.
  8. Click Go.

    The account details appear. You have successfully connected to the user store.
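The User DN Lookup composition described under Gather User Store Information (Start string + username + End string) and the View Contents query above, reproduced from the Policy Server host with .NET DirectoryServices, as an added PowerShell example that is not part of the CA documentation. $Server and $SearchRoot are constructed placeholders; the Start and End strings are the example values from this topic, and the credential prompt stands in for the Administrator Credentials entered in the Administrative UI.

```powershell
Add-Type -AssemblyName System.DirectoryServices

$Server      = 'dc01.example.com:389'   # placeholder: AD host and port from "Server"
$SearchRoot  = 'dc=example,dc=com'      # placeholder: "LDAP search root"
$LookupStart = '(sAMAccountName='       # Start string from this topic
$LookupEnd   = ')'                      # End string from this topic

# RFC 4515 escaping so a username containing \ * ( ) or NUL cannot change the meaning
# of the filter that Start + username + End produces. Backslash must be escaped first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $v = $Value -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    return $v -replace "`0", '\00'
}

# Same composition the Policy Server performs for a user lookup.
function New-UserLookupFilter([string]$Username) {
    return $LookupStart + (ConvertTo-LdapFilterValue $Username) + $LookupEnd
}

# Bind with the administrator credentials and search from the configured root.
function Invoke-UserStoreSearch([string]$Filter, [pscredential]$Credential, [int]$Limit = 0) {
    $root = [System.DirectoryServices.DirectoryEntry]::new(
        "LDAP://$Server/$SearchRoot", $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $Filter)
    $searcher.SizeLimit = $Limit
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName'))
    return $searcher.FindAll()
}

$cred = Get-Credential -Message 'Administrator account configured for the user directory'

# Equivalent of the View Contents test: attribute sAMAccountName, value *. The wildcard is
# the search pattern here, not user input, so it is deliberately not escaped.
$probe = Invoke-UserStoreSearch -Filter ($LookupStart + '*' + $LookupEnd) -Credential $cred -Limit 1
if ($probe.Count -eq 0) { throw "No entries under $SearchRoot; check Server, search root and credentials." }
Write-Host "User store reachable; first entry: $($probe[0].Properties['distinguishedname'][0])"

# Lookup of one user as the Policy Server composes it; escaping keeps a name that
# contains ) or * from matching anything other than the intended account.
$filter = New-UserLookupFilter 'jdoe'   # constructed sample username
$user = Invoke-UserStoreSearch -Filter $filter -Credential $cred
Write-Host "Filter $filter matched $($user.Count) entry/entries"
```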