Policy Servers that have not been enabled for IdentityMinder cannot be connected to policy stores that contain IdentityMinder objects. Policy Servers that have been enabled for IdentityMinder 5.6 SP2 can be connected to 12.52 SP1 policy stores that contain IdentityMinder objects.
Note: For more information about configuring and deploying IdentityMinder, see the IdentityMinder Web Edition Installation Guide.
This release does not include an NTLM authentication scheme template. This authentication scheme type has been replaced by the Windows Authentication template. Support for NTLM authentication is now provided through the new authentication scheme template.
Symptom:
Performance is impacted when using a SQL query scheme to find user data in a non-Unicode database. The performance degradation is because default Policy Server behavior is to append an "N" to the SQL query to enable Unicode searching.
Solution:
This is no longer an issue. To prevent performance degradation when using an SQL query scheme to find user data in a non-Unicode database, use the following procedure to disable Unicode searching:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\DisableMSSQLUnicodeSearch
Unicode searching is disabled.
STAR Issue: 20517732-01
CA SiteMinder® does not support the following features:
The following system management limitations exist:
Certain pop-up blockers or Web browsers may prevent the Administrative UI help window from opening. Many pop-up blockers allow the pop-up if you press CTRL while you click the link. You can also set your Web browser to allow pop-ups from the Administrative UI.
In previous versions of the Policy Server, two ODBC connections were created for each Policy Server service. The following registry setting overrode the default value and indicated the maximum total number of ODBC connections created by the Policy Server for all services:
Netegrity\SiteMinder\CurrentVersion\Database\UserDirectoryConnections
For 12.52 SP1 Policy Servers, the maximum number of connections is determined dynamically, based on five times the maximum number of threads specified in the Policy Server Management Console. (See the Performance group box of the Settings tab in the Management Console.)
If you are upgrading to the 12.52 SP1 Policy Server from a 5.x Policy Server, remove the UserDirectoryConnections registry setting. If you do not, and the value specified by the setting is less than the maximum number of threads calculated by the Policy Server, your Policy Server logs will contain many error messages. These messages will indicate that the value of the registry setting overrides the maximum number of connections calculated by the Policy Server.
The following Policy Server limitations exist:
A user whose password includes leading spaces may not be able to authenticate under the following combination of circumstances:
Note: A password policy may or may not be enabled.
If the Policy Server has Password Services enabled, changing the password may fail if the old password length exceeds 160 UTF8 octets and the new password length exceed 160 UTF8 octets.
Certificate mappings do not work when the IssuerDN field is longer than 57 characters for policy stores that are installed on the following directories:
In the Policy Server error log, you may see an occasional handshake error related to the shared secret, followed by a successful connection. This may occur if the shared secret rollover feature was enabled for the Web Agent communicating with the Policy Server. This behavior is expected as part of a normal shared secret rollover. You can ignore these errors.
When using the SecureID forms authentication scheme, if users do not enter their passwords correctly during their initial login, they are not granted access to resources despite providing correct credentials in subsequent tries. The Policy Server presents users with an internal server error and these users must restart the Web browser to continue.
The Policy Server's X.509 Client Certificate or Form authentication scheme is not working properly when using an alternate FCC location.
When the Policy Server is using an LDAP user store, users with characters such as &, * , \, and \\ in their user names are not getting authenticated and authorized properly. For example, the Policy Server does not authenticate or authorize these sample users:
On Solaris, when resources are protected by SafeWord authentication schemes, if you enable DEBUG or ALL logging in the SmSWEC.cfg SafeWord configuration file, the Policy Server fails. As a result, do not enable DEBUG or ALL logging for SafeWord authentication schemes. The SafeWord server is PremierAccess server, using protocol 200 or 201.
This limitation is related to this new AD feature from 6.0 SP 2:
"Enhanced User Account Management and Password Services Integration with Active Directory (SM5504) (28460) (23347) (24047) (25816)"
When following the instructions in section "Enabling Active Directory Integration Enhancement", be aware that this feature is only supported for the LDAP and not the AD namespace.
The Policy Server does not have the capability to roll over the radius log. Prior to the 6.0 release, you could roll over the radius log by running the smservauth -startlog command.
The smnssetup tool was removed from distribution in 6.0 SP 4. You should use the Policy Server Configuration Wizard (ca-ps-config) to configure:
The wizard gives you the option of using either a GUI or a console window. For more information, see the Policy Server Installation Guide.
When creating Policy Server objects in the Administrative UI, you have the option of creating a copy of an existing object of the same type. The copy option is not available for the following objects:
The following user directory limitation exists:
Given
A Policy Server is configured on Solaris to use two Oracle-based user stores: one is the primary user store and the other is the secondary user store.
Result
The time for the Policy Server to failover from the primary to the secondary, in the event of a network failure, may be as long as 8 minutes.
Solution
This time can be reduced by setting the TCP/IP setting, tcp_ip_abort_interval, to the desired time.
The following Perl scripting interface limitations exist:
On Solaris, a core dump results if you call use for AgentAPI before you call use for PolicyMgtAPI. If you are calling use for both modules, do so in the following order:
With methods that return an array, undef should be returned if an error occurs or there is nothing to return. However, these methods may incorrectly return a one-element array with the first element set to undef.
The Perl Scripting Interface does not support setting multi-valued Agent configuration parameters.
The following Japanese Policy Server limitation exists:
A Shared Secret for a CA SiteMinder® Agent in a Japanese operating system environment may have no more than 175 characters.
Copyright © 2014 CA.
All rights reserved.
|
|