This section contains the following topics:
How to Enable Enhanced Active Directory Integration
The Policy Server Global Tools task lets you enable and disable user tracking. If you enable user tracking, SiteMinder Web Agents save Global Unique Identifiers (GUIDs) in cookies. When users access a resource protected by an Anonymous authentication scheme for the first time, the Web Agent creates a cookie that includes the user’s GUID. Each GUID is a unique value, therefore, it may be used to track an anonymous user and customize Web content.
Affiliate Agents require user tracking. If you are using SiteMinder for a network that includes Affiliate Agents, you must enable user tracking as described in the following procedure.
To enable user tracking
The Global Tools pane opens.
The Policy Server enables user tracking.
You can enable and disable nested security, which provides backwards compatibility for older versions of CA SiteMinder®.
To enable the nested security option
The Global Tools pane opens.
The Policy Server enables nested security.
The process of enabling enhanced active directory integration involves the following three steps:
If the version of Active Directory in use does not include the pwdLastSet attribute, then create the Policy Server registry key IgnoreADpwdLastSet.
Important! Create the IgnoreADpwdLastSet registry key and set a value of 1, only for those installations that do not have the pwdLastSet attribute defined.
Follow these steps:
SiteMinder\CurrentVersion\Ds\LDAPProvider
Specifies the Policy Server installation path.
Value: 1
Active Directory 2008 has several user and domain attributes that are specific to the Windows network operating system (NOS) and are not required by the LDAP standard. These attributes are:
If you configure the Policy Server to use Active Directory as a user store, enable Enhanced Active Directory Integration from the Policy Server Global Tools task available from the Administrative UI. This option improves the integration between the Policy Server’s user management feature and Password Services with Active Directory by synchronizing Active Directory user attributes with SiteMinder mapped user attributes.
Follow these steps:
The Global Tools pane opens.
Note: After enabling this feature, you must have administrator credentials to modify the AD user store and have privileges to update AD attributes. If you do not have these credentials and privileges, the Policy Server returns an error message.
The Policy Server enables enhanced Active Directory integration.
dc=WindowsDomain,dc=com
Note: If the Root field is set to another value, AD-specific features may not work.
After you enable enhanced active directory integration, configure a user directory connection.
Follow these steps:
The Create User Directory page appears with the required settings to configure an LDAP connection.
Note: If the Policy Server is operating in FIPS mode and the directory connection is to use a secure SSL connection when communicating with the Policy Server, the certificates used by the Policy Server and the directory store must be FIPS compliant.
Specifies the parameters for locating users in an LDAP user store.
Specifies the text string that acts as the beginning of an LDAP search expression or user DN. When a user attempts to login, the Policy Server prepends this string to the beginning of the username.
Value: (sAMAccountName=
Specifies the name of the attribute SiteMinder uses as the Universal ID.
Value: sAMAccountName
Specifies the name of the user directory attribute that holds the disabled state of the user.
Value: carLicense (or any integer attribute)
Specifies the name of the user directory attribute that SiteMinder should use to authenticate a user’s password.
Value: unicodePwd
Specifies the name of the user directory attribute that SiteMinder can use for Password Services data.
Value: audio
The value for Password Data can be any large binary attribute. A value is needed only if you are using Basic Password Services.
Note: For more information about the other fields, see the Administrative UI Help.
The user directory connection is created.
Copyright © 2013 CA.
All rights reserved.
|
|