Previous Topic: How to Configure an Active Directory Directory Connection

Next Topic: LDAP Namespace for an Active Directory Connection

Active Directory Considerations

Before you configure a connection to an Active Directory consider the following:

Windows deployments

SiteMinder establishes the Windows user context by passing the user's fully qualified Windows ID and password to IIS. SiteMinder obtains the fully qualified Windows ID from the user's DN entry by concatenating the first cn and dc values found in the DN. For example, if the user DN is:

cn=<username>,cn=<usergroup>,dc=<server>,dc=<domain>,
dc=<extension>

The resulting Windows ID is <server>\<username>. IIS requires the <username> to be the same as the Windows user ID and the <server> to be the log-on domain name.

Multi-byte Character Support

The AD namespace does not support multi-byte character sets. To use a multi-byte character set with Active Directory, configure your directory connection using the LDAP namespace.

Note: Regardless of the code page you are using, SiteMinder treats characters as they are defined in Unicode. Although your code page can reference a special character as single-byte, SiteMinder treats it as a multi-byte character if Unicode defines it as such.

Authentication against an AD namespace

The Policy Server binds to Active Directory using SASL. If a user's common name (CN) is different from the user's Windows logon name, the user can still authenticate even if the EnableSaslBind registry setting exists on the Policy Server machine.

The EnableSaslBind setting is a DWORD registry key that you can set to 0 or 1:

HKLM\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider\EnableSaslBind

This setting disables or enables the SASL protocol while authenticating users. For example, if EnableSaslBind does not exist and you configure this setting to 1, the bind occurs with SASL. If EnableSaslBind exists and you configure this setting to 0, the bind occurs with Simple Authentication mechanism.

Administrator Credentials

When configuring a user directory in the Active Directory (AD) namespace, specify the fully qualified domain name (FQDN) of the administrator in the Username field on the Administrator Credentials group box. If you do not satisfy this requirement, user authentication can fail.

LDAP Search Root Configuration

In order for the Policy Server to identify the AD domain of an AD namespace, which is necessary to read account lock status, configure the LDAP search root of the user directory as the DN of the domain. If you set the LDAP search root to any other DN, the Policy Server is not able to identify the AD domain and is therefore unable to read the Windows lockout policy associated with the domain. This situation can lead users that are locked through the AD console to appear enabled when viewed in the Administrative UI User Management dialog.

For example, create five users through the AD console at DN ou=People,dc=clearcase,dc=com and lock two of these users. The SiteMinder User Management dialog shows locked users as disabled only if the LDAP search root is configured as the DN of the AD domain (that is, dc=clearcase,dc=com). If you configure the LDAP search root as ou=People,dc=clearcase,dc=com, the locked users are incorrectly shown as enabled.

Disable Password Services Redirect for Natively Disabled Unauthorized Users

By default, SiteMinder reprompts users for credentials when they are unauthorized due to being natively disabled in the directory server. This behavior does not occur for users stored in Active Directory. Rather, SiteMinder redirects natively disabled users to Password Services, even if Password Services is not enabled for the authentication scheme protecting the resource. Create and enable IgnoreDefaultRedirectOnADnativeDisabled to prevent this Active Directory behavior.

IgnoreDefaultRedirectOnADnativeDisabled

Location: HKEY_LOCAL_MACHINE/SOFTWARE/Netegrity/Siteminder/CurrentVersion/Ds/LDAPProvider

Values: 0 (disabled) or 1 (enabled)

Default: 0. If the registry key is disabled, the default behavior is in effect.

Note: If a password policy is in effect that specifies a redirect to Password Services, SiteMinder redirects the natively disabled users to Password Services regardless of the registry key's setting.

Active Directory Namespace Does Not Support Paging

The Active Directory namespace does not support paging, causing searches of more than 1000 users to fail. To support searches of large numbers of users in the Active Directory namespace, enable the following registry key by setting it to one:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\
LDAPProvider\EnablePagingADNameSpace

Values: 0 (disabled) or 1 (enabled)

Default Value: 0

LDAP Namespace for an Active Directory User Directory Connection

When accessing an Active Directory user directory using an LDAP namespace, disable the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\
LDAPProvider\EnableADEnhancedReferrals

Values: 0 (disabled) or 1 (enabled)

Default Value: 1

This step prevents LDAP connection errors from occurring.


Copyright © 2010 CA. All rights reserved. Email CA about this topic