Release Notes › Policy Server Release Notes › Installation and Upgrade Considerations › Unsupported Features

Unsupported Features

he following features are not supported by SiteMinder:

• An external administrator user store with an Administrative UI configured with WebSphere
• SafeWord authentication scheme on Red Hat AS
• SiteMinder Test Tool on Red Hat AS
• Password services with Microsoft Active Directory Global Catalog
• Password services with the Microsoft Active Directory 2008 fine grained password policy feature
• Enhanced LDAP referrals with Microsoft Active Directory Application Mode (ADAM)
• Enhanced LDAP referrals with Novell eDirectory
• Enhanced LDAP referrals with Siemens DirX is only supported for searches and writes. That is, password services write referrals is supported. However, enhanced referrals for binds and thus authentication is not supported.

System Management Limitations

The following system management limitations exist:

Pop-up Blockers May Interfere with Help

Certain pop-up blockers or Web browsers may prevent the Administrative UI help window from opening. Many pop-up blockers allow the pop-up if you press CTRL while you click the link. You can also set your Web browser to allow pop-ups from the Administrative UI.

Registry Setting No Longer Required for Setting the Maximum Number of Connections (27442)

In previous versions of the Policy Server, two ODBC connections were created for each Policy Server service. The following registry setting overrode the default value and indicated the maximum total number of ODBC connections created by the Policy Server for all services:

Netegrity\SiteMinder\CurrentVersion\Database\UserDirectoryConnections

For r12.0 SP3 Policy Servers, the maximum number of connections is determined dynamically, based on five times the maximum number of threads specified in the Policy Server Management Console. (See the Performance group box of the Settings tab in the Management Console.)

If you are upgrading to the r12.0 SP3 Policy Server from a 5.x Policy Server, remove the UserDirectoryConnections registry setting. If you do not, and the value specified by the setting is less than the maximum number of threads calculated by the Policy Server, your Policy Server logs will contain many error messages. These messages will indicate that the value of the registry setting overrides the maximum number of connections calculated by the Policy Server.

Policy Server Limitations

The following Policy Server limitations exist:

Error Changing Long Password When Password Services is Enabled (26942)

If the Policy Server has Password Services enabled, changing the password may fail if the old password length exceeds 160 UTF8 octets and the new password length exceed 160 UTF8 octets.

Leading Spaces in User Password May Not Be Accepted (27619)

A user whose password includes leading spaces may not be able to authenticate under the following combination of circumstances:

• The Policy Server is running on Solaris.
• The password with leading spaces is stored in an LDAP User Store.

Note: A password policy may or may not be enabled.

Certificate Mappings Issue with certain Policy Stores (27027, 30824, 29487)

Certificate mappings do not work when the IssuerDN field is longer than 57 characters for policy stores that are installed on the following directories:

• Novell eDirectory
• Active Directory

Handshake Errors with Shared Secret Rollover Enabled (27406)

In the Policy Server error log, you may see an occasional handshake error related to the shared secret, followed by a successful connection. This may occur if the shared secret rollover feature was enabled for the Web Agent communicating with the Policy Server. This behavior is expected as part of a normal shared secret rollover. You can ignore these errors.

Policy Servers Sharing Policy Store Not Updated Consistently

Symptom:

If multiple Policy Servers share a single policy store, the data inside the policy store could possibly be out of synchronization. Synchronization issues can occur under the following conditions:

• The system times on the Policy Servers differ.
• Network latency.

For example, suppose the system time on Policy Server A is 10:00, and the system time on Policy Server B is 10:05. Policy Server A sends its data to the policy store at 10:00. Policy Server B does not record any changes in the data timestamped before 10:05 because those events appear to have occurred earlier.

Solution:

To accommodate different system times or network latency issues:

1. Create the following DWORD registry setting:

   SiteMinder\CurrentVersion\ObjectStore 
   Key: ServerCommandTimeDelay
   

2. Set the value of the key to the number of seconds that corresponds to the time difference. For example, for a five-minute time difference, set the value of the key to 300.

Internal Server Error When Using SecureID Forms Authentication Scheme (39664)

When using the SecureID forms authentication scheme, if users do not enter their passwords correctly during their initial login, they are not granted access to resources despite providing correct credentials in subsequent tries. The Policy Server presents users with an internal server error and these users must restart the Web browser to continue.

X.509 Client Certificate or Form Authentication Scheme Issue (39669)

The Policy Server's X.509 Client Certificate or Form authentication scheme is not working properly when using an alternate FCC location.

Certain User Name Characters Cause Authenticating or Authorizing Problems (39832)

When the Policy Server is using an LDAP user store, users with characters such as &, * , \, and \\ in their user names are not getting authenticated and authorized properly. For example, the Policy Server does not authenticate or authorize these sample users:

• use&r1
• use*r2
• use\r3
• use\\r4

DEBUG Logging With SafeWord Authentication Causes Policy Server to Fail (42222, 43051)

On Solaris, when resources are protected by SafeWord authentication schemes, if you enable DEBUG or ALL logging in the SmSWEC.cfg SafeWord configuration file, the Policy Server fails. As a result, do not enable DEBUG or ALL logging for SafeWord authentication schemes. The SafeWord server is PremierAccess server, using protocol 200 or 201.

Active Directory Integration Enhancement For LDAP Namespace (43264, 42601)

This limitation is related to this new AD feature from 6.0 SP 2:

"Enhanced User Account Management and Password Services Integration with Active Directory (SM5504) (28460) (23347) (24047) (25816)"

When following the instructions in section "Enabling Active Directory Integration Enhancement", be aware that this feature is only supported for the LDAP and not the AD namespace.

Policy Server Does Not Support Roll Over of Radius Log (44398) (43729) (42348)

The Policy Server does not have the capability to roll over the radius log. Prior to the 6.0 release, you could roll over the radius log by running the smservauth -startlog command.

smnssetup Tool Deprecated (44964) (45908) (46489)

The smnssetup tool was removed from distribution in 6.0 SP 4. You should use the Policy Server Configuration Wizard (ca-ps-config) to configure:

• OneView Monitor GUI
• SNMP support
• Policy stores

The wizard gives you the option of using either a GUI or a console window. For more information, see the Policy Server Installation Guide.