Configure Active Directory Connections
Before you configure a connection to an Active Directory consider the following:
- For Windows deployments, SiteMinder establishes the Windows user context by passing the user's fully-qualified Windows id and password to IIS. SiteMinder obtains the fully-qualified Windows id from the user's DN entry by concatenating the login name of the authenticated user with the first dc value found in the user's LDAP DN. The login name is usually the same value as the SM_USER header. For example, if the user DN is cn=name,cn=user_group,dc=server,dc=domain,dc=extension and the username is user_name, the resulting Windows id is server\user_name. IIS requires that user_name be the same as the Windows user id and that <server> be the logon domain name.
- The AD namespace does not support multi-byte character sets. To use a multi-byte character set with Active Directory, configure your directory connection using the LDAP namespace.
Note: Regardless of the code page you are using, SiteMinder treats characters as they are defined in Unicode. Although your code page may reference a special character as single-byte, SiteMinder treats it as a multi-byte character if Unicode defines it as such.
- When authenticating against an AD namespace, the Policy Server binds to Active Directory using SASL. If a user's common name (CN) is different from the user's Windows logon name, the user can still authenticate even if the EnableSaslBind registry setting exists on the Policy Server machine.
The EnableSaslBind setting is a DWORD registry key that you can set to 0 or 1:
HKLM\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider\EnableSaslBind
This setting enables or disables the SASL protocol when authenticating users. If EnableSaslBind does not exist, create it and set it to 1 to bind with SASL. If EnableSaslBind exists and you set it to 0, the bind occurs with the simple authentication mechanism.
- In order for the Policy Server to identify the AD domain of an AD namespace, which is necessary to read account lock status, you must configure the LDAP search root of the user directory as the DN of the domain. If you set the LDAP search root to any other DN, the Policy Server cannot identify the AD domain and is therefore unable to read the Windows lockout policy associated with the domain. As a result, users that are locked through the AD console can appear enabled when viewed in the Policy Server User Interface User Management dialog.
For example, suppose you have created five users through the AD console at DN ou=People,dc=clearcase,dc=com and locked two of them. The SiteMinder User Management dialog shows the locked users as disabled only if you configure the LDAP search root as the DN of the AD domain (that is, dc=clearcase,dc=com). If you configure the LDAP search root as ou=People,dc=clearcase,dc=com, the locked users are incorrectly shown as enabled.
- By default, SiteMinder re-prompts users for credentials when they are unauthorized due to being natively disabled in the directory server. This behavior does not occur for users stored in Active Directory. Rather, SiteMinder redirects natively disabled users to Password Services, even if Password Services is not enabled for the authentication scheme protecting the resource. Create and enable IgnoreDefaultRedirectOnADnativeDisabled to prevent this Active Directory behavior.
IgnoreDefaultRedirectOnADnativeDisabled
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\CurrentVersion\Ds\LDAPProvider
Values: 0 (disabled) or 1 (enabled)
Default: 0. If the registry key is disabled, the default behavior is in effect.
Note: If a password policy is in effect that specifies a redirect to Password Services, SiteMinder redirects the natively disabled users to Password Services regardless of the registry key’s setting.
Note: When you create or modify a Policy Server object in the Policy Server User Interface, use ASCII characters. Object creation or modification with non-ASCII characters is not supported.
To configure a connection to an Active Directory
- Open the User Directory Dialog (see Navigate to the User Directory Dialog).
- In the Directory Setup tab, select the AD namespace or the LDAP namespace from the Namespace drop-down list.
Microsoft Active Directory is an LDAP-compliant user directory, so you can configure your Active Directory connection using either the AD namespace or the LDAP namespace.
- In the Directory Setup tab, enter connection information for your Active Directory as described in User Directory Dialog—AD Namespace Directory Setup Tab.
Note the following:
- The value in the Root field of the LDAP Search group box will typically have the following format:
dc=<server>,dc=<domain>,dc=<extension>
For example, dc=server,dc=myorg,dc=org
- For secure connections from the Policy Server to an AD namespace over SSL, you must specify the FQDN and port number in the Server field of the Directory Setup group box.
If you specify only the IP address rather than the FQDN, the following error appears in the logs: error 29, “User Directory Can Not be Contacted”
An event also appears in the Windows Event Log stating that the certificate does not match the name of the server.
- To configure the directory connection to include multiple servers for failover and load balancing, click the Configure button in the Directory Setup group box. (See Load Balancing/Failover Configuration for LDAP Directory Connections).
- Optionally, in the Credentials and Connection tab, specify administrator credentials that the Policy Server will use to connect to the Active Directory, and specify whether the connection to the directory will use SSL as described in User Directory Dialog—AD Namespace Credentials and Connection Tab.
You can also specify whether or not the Policy Server should provide a Windows user security context. See How a Windows User Security Context Is Obtained for more information.
The administrator user name typically takes a form similar to the following:
cn=<administrator>,cn=<administrator’s group>,dc=<server>,dc=<organization>,dc=<com, net, etc.>
- Optionally, in the User Attributes tab, specify directory attributes that will be reserved for use by SiteMinder features. See Specify Directory Attributes.
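The following Python script is an added example, not code from the SiteMinder documentation or product. It applies three rules stated above in a form you can run before saving a connection: the derivation of the Windows id from the login name and the first dc value of the user DN, the requirement that the LDAP search root be the domain DN (otherwise lockout status is not read), and the requirement that an SSL connection name the server by FQDN and port rather than IP address. The DN parser, the field names (server, search_root, use_ssl) and the sample values are constructed for this example; the parser also handles escaped commas in a CN, which the page does not discuss.

```python
import ipaddress


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs.

    A backslash-escaped character (for example in 'cn=Smith\\, John') is kept
    inside the value so that an escaped comma does not start a new RDN.
    Attribute names are lower-cased; values are stripped of surrounding space.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def windows_id_from_dn(login_name, user_dn):
    """Rule from the page: login name prefixed by the first dc value in the DN."""
    for attr, value in parse_dn(user_dn):
        if attr == "dc":
            return f"{value}\\{login_name}"
    raise ValueError("user DN has no dc component; no Windows domain can be derived")


def domain_dn_of(dn):
    """The trailing run of dc= components of a DN, i.e. the DN of the AD domain."""
    tail = []
    for attr, value in reversed(parse_dn(dn)):
        if attr != "dc":
            break
        tail.append(f"dc={value}")
    if not tail:
        raise ValueError("DN has no dc components")
    return ",".join(reversed(tail))


def is_domain_dn(dn):
    """True when every RDN is a dc= component, so the search root is the domain DN."""
    return all(attr == "dc" for attr, _ in parse_dn(dn))


def check_ad_connection(server, search_root, use_ssl):
    """Return a list of findings for an AD namespace connection; empty means OK."""
    findings = []
    if not is_domain_dn(search_root):
        findings.append(
            f"search root {search_root!r} is not the domain DN, so lockout status "
            f"will not be read; use {domain_dn_of(search_root)!r}")
    if use_ssl:
        host, sep, port = server.rpartition(":")
        if not sep or not port.isdigit():
            findings.append("SSL connection: Server field must include the port, e.g. fqdn:636")
            host = server
        try:
            ipaddress.ip_address(host)  # succeeds only for a bare IP address
            findings.append(
                f"SSL connection: {host!r} is an IP address, not an FQDN; the certificate "
                "name check fails (error 29, User Directory Can Not be Contacted)")
        except ValueError:
            pass  # a hostname, as required
    return findings


if __name__ == "__main__":
    print(windows_id_from_dn("user_name", "cn=name,cn=user_group,dc=server,dc=domain,dc=extension"))
    # constructed misconfiguration: IP address, no port, search root below the domain
    for finding in check_ad_connection("10.0.0.5", "ou=People,dc=clearcase,dc=com", use_ssl=True):
        print("-", finding)
```

Running the script with the constructed misconfiguration reports all three problems; a root of dc=clearcase,dc=com with a Server field such as ad.clearcase.com:636 produces no findings.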
More information:
Load Balancing/Failover Configuration for LDAP Directory Connections
Specify Directory Attributes