Configure an Active Directory User Store Connection

Prerequisites
Verify that the following are in place before you configure an AD user store connection:
  • The Administrative UI is installed and registered with the Policy Server.
  • An administrator account with the required privileges to create a user store connection.
For information about common Active Directory LDAP bind errors, refer to MSDN on the Microsoft website.
Select an AD or LDAP Namespace for the Connection
You can configure the user store connection as an AD or LDAP namespace. The type of namespace that you select affects supported features and other areas of CA Single Sign-On functionality.
The following lists describe the advantages and disadvantages of the AD and LDAP namespaces:
AD namespace
  • SSL connectivity using a native Windows certificate database.
  • The Policy Server and the systems hosting Active Directory user stores must have an established trust.
  • Support for native Windows SASL, which allows for secure LDAP bind operations.
  • No support for enhanced LDAP referrals.
  • No support for LDAP paging and sorting operations.
  • No support for a multibyte character set.
    To use a multibyte character set, configure the directory connection using an LDAP namespace. Regardless of the code page that you are using, the Policy Server treats characters as they are defined in Unicode, even if your code page references a character as single-byte.
LDAP namespace
  • Support for enhanced LDAP referrals.
  • Support for LDAP paging and sorting.
  • No support for native Windows SASL.
  • The object class attribute is not indexed.
    To run efficiently with an Active Directory user directory, index the object class attribute in Active Directory. For more information about indexing, see your vendor-specific documentation.
  • Uses a Windows user security context. An agent can run in a Windows user security context so that users can access web resources on IIS web servers. For the Policy Server to provide the Windows user security context:
    1. Configure a session store and enable persistent sessions on a per-realm basis.
    2. In the Administrative UI, enable the context by selecting the Use authenticated user's security context option under Directory Setup.
Gather User Store Information
Gather the required information for the LDAP settings and the user attributes before creating the user store connection.
Contact the directory server administrator to gather this information.
  • Server
    Specifies the IP address and port of the Active Directory host system.
  • LDAP search root
    Specifies the location in the LDAP tree that the Policy Server uses as the starting point for the directory connection. The Policy Server begins searching at the root when locating a user.
    Example:
    dc=domainname,dc=com
  • User DN Lookup
    Specifies the text string of an LDAP search expression or user DN for locating users in an LDAP user store. A complete lookup requires a Start and End string. The combination of the Start string, username, and End string is used to search the LDAP user store.
    Example (Start):
    (sAMAccountName=
    Example (End):
    )
  • Universal ID
    Specifies the name of the attribute the Policy Server uses as the Universal ID.
    Example:
    sAMAccountName
  • Disabled Flag
    Specifies the name of the user directory attribute that holds the disabled state of the user.
    Example:
    carLicense (or any integer attribute)
  • Password
    Specifies the name of the user directory attribute that the Policy Server uses to authenticate the password of a user.
    Example:
    unicodePwd
  • Password Data
    Specifies the name of the user directory attribute that the Policy Server uses for Password Services data.
    Example:
    audio
    The value for Password Data can be any large binary attribute. A value is needed only if you are using Basic Password Services.
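The User DN Lookup above is assembled as Start string + username + End string. The following is an added example, not code from the CA Single Sign-On documentation, showing that assembly with the username escaped per RFC 4515 so that characters typed at a login prompt cannot change the search filter; the Start and End values are the page's examples, and the usernames are constructed.

```python
# Added example; not code from the CA Single Sign-On documentation.
# It builds the LDAP search filter that the User DN Lookup describes
# (Start string + username + End string) and escapes the username per
# RFC 4515 so that characters typed at the login prompt cannot change
# the filter. Start/End are the page's examples; usernames are constructed.

LOOKUP_START = "(sAMAccountName="
LOOKUP_END = ")"

# RFC 4515 section 3: characters that must be encoded as \XX in a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lookup_attribute(start: str = LOOKUP_START) -> str:
    """Return the attribute a Start string searches on (e.g. sAMAccountName)."""
    if not (start.startswith("(") and start.endswith("=")):
        raise ValueError(f"unexpected Start string: {start!r}")
    return start[1:-1]


def build_user_lookup_filter(username: str,
                             start: str = LOOKUP_START,
                             end: str = LOOKUP_END) -> str:
    """Return Start + escaped username + End for one account.

    A bare '*' is the wildcard that the connection test on this page uses
    on purpose; escaping it means a login name can only match literally.
    """
    lookup_attribute(start)  # validate the Start string first
    if not username.strip():
        raise ValueError("username must not be empty")
    return f"{start}{escape_filter_value(username)}{end}"


if __name__ == "__main__":
    for name in ("jdoe", "*", "a)(b"):
        print(build_user_lookup_filter(name))
```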
Disable Password Services Redirect for Natively Disabled Unauthorized Users
By default, CA Single Sign-On reprompts users for credentials if those users are natively disabled in the directory server. The Policy Server redirects these users to Password Services, even if Password Services is not enabled for the authentication scheme protecting the resource.
To prevent this behavior, the following registry key is required:
IgnoreDefaultRedirectOnADnativeDisabled
Contact the policy server administrator and request that the key be created and enabled.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Open the Registry Editor and navigate to the following location:
    HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider
  3. Create the IgnoreDefaultRedirectOnADnativeDisabled registry key with a registry type of REG_DWORD.
    Value:
    0 (disabled) or 1 (enabled)
    Default:
    0
  4. Set the value to 1.
  5. Exit the Registry Editor.
  6. Restart the Policy Server.
If a password policy that specifies a redirect to Password Services is in effect, CA Single Sign-On redirects the natively disabled users to Password Services regardless of this registry key setting.
Enable Enhanced Active Directory Integration
Active Directory 2008 has several user and domain attributes that are specific to the Windows network operating system (NOS). The LDAP standard does not require these user and domain attributes. If Basic Password Services is enabled, enable Enhanced Active Directory Integration using the Administrative UI. This option improves the integration between the user management feature of the Policy Server and Password Services with AD by synchronizing AD user attributes with CA Single Sign-On mapped user attributes.
Follow these steps:
  1. Log in to the Administrative UI.
  2. Click Administration, Policy Server, Global Tools.
  3. Select Enhance Active Directory Integration.
  4. Click Submit.
    Enhanced Active Directory integration is enabled.
Create the User Store Connection
Configuring the user store connection lets the Policy Server communicate with Active Directory. If the environment uses Password Services, an SSL connection and a password attribute (for example, unicodePwd) are required.
For more information about configuring Active Directory to communicate over SSL, see your vendor-specific documentation.
Follow these steps:
  1. Log in to the Administrative UI.
  2. Click Infrastructure, Directory, User Directories.
  3. Click Create User Directory.
  4. Microsoft Active Directory is an LDAP-compliant user directory. You can configure the connection using the AD namespace or the LDAP namespace. Do one of the following:
    • Leave the default LDAP settings.
    • Select AD from the Namespace list.
  5. Complete the remaining required connection information in the General and Directory Setup sections.
    If the Policy Server and an Active Directory namespace communicate over an SSL connection, specify the fully qualified domain name (FQDN) and port in the Server field in the Directory Setup section. If you do not include the FQDN, the Policy Server logs an error stating that the user directory cannot be contacted. A Windows event is also logged that reports that the certificate does not match the server name.
    The certificates that the Policy Server and the directory store use must be FIPS-compliant when both of the following conditions apply:
    • The Policy Server is operating in FIPS mode.
    • The directory connection uses a secure SSL connection when communicating with the Policy Server.
  6. (Optional) Click Configure under Directory Setup to configure load balancing and failover.
  7. Under Administrator Credentials, do the following:
    1. Select Require Credentials.
    2. Enter the credentials of an administrator account. Specify the fully qualified domain name (FQDN) of the administrator in the Username field. Otherwise, user authentication can fail.
  8. Configure the LDAP Search and LDAP User DN Lookup settings in the LDAP Settings area.
  9. Specify the user directory profile attributes that are reserved for CA Single Sign-On use in the User Attributes area.
  10. (Optional) Click Create in the Attribute Mapping List area to configure the user attribute mapping.
  11. Click Submit. The user directory connection is created. 
The new user directory connection is not available to the Policy Server until the Policy Server applies administrative changes (every 60 seconds by default). This same condition applies when a user directory connection is modified.
Disable the EnableADEnhancedReferrals Registry Key
If the user store connection is configured with the LDAP namespace, disable the EnableADEnhancedReferrals registry key. Disabling this registry key prevents LDAP connection errors from occurring.
Contact the policy server administrator and request that the key be disabled.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Open the Registry Editor and navigate to the following location:
    HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider
  3. Set the value to 0 for the EnableADEnhancedReferrals key.
    Value:
    0 (disabled) or 1 (enabled)
    Default:
    1
  4. Exit the Registry Editor.
Enable the SASL Bind Registry Key
A Windows-based Policy Server can authenticate a user in Active Directory using SASL. To enable the use of a SASL bind, create and enable the EnableSASLBind registry key. When enabling this setting, set the administrator name on the user directory configuration to the AD login name, rather than the fully qualified distinguished name.
If you are configuring an SSL connection between the Policy Server and the user store, do not enable the registry key.
Contact the policy server administrator and request that the key be created and enabled.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Open the Registry Editor and navigate to the following location:
    HKEY_LOCAL_MACHINE\Software\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider
  3. Create the
    EnableSASLBind
    registry key with a registry type of REG_DWORD.
  4. Set the value to 1.
  5. Exit the Registry Editor.
  6. Restart the Policy Server.
Test the User Store Connection
Test the connection by querying for a user.
Follow these steps:
  1. Log in to the Administrative UI.
  2. Click Infrastructure, Directory, User Directories.
  3. Click the name of the user store you created.
  4. Click View Contents under Directory Setup.
  5. Verify that Attribute-value is selected as the Search type.
  6. Type the Universal ID in Attribute.
    Example:
    sAMAccountName
  7. Type * in the Value field.
  8. Click Go.
    The account details appear. You have successfully connected to the user store.