Issue with WS-Security Username and Password Digest authentication

Document ID:  TEC1172838
Last Modified Date:  07/05/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1

Components

  • SITEMINDER SECURE PROXY SERVER:SMSPS
Problem:

When we try to use the 12.52 SP1 CR5 Web Services Security (WSS) Agent installed on WebSphere 8.5, username and password digest authentication does not work.

If we switch to plain text username and password authentication, the transaction is successful. 

Why doesn't digest authentication work?

Environment:
ProductName=CA SiteMinder Web Services Security FullVersion=12.52.105.2112
Cause:

There is a limitation with the Active Directory user store. For the WS-Security Password Digest Authentication Scheme, the Authentication Scheme tries to retrieve the userPassword attribute and uses it to check the digest value that the user sends as part of the input request.

 

For Active Directory, UserPassword or unicodePwd attributes cannot be retrieved for security reasons.  

 

The WS-Security Username Password Authentication Scheme in SiteMinder can currently support only the cleartext form. We cannot support the Digest form because of these security reasons.

 

Below is a link from the Microsoft community:

"The users' password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read due to security reasons."

https://social.technet.microsoft.com/Forums/ie/en-US/63e3cf2d-f186-418e-bc85-58bdc1861aae/view-password-hash-in-active-directory?forum=winserverfiles
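
The dependency described under Cause, as an added example (not CA or SiteMinder code): the OASIS UsernameToken Profile defines the digest as Base64(SHA-1(nonce + created + password)), so a verifier can only check it if the user store hands back the cleartext password. The lookup functions, user name and password below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password))."""
    sha1 = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(sha1.digest()).decode("ascii")

def build_token(username: str, password: str, created: str) -> dict:
    """Client side: the fields a digest UsernameToken carries (no password)."""
    nonce = os.urandom(16)
    return {
        "username": username,
        "nonce": base64.b64encode(nonce).decode("ascii"),
        "created": created,
        "digest": password_digest(nonce, created, password),
    }

def verify_token(token: dict, read_password) -> bool:
    """Server side: recompute the digest from the password the user store returns.
    Replay checks on nonce/created are omitted to keep the focus on the lookup."""
    stored = read_password(token["username"])
    if stored is None:
        # Nothing to hash: the digest cannot be checked at all.
        raise LookupError("user store returned no password for " + token["username"])
    nonce = base64.b64decode(token["nonce"])
    expected = password_digest(nonce, token["created"], stored)
    return hmac.compare_digest(expected, token["digest"])

# Constructed sample stores (hypothetical, for illustration only).
READABLE_STORE = {"jdoe": "S3cret!"}   # a directory that returns userPassword

def readable_lookup(user):
    return READABLE_STORE.get(user)

def ad_like_lookup(user):
    return None                        # AD does not return userPassword/unicodePwd

def demo() -> dict:
    token = build_token("jdoe", "S3cret!", "2017-07-05T10:00:00Z")
    result = {"readable_store": verify_token(token, readable_lookup)}
    try:
        verify_token(token, ad_like_lookup)
    except LookupError:
        result["ad_like_store"] = "cannot verify"
    return result

if __name__ == "__main__":
    print(demo())
```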

Workaround:

The workaround for this issue is to use the plain text username and password Authentication Scheme (cleartext).
