getUserFromSMTOKEN fails with Exception getting administrator

Document ID:  TEC1759254
Last Modified Date:  08/11/2017

Products

  • CA Identity Manager

Releases

  • CA Identity Manager:Release:14.0
  • CA Identity Manager:Release:12.6.0
  • CA Identity Manager:Release:12.5

Components

  • IdentityMinder(Identity Manager):IDMGR
Problem:

When integrated with a SiteMinder policy server, Identity Manager intermittently throws the following errors when performing tasks that change the user password:

[12/11/16 8:58:42:596 EST] 00000122 SystemOut O 08:58:42,596 DEBUG [ims.tasktrack.LLSDK] Sending server reqest with ID: 19 for method [getUserFromSMTOKEN]
[12/11/16 8:58:42:659 EST] 00000122 SystemOut O 08:58:42,659 DEBUG [ims.tasktrack.LLSDK] Receiving server response for request with ID:19
[12/11/16 8:58:42:659 EST] 00000122 SystemOut O 08:58:42,659 DEBUG [ims.ui] Exception getting administrator ($SM${RC2}Yt5wh5ozldpnf/8f8Ze3WpQoKzcWW01JGZaNo8oQkL3lf8Q7QDB7AMmzFpgBFQ+snrYQO/K2WjO91vKbcRoqnyB6sakoGeVX1HIVc4+lG60=)
[facility=4 severity=2 reason=0 status=38 message=No items found] 

Environment:
Any Identity Manager version that is integrated with SiteMinder where there may be multiple policy servers authenticating the user directory in question.
Cause:

SiteMinder user directories can have Identity Manager handle password changes for users. In this configuration, a user may log in to a SiteMinder protected resource and then be forced to reset their password due to password expiration or some other policy that forces a password change. In these cases, the users are authenticated and given an SMTOKEN value by the policy server. The user is then redirected to a public page on the Identity Manager server that is associated with this user directory. Identity Manager takes the SMTOKEN value and asks the policy server to validate it and provide the username that needs to have the password reset.

In some cases the policy server that Identity Manager asks to validate the SMTOKEN value is NOT the policy server that issued the token. This can happen if there are multiple policy servers protecting different resources and those policy stores have a shared key store.

This error may occur if the policy store's system times are not in sync, since the SMTOKEN value has a limited lifespan.

Resolution:

To resolve this problem, all of the Policy Server machines in the scenario should have the system time synchronized against a common time server at the OS level. Please consult your OS documentation for further information on how to do this.
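
To measure how often the failure occurs, for example before and after the clocks are synchronized, the Identity Manager log can be scanned for the sequence shown in the Problem section. The following Python is an added example, not CA code: the function name is hypothetical and the sample lines are constructed, modelled on the excerpt above with the token value replaced by a placeholder.

```python
import re

# Prefix as in the excerpt: [date time zone] thread SystemOut O time LEVEL [logger] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<thread>\S+) SystemOut\s+O .*? \[[\w.]+\] (?P<msg>.*)$")
SEND = re.compile(r"Sending server req\w+ with ID: ?(\d+) for method \[getUserFromSMTOKEN\]")
RECV = re.compile(r"Receiving server response for request with ID: ?(\d+)")
STATUS = re.compile(r"^\[facility=\d+ severity=\d+ reason=\d+ status=(\d+) message=([^\]]*)\]")

# Constructed sample: request 18 succeeds, request 19 fails as in the article.
SAMPLE = """\
[12/11/16 8:58:41:100 EST] 00000121 SystemOut O 08:58:41,100 DEBUG [ims.tasktrack.LLSDK] Sending server reqest with ID: 18 for method [getUserFromSMTOKEN]
[12/11/16 8:58:41:150 EST] 00000121 SystemOut O 08:58:41,150 DEBUG [ims.tasktrack.LLSDK] Receiving server response for request with ID:18
[12/11/16 8:58:42:596 EST] 00000122 SystemOut O 08:58:42,596 DEBUG [ims.tasktrack.LLSDK] Sending server reqest with ID: 19 for method [getUserFromSMTOKEN]
[12/11/16 8:58:42:659 EST] 00000122 SystemOut O 08:58:42,659 DEBUG [ims.tasktrack.LLSDK] Receiving server response for request with ID:19
[12/11/16 8:58:42:659 EST] 00000122 SystemOut O 08:58:42,659 DEBUG [ims.ui] Exception getting administrator ($SM${RC2}TOKEN-REDACTED)
[facility=4 severity=2 reason=0 status=38 message=No items found]
"""

def find_smtoken_failures(text):
    """Return one record per getUserFromSMTOKEN call that ended in
    'Exception getting administrator'. The token itself is never copied out."""
    pending, answered = {}, {}   # thread -> request ID (sent / response received)
    failures, last = [], None
    for raw in text.splitlines():
        st = STATUS.match(raw.strip())
        if st and last is not None:
            # Status line that directly follows the exception line
            last["status"], last["message"] = int(st.group(1)), st.group(2)
            last = None
            continue
        last = None
        m = LINE.match(raw)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if (s := SEND.search(msg)):
            pending[thread] = s.group(1)
            answered.pop(thread, None)      # forget any older call on this thread
        elif (r := RECV.search(msg)) and pending.get(thread) == r.group(1):
            answered[thread] = pending.pop(thread)
        elif msg.startswith("Exception getting administrator") and thread in answered:
            last = {"ts": m.group("ts"), "thread": thread,
                    "request_id": answered.pop(thread), "status": None, "message": None}
            failures.append(last)
    return failures
```

Comparing the returned timestamps across Identity Manager nodes shows whether the failures stop once all Policy Server machines use a common time server.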
