As part of a new series of posts on hidden SiteMinder operational issues, this week we look at authentication requests from valid users being rejected. In each article, we present the reported issue, what we found during troubleshooting, and how the problem was remedied.
| Topic | Details |
|---|---|
| Issue | The customer reported that help desk users were not able to access the help desk user administration application (which was built in Identity Manager). |
| Symptoms | The AuthReject rate for all users in one of the three user stores was extremely high. Valid user authentication attempts were being rejected for that user store. |
| Troubleshooting | Because it was an authentication issue, we examined the smaccess.log first to determine the extent of the failed authentications. The smaccess.log showed successful authentications (AuthAccept) for the other user stores, so we knew SiteMinder itself was not the root cause. We reviewed the alarm log for the DSA user store with the high failure rate and found the entry “** ALARM **. File space exhausted”. When creating a user store in CA Directory you must set a dxgrid-db size. This user store was originally created in 2014 with the default size of 500MB. Since it was deployed, the number of user store entries has grown by more than 2M. |
| Condition | This issue only occurs if SiteMinder is configured to track successful logins. |
| Cause | The dxgrid-db allocation for the user store had been exhausted. The operating system had adequate disk space, but the initial dxgrid-db size was too small; as a result, the successful login tracking could not be written to the passwordData field on the user’s record in the user store, and valid user authentications were rejected. |
| Procedure | To extend the size of the DXgrid data store, use the dxextenddb tool: (1) stop the DSA; (2) edit the dxgrid-db-size parameter in the DSA’s initialization file (DXHOME/config/servers/{dsaName}.dxi); (3) run `dxextenddb {dsaName}`; (4) start the DSA. Once the DXgrid data store has been extended and the DSA restarted, SiteMinder can continue tracking successful user logins. To enable “Authenticate on login tracking failure”: edit the Password Policy associated with the user directory, enable “Authenticate on login tracking failure”, and save the policy. |
| Future Considerations | The changes that were implemented will prevent users from being rejected during authentication due to lack of dxgrid-db space in the future, but they could result in successful authentications not being recorded in the user’s passwordData field. Failing to track successful logins can affect features such as ‘account expiration due to inactivity’: if successful logins are not tracked, the inactivity account expiration feature will not be accurate and could cause accounts to expire prematurely. We recommend implementing a monitor that reads the alarm log and triggers an alert once the dxgrid-db usage exceeds 75% of the space allocated. |
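The monitor recommended above, as an added example that is not part of the original post: it reads the allocated size from the DSA's .dxi file, scans alarm-log lines for the “File space exhausted” alarm quoted in the troubleshooting notes, and classifies fill level against a 75% threshold. The `set dxgrid-db-size = N;` line syntax, the alarm-log line layout and the way current usage (`used_mb`) is obtained are assumptions; the sample inputs are constructed.

```python
import re

# Alarm text quoted from the post; the timestamp/DSA-name prefix in the sample
# lines below is a constructed assumption, not CA Directory's documented format.
EXHAUSTED = "** ALARM **. File space exhausted"
# Assumed .dxi syntax for the allocation, in MB: "set dxgrid-db-size = 500;"
DXI_SIZE_RE = re.compile(r"^\s*set\s+dxgrid-db-size\s*=\s*(\d+)\s*;", re.M)

def parse_dxgrid_db_size(dxi_text):
    """Return the allocated dxgrid-db size in MB from a DSA .dxi file, or None if unset."""
    m = DXI_SIZE_RE.search(dxi_text)
    return int(m.group(1)) if m else None

def exhausted_alarms(alarm_log_lines):
    """Return every alarm-log line that carries the file-space-exhausted alarm."""
    return [ln for ln in alarm_log_lines if EXHAUSTED in ln]

def usage_state(used_mb, allocated_mb, warn_at=0.75):
    """Classify fill level: 'ok', 'warn' (at or above warn_at), 'exhausted' (at or above 100%)."""
    if allocated_mb <= 0:
        raise ValueError("allocated size must be positive")
    ratio = used_mb / allocated_mb
    if ratio >= 1.0:
        return "exhausted"
    if ratio >= warn_at:
        return "warn"
    return "ok"

def evaluate(dxi_text, alarm_log_lines, used_mb):
    """One monitor pass. Returns (state, matching_alarm_lines).

    An exhaustion alarm wins regardless of the computed ratio, because it is the
    symptom that actually caused AuthRejects in the incident described above.
    """
    alarms = exhausted_alarms(alarm_log_lines)
    if alarms:
        return "exhausted", alarms
    allocated = parse_dxgrid_db_size(dxi_text)
    if allocated is None:
        return "unknown", []   # cannot compute a ratio without the allocation
    return usage_state(used_mb, allocated), []

# Constructed sample inputs (not captured from a real system)
SAMPLE_DXI = "# constructed .dxi fragment\nset dxgrid-db-size = 500;\n"
SAMPLE_ALARM_LOG = ["20240101.120000 userstore-dsa: ** ALARM **. File space exhausted"]

if __name__ == "__main__":
    print(evaluate(SAMPLE_DXI, SAMPLE_ALARM_LOG, 120))   # ('exhausted', [...])
    print(evaluate(SAMPLE_DXI, [], 400))                 # ('warn', [])
```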