We are trying to update a password composition policy that has a list of Characters to Exclude defined. We updated the list of special characters accordingly for "Must Contain" and "First Must Contain". We are not using the "Last Must Contain" feature and just blanked out the list of special characters there. But when we try to save this policy, the PAM pops up error "PAM-CM-4126: Excluded special characters were specified at the end of the password."

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

When a list of special characters is blank, PAM uses the default list, which includes characters like the pipe character and slash and backslash. This default list conflicts with the "Characters To Exclude" list.

Even if you are not using a particular special characters list in the PCP, make sure to enter a list there. Just a single character will do. E.g. just adding an exclamation mark "!" in the Special Last Characters Including field at the bottom right will allow you to save the above PCP. Since the checkboxes are not checked it will NOT imply that PAM will only use an exclamation mark as last special character. You can verify that by clicking on the Test button multiple times and checking the resulting password on top.