Change Password is not working with siteminder password policy

Article ID: 214162

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Customer has enabled Siteminder Password Policy for an application.

However, users are not able to reset the password despite meeting the password complexity criteria.

The change page reports that the password does not meet the criteria, and smaccess.log records the following error:

[Auth][AuthReject][21][agentname][28/Apr/2021:10:21:37 -0400][domain][9qbu2WuO0E8zrFO/UJva3xFxUyU=][CN=XXXXXXX,DC=Corp,DC=Local][03-000158d7-d0ee-1487-a3a9-2d250aa2907c][pwdservicesTraget][06-0008c39b-d0f4-1487-a3a9-2d250aa2907c][client_ip_address][/login/pwchange.html][GET][UserDir][LDAP_IP_address:389][LDAP:][][Password change failed. gPP8U5t5MOMugf5vIOOk1wAAAAEAAAPoAAAAIAAAAAA=][Realm][][][][][]

Cause

Turning on the Policy Server trace log reveals the true cause of the failure:

[04/28/2021][14:32:01.954][12313][140561997936384][plugin_AD.cpp:460][][LogMessage:ERROR:[sm-Ldap-00880] (SetUserProp) DN: 'CN=XXXXXXX,DC=Corp,DC=Local', PropName: 'unicodePwd', PropValue: '****' . Status: Error 53 . DSA is unwilling to perform][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][14:32:01][][][][][][][][][]
...
 
[04/28/2021][14:32:01.957][12313][140561997936384][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][** Status: Not Authenticated. Password change failed][][uid][][domain][login][][][UserDir][agentname][][s460682/r5][][][][][][][][][][Password change failed. gPP8U5t5MOMugf5vIOOk1wAAAAEAAAPoAAAAIAAAAAA=][][AuthScheme][][][][][][][CN=XXXXXXX,DC=Corp,DC=Local][][][06-000cefb3-d0f5-1487-a3a9-2d250aa2907c][][][][][][][][][][][][][][][][][14:32:01][][][][][][][][][]
 
The user cannot change the password because Active Directory refuses the write to the 'unicodePwd' attribute (LDAP result 53, "DSA is unwilling to perform").

The LDAP user directory connection in this case was not secured with SSL.

Environment

Release : 12.8.03

Component : SITEMINDER - POLICY SERVER

Resolution

In order for the SiteMinder password policy to work fully, the LDAP user directory connection must be over SSL on a secure port.

Active Directory only accepts a password change over an SSL connection, and only if the AD connection account has the privilege to perform that operation.

Do not request a one-time password from AD several times within the same minute. This can cause additional failures and confusion about which password is currently valid for login, because AD replication can take time to propagate the new password value to the rest of the AD farm.

In addition, by design, a user name in SiteMinder cannot contain characters such as & or *, or be wrapped in parentheses as (username); such names produce the error "Illegal characters in username".
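The following Python script is an added example, not code from this article or from SiteMinder. It turns the resolution above into checks a practitioner can run before a password change is attempted: it flags a user directory whose connection is not SSL (or whose Password Attribute is not unicodePwd), builds the value Active Directory expects for unicodePwd (the new password in double quotes, UTF-16LE encoded, which is the standard AD convention and assumed here), parses a Policy Server trace line for the "Error 53 . DSA is unwilling to perform" signature, and applies the user-name character rule. The directory field names, hosts, ports and the sample log line are constructed for illustration.

```python
"""Added example (not the article's or SiteMinder's own code): pre-flight checks
for a SiteMinder-style Active Directory password change.

Checks covered:
  1. the user directory bound to the password policy must use a secure (SSL)
     connection and the unicodePwd Password Attribute;
  2. AD expects unicodePwd as the new password wrapped in double quotes and
     encoded as UTF-16LE (standard AD convention, assumed here);
  3. a Policy Server trace line with "Error 53 . DSA is unwilling to perform"
     on unicodePwd is the signature of this failure;
  4. user names containing &, * or parentheses are rejected by SiteMinder.

Directory names, hosts, ports and the sample log line are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UserDirectory:
    """Minimal model of a SiteMinder user directory object (assumed field names)."""
    name: str
    host: str
    port: int
    secure: bool               # the directory's "Secure Connection" setting
    password_attribute: str    # the directory's Password Attribute


def password_change_blockers(d: UserDirectory) -> List[str]:
    """Return the problems that would make AD reject a unicodePwd write (empty list = OK)."""
    problems = []
    if not d.secure:
        problems.append(
            f"{d.name}: {d.host}:{d.port} is a plaintext LDAP connection; "
            "AD only accepts unicodePwd writes over SSL")
    elif d.port == 389:
        problems.append(
            f"{d.name}: secure flag set but port 389 is the plaintext LDAP port "
            "(LDAPS is normally 636)")
    if d.password_attribute.lower() != "unicodepwd":
        problems.append(
            f"{d.name}: Password Attribute is '{d.password_attribute}', expected unicodePwd")
    return problems


def encode_unicode_pwd(new_password: str) -> bytes:
    """Build the value AD expects for unicodePwd: the password in double quotes, UTF-16LE encoded."""
    return f'"{new_password}"'.encode("utf-16-le")


# Matches the SetUserProp error inside a Policy Server trace line, e.g.
# [sm-Ldap-00880] (SetUserProp) DN: '...', PropName: 'unicodePwd', PropValue: '****' . Status: Error 53 . DSA is unwilling to perform
TRACE_RE = re.compile(
    r"\[sm-Ldap-(?P<code>\d+)\].*?PropName: '(?P<attr>[^']+)'"
    r".*?Status: Error (?P<status>\d+) \. (?P<msg>[^\]]+)")


def diagnose_trace_line(line: str) -> Optional[Dict[str, object]]:
    """Parse a trace line; return the attribute, LDAP result code and a likely cause, or None."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    status = int(m.group("status"))
    attr = m.group("attr")
    if attr.lower() == "unicodepwd" and status == 53:
        cause = "AD refused the password write: check that the user directory connection is SSL"
    else:
        cause = "LDAP write failed; see the message text"
    return {"attr": attr, "ldap_result": status,
            "message": m.group("msg").strip(), "likely_cause": cause}


# Characters the article lists as producing "Illegal characters in username".
ILLEGAL_USERNAME_RE = re.compile(r"[&*()]")


def username_is_legal(username: str) -> bool:
    """True unless the user name contains &, * or parentheses."""
    return ILLEGAL_USERNAME_RE.search(username) is None


if __name__ == "__main__":
    # Constructed sample: the directory as the customer had it (plaintext on 389) and as it should be.
    before = UserDirectory("UserDir", "ldap.corp.local", 389, False, "unicodePwd")
    after = UserDirectory("UserDir", "ldap.corp.local", 636, True, "unicodePwd")
    print(password_change_blockers(before))   # one problem: plaintext connection
    print(password_change_blockers(after))    # []
    sample = ("[04/28/2021][14:32:01.954][12313][140561997936384][plugin_AD.cpp:460][]"
              "[LogMessage:ERROR:[sm-Ldap-00880] (SetUserProp) DN: 'CN=XXXXXXX,DC=Corp,DC=Local', "
              "PropName: 'unicodePwd', PropValue: '****' . Status: Error 53 . DSA is unwilling to perform]")
    print(diagnose_trace_line(sample))
    print(encode_unicode_pwd("Example1!").hex())
    print(username_is_legal("jsmith"), username_is_legal("(jsmith)"))
```

Run the script as-is to see the plaintext directory flagged and the trace line classified; point `password_change_blockers` at your own directory settings before enabling a password policy, and feed `diagnose_trace_line` the lines of the Policy Server trace log when a change is rejected.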

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/password-policy-troubleshooting.html

Symptom:
Users stored in Active Directory user directories cannot change their passwords.
Solution:
Check the following:
  • The Active Directory user directory to which the policy is bound is configured with a secure (SSL) connection.
  • The Active Directory user directory to which the policy is bound is configured to use the unicodePWD Password Attribute.

 

Tech Article: SSO Policy Server "Illegal characters in username".

https://knowledge.broadcom.com/external/article?articleId=188755