Change Password is not working with siteminder password policy



Article ID: 214162


Updated On:


CA Single Sign On Agents (SiteMinder)


Customer has enabled Siteminder Password Policy for an application.

However, users are not able to reset the password despite meeting the password complexity criteria.

It shows the password does not meet the criteria with below error in smaccess.log:

[Auth][AuthReject][21][agentname][28/Apr/2021:10:21:37 -0400][domain][9qbu2WuO0E8zrFO/UJva3xFxUyU=][CN=XXXXXXX,DC=Corp,DC=Local][03-000158d7-d0ee-1487-a3a9-2d250aa2907c][pwdservicesTraget][06-0008c39b-d0f4-1487-a3a9-2d250aa2907c][client_ip_address][/login/pwchange.html][GET][UserDir][LDAP_IP_address:389][LDAP:][][Password change failed. gPP8U5t5MOMugf5vIOOk1wAAAAEAAAPoAAAAIAAAAAA=][Realm][][][][][]


Release : 12.8.03



Turn on the policy server trace log; it will reveal the true cause of the failure.

[04/28/2021][14:32:01.954][12313][140561997936384][plugin_AD.cpp:460][][LogMessage:ERROR:[sm-Ldap-00880] (SetUserProp) DN: 'CN=XXXXXXX,DC=Corp,DC=Local', PropName: 'unicodePwd', PropValue: '****' . Status: Error 53 . DSA is unwilling to perform][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][14:32:01][][][][][][][][][]
[04/28/2021][14:32:01.957][12313][140561997936384][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][** Status: Not Authenticated. Password change failed][][uid][][domain][login][][][UserDir][agentname][][s460682/r5][][][][][][][][][][Password change failed. gPP8U5t5MOMugf5vIOOk1wAAAAEAAAPoAAAAIAAAAAA=][][AuthScheme][][][][][][][CN=XXXXXXX,DC=Corp,DC=Local][][][06-000cefb3-d0f5-1487-a3a9-2d250aa2907c][][][][][][][][][][][][][][][][][14:32:01][][][][][][][][][]
The user cannot change the password because AD refuses the write to the 'unicodePwd' attribute (Error 53, DSA is unwilling to perform).

The LDAP connection for this user directory was not secure.


For the SiteMinder password policy to work fully, the LDAP user directory connection must be over SSL on a secure port.

AD only accepts a password change over an SSL connection, and only if the AD connection account has the privilege to perform that operation.

Do not attempt to generate a one-time password several times within the same minute from AD: this can cause additional failures and confusion about which password is currently valid for login, since AD replication can take time to propagate the new password value across the rest of the AD farm.

In addition, by design, a user name in SiteMinder cannot contain characters such as & or *, or take the form (username); such names result in the error "Illegal characters in username".

Additional Information

Users stored in Active Directory user directories cannot change their passwords.
Check the following:
  • The Active Directory user directory to which the policy is bound is configured with a secure (SSL) connection.
  • The Active Directory user directory to which the policy is bound is configured to use unicodePwd as the Password Attribute.
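The following is an added example, not part of the article or of SiteMinder itself, that turns the diagnosis above into two small checks: one parses policy server trace lines for the SetUserProp failure on unicodePwd (Error 53) and returns a pointer to the SSL and account-privilege requirements, the other evaluates a user-directory configuration against the checklist. The trace lines and the directory dicts are constructed samples following the field layout shown in the article; the DNs, ports and dict keys are assumptions.

```python
"""Added example: detect the AD unicodePwd / Error 53 password-change failure in
SiteMinder trace output and check a user-directory configuration against the
article's checklist. Sample data below is constructed; nothing here is taken
from a real environment."""
import re

# Constructed trace lines following the bracketed-field layout shown in the
# article (DN, PIDs and timestamps are placeholders, not real values).
SAMPLE_TRACE_LINES = [
    "[04/28/2021][14:32:01.954][12313][140561997936384][plugin_AD.cpp:460][]"
    "[LogMessage:ERROR:[sm-Ldap-00880] (SetUserProp) DN: 'CN=jdoe,DC=example,DC=test', "
    "PropName: 'unicodePwd', PropValue: '****' . Status: Error 53 . DSA is unwilling to perform][][]",
    "[04/28/2021][14:32:01.957][12313][140561997936384][Sm_Auth_Message.cpp:4902]"
    "[CSm_Auth_Message::SendReply][** Status: Not Authenticated. Password change failed][][]",
]

# Matches the SetUserProp error fragment: message code, DN, attribute name,
# LDAP result code and the server's textual reason.
SETUSERPROP_RE = re.compile(
    r"\[sm-Ldap-(?P<code>\d+)\] \(SetUserProp\) DN: '(?P<dn>[^']*)', "
    r"PropName: '(?P<prop>[^']*)', PropValue: '[^']*' \. "
    r"Status: Error (?P<status>\d+) \. (?P<text>[^\]]*)"
)


def parse_setuserprop_error(line):
    """Return the fields of a SetUserProp failure, or None if the line is not one."""
    m = SETUSERPROP_RE.search(line)
    if not m:
        return None
    return {
        "code": m.group("code"),
        "dn": m.group("dn"),
        "prop": m.group("prop"),
        "status": int(m.group("status")),
        "text": m.group("text").strip(),
    }


def diagnose(line):
    """Map a trace line to a short diagnosis; None when the line is not a SetUserProp failure."""
    rec = parse_setuserprop_error(line)
    if rec is None:
        return None
    # LDAP result 53 (unwillingToPerform) on unicodePwd is the signature described
    # in the article: AD will not accept the write over a non-SSL connection.
    if rec["prop"] == "unicodePwd" and rec["status"] == 53:
        return ("AD refused the unicodePwd write (Error 53, unwilling to perform): "
                "verify the user directory uses an SSL connection and that the "
                "connection account may change passwords")
    return f"LDAP write to {rec['prop']} failed with status {rec['status']}: {rec['text']}"


def user_directory_checklist(directory):
    """Evaluate an AD user-directory configuration (assumed dict shape) against the
    article's checklist. Returns a list of findings; an empty list means the
    SSL and password-attribute prerequisites are met."""
    findings = []
    if not directory.get("secure_connection", False):
        findings.append("LDAP connection is not SSL; AD rejects unicodePwd writes over cleartext")
    if directory.get("port") == 389:
        findings.append("port 389 is the plain LDAP port; the secure port (typically 636) is required")
    if directory.get("password_attribute") != "unicodePwd":
        findings.append("Password Attribute must be unicodePwd for Active Directory")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_TRACE_LINES:
        print(diagnose(line))
    # Constructed configurations: one cleartext on 389, one LDAPS on 636.
    print(user_directory_checklist({"secure_connection": False, "port": 389,
                                    "password_attribute": "userPassword"}))
    print(user_directory_checklist({"secure_connection": True, "port": 636,
                                    "password_attribute": "unicodePwd"}))
```

Run it over a real trace file by replacing SAMPLE_TRACE_LINES with the file's lines; the checklist function only inspects the configuration values you pass in, so it can be fed from whatever source you export the user-directory settings to.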


Tech Article: SSO Policy Server Illegal characters in username.