
Basic Password policy Change Password timeout value


Article ID: 229710

Products

SITEMINDER

Issue/Introduction

When the basic password policy is in use and the user's Disabled flag is set to "Password must change" (Sm_Api_Disabled_PWMustChange = 0x01000000 = 16777216), the following happens:


1) The user accesses a protected resource and is redirected to login.fcc.
2) The user enters the correct username and password. Because the Disabled flag is set to Sm_Api_Disabled_PWMustChange (0x01000000 = 16777216), the user is redirected to the password change page.


At this step, the Policy Server builds a redirect as follows:


Location: /siteminderagent/forms/smpwservices.fcc?SMENC=UTF-8&SMTOKEN=-SM-{RC2}xotv2COPg4kBt85QcxVmnoEX8ckFTuX/MsM+VfQTv+JENwxnUFsRtP731EL2rGQ5XcxQaGlVCUG65GZjmmMwgL1LMVtMwDPU&USERNAME=user1&SMAUTHREASON=20&SMAGENTNAME=-SM-U+dySDYs9M8fAje9ejgoI9fhY8lCchQQSX+Zf4h4uSuOYFzXVrXbM6NDNegE19Ln&TARGET=-SM-HTTPS://fedapp.myidp128sp4.com/affwebservices/redirectjsp/redirect.jsp?SPID=SPID&SMPORTALURL=https-:-/-/fedapp.myidp128sp4.com-/affwebservices-/public-/saml2sso&SAMLTRANSACTIONID=229af28d--4796594b--fd5608da--1aaa447b--30ac67c2--9e6
 
3) If the user waits more than 10 minutes and then attempts to change the password, a timeout message is returned.

Environment

Release : Any release

Component : SITEMINDER -POLICY SERVER

Resolution

The timeout is caused by the SMTOKEN.

The SMTOKEN is validated again in the change-password flow: the current time is compared against the token creation time plus 5 minutes. If more than 5 minutes have elapsed since the token was created (that is, since the successful login at step 2, not since the change password page was displayed), the password change request is rejected and the following is written to the Policy Server trace:

 SMTRACE_SETMSG(("Refusing password change request"));

The 5-minute window is hard-coded in the Policy Server and cannot be changed. The user must therefore submit the new password within 5 minutes of the login that produced the SMTOKEN; otherwise the user has to log in again to obtain a fresh token.
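The following is an added example, not code from the Broadcom article or from SiteMinder itself. It pulls the parameters out of the smpwservices.fcc redirect shown above and simulates the Policy Server's 5-minute SMTOKEN age check, so an administrator can reason about when a change-password request will be refused. Assumptions: the SMTOKEN creation timestamp is a constructed value standing in for the moment of the step 2 redirect; TARGET is treated as the last query parameter because, in the article's redirect, it carries unescaped '?' and '&' of its own; stripping the leading '-SM-' marker is done only for display and does not decrypt the RC2 token.

```python
"""Added example: parse the smpwservices.fcc redirect and simulate the
Policy Server's hard-coded 5-minute SMTOKEN age check (not SiteMinder code)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Hard-coded in the Policy Server per the article; it cannot be configured.
SMTOKEN_MAX_AGE = timedelta(minutes=5)

# The redirect Location from the article (path and query only).
SAMPLE_LOCATION = (
    "/siteminderagent/forms/smpwservices.fcc?SMENC=UTF-8"
    "&SMTOKEN=-SM-{RC2}xotv2COPg4kBt85QcxVmnoEX8ckFTuX/MsM+VfQTv+JENwxnUFsRtP731EL2rGQ5XcxQaGlVCUG65GZjmmMwgL1LMVtMwDPU"
    "&USERNAME=user1&SMAUTHREASON=20"
    "&SMAGENTNAME=-SM-U+dySDYs9M8fAje9ejgoI9fhY8lCchQQSX+Zf4h4uSuOYFzXVrXbM6NDNegE19Ln"
    "&TARGET=-SM-HTTPS://fedapp.myidp128sp4.com/affwebservices/redirectjsp/redirect.jsp?SPID=SPID"
    "&SMPORTALURL=https-:-/-/fedapp.myidp128sp4.com-/affwebservices-/public-/saml2sso"
    "&SAMLTRANSACTIONID=229af28d--4796594b--fd5608da--1aaa447b--30ac67c2--9e6"
)

# Constructed timestamp standing in for the moment the Policy Server issued
# the redirect (step 2 above), i.e. the SMTOKEN creation time.
SAMPLE_TOKEN_CREATED_AT = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_pw_redirect(location):
    """Split the redirect's query string into a dict.

    Assumption: TARGET is the last parameter and may itself contain unescaped
    '?' and '&' (it does in the article's example), so everything after
    'TARGET=' is kept as one value instead of being split on '&'.
    """
    query = location.split("?", 1)[1] if "?" in location else ""
    params = {}
    rest = query
    while rest:
        if rest.startswith("TARGET="):
            params["TARGET"] = rest[len("TARGET="):]
            break
        pair, _, rest = rest.partition("&")
        key, _, value = pair.partition("=")
        params[key] = unquote(value)
    return params


def strip_sm_marker(value):
    """Drop the '-SM-' prefix the Policy Server puts on encoded parameter values.

    This is display-only; the '{RC2}' token payload stays encrypted.
    """
    return value[len("-SM-"):] if value.startswith("-SM-") else value


def password_change_allowed(token_created_at, now):
    """Mirror the check in the article: refuse once the token is older than 5 minutes."""
    return now - token_created_at <= SMTOKEN_MAX_AGE


def evaluate(token_created_at, now):
    """Return the outcome; the refusal string is the trace message quoted in the article."""
    if password_change_allowed(token_created_at, now):
        return "password change accepted"
    return "Refusing password change request"


def evaluate_after(minutes):
    """Outcome if the change-password form is submitted `minutes` after step 2."""
    return evaluate(SAMPLE_TOKEN_CREATED_AT,
                    SAMPLE_TOKEN_CREATED_AT + timedelta(minutes=minutes))


if __name__ == "__main__":
    p = parse_pw_redirect(SAMPLE_LOCATION)
    print("user:", p["USERNAME"], "SMAUTHREASON:", p["SMAUTHREASON"])
    print("token:", strip_sm_marker(p["SMTOKEN"])[:16] + "...")
    for m in (1, 4, 10):
        print(f"submitted after {m:2d} min -> {evaluate_after(m)}")
```

Run it as a script to see the accepted/refused outcome for a few submission delays; when triaging a real case, replace SAMPLE_TOKEN_CREATED_AT with the timestamp of the step 2 redirect from the web agent or Policy Server trace and the delay with the time the user actually submitted the form.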