Multifactor Authentication is in use.
email.fcc is customized to accept Username, Password and Email Address.
When a user has the "User must change password at next login" flag set, the password change at the out-of-the-box (OOTB) smpwservices.fcc does not succeed, even though the correct old password and an acceptable new password are submitted.
smaccess.log shows an OnAuthAttempt entry for the attempt.
Release : 12.8.x
Component : SITEMINDER -POLICY SERVER
This is by design.
When a customized HTML login page (here email.fcc) is used to accept multiple attributes, the same attributes must also be submitted by smpwservices.fcc. The OOTB smpwservices.fcc posts only the username and password, so the authentication attempt recorded as OnAuthAttempt in smaccess.log is made without the Email Address the scheme expects, and the password change does not go through.
HTML Authentication Scheme
Make a copy of smpwservices.fcc (for example smpwservices-email.fcc, the name used in the password policy step below) and match it to email.fcc so that it also accepts and posts the "mail" attribute.
It can be tricky to locate where to add this input field in smpwservices.fcc, because the same message is repeated in many places in the file.
When the user is redirected with smauthreason=20, the message displayed is "please change your current password before continuing", and this message occurs in several places.
To find the correct occurrence, temporarily change each one to a distinct string: "please change your current password before continuing1", "please change your current password before continuing2", and so on.
Then reproduce the issue and note which variant is displayed. If, for example, "please change your current password before continuing4" appears, add the email input section below the fourth occurrence, as demonstrated in the above screenshot. Revert the numbered test strings once the correct location is known, so the user-facing message is unchanged.
Finally, update the password policy to redirect to the new smpwservices-email.fcc instead of the OOTB smpwservices.fcc.
After that, the user's password change succeeds.
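The numbering trick and the insertion step above can be scripted so that the edit is applied mechanically rather than by eye. The following helper is an added example written for this article; it is not Broadcom/CA tooling or part of smpwservices.fcc. The sample FCC text, the field names USER, PASSWORD, PASSWORD1 and PASSWORD2, and the markup of the added mail field are assumptions: the real file is much longer, and the added field must carry the attribute name your own email.fcc posts (the article calls it "mail").

```python
"""Locate and patch the "please change your current password before continuing"
message in a copy of smpwservices.fcc.

Added example for the KB article above; not Broadcom/CA tooling. The sample
FCC, its field names and the MAIL_INPUT markup are assumptions.
"""
import re

MESSAGE = "please change your current password before continuing"

# Assumed markup for the extra field. Its name must be the attribute the
# customized email.fcc posts (the article calls it "mail").
MAIL_INPUT = (
    "<tr>\n"
    "  <td>Email Address:</td>\n"
    '  <td><input type="text" name="mail" size="30"></td>\n'
    "</tr>\n"
)

# Constructed stand-in for smpwservices.fcc. The real file is far longer and
# repeats the message in more places, which is why the numbering trick exists.
SAMPLE_FCC = """\
<form name="PWChange" method="post">
<input type="hidden" name="USER">
<table>
<tr><td colspan="2">please change your current password before continuing</td></tr>
<tr><td>Old Password:</td><td><input type="password" name="PASSWORD"></td></tr>
<tr><td colspan="2">Please change your current password before continuing</td></tr>
<tr><td>New Password:</td><td><input type="password" name="PASSWORD1"></td></tr>
<tr><td colspan="2">please change your current password before continuing</td></tr>
<tr><td>Confirm:</td><td><input type="password" name="PASSWORD2"></td></tr>
</table>
</form>
"""


def _occurrences(fcc_text, message):
    # Case-insensitive: the file mixes capitalisation of the same message.
    return list(re.finditer(re.escape(message), fcc_text, flags=re.IGNORECASE))


def number_messages(fcc_text, message=MESSAGE):
    """Return (patched_text, count). Every occurrence of `message` gets a running
    suffix 1, 2, 3 ... so the variant rendered after the smauthreason=20
    redirect identifies which copy of the message the user actually sees."""
    out, last, count = [], 0, 0
    for count, m in enumerate(_occurrences(fcc_text, message), start=1):
        out.append(fcc_text[last:m.end()])
        out.append(str(count))
        last = m.end()
    out.append(fcc_text[last:])
    return "".join(out), count


def insert_after_occurrence(fcc_text, n, snippet, message=MESSAGE):
    """Insert `snippet` directly below the line holding the n-th (1-based)
    occurrence of `message`, i.e. the spot the numbering test pointed at.
    Apply this to the unnumbered copy, not to the diagnostic one."""
    matches = _occurrences(fcc_text, message)
    if n < 1 or n > len(matches):
        raise ValueError(f"occurrence {n} requested, only {len(matches)} found")
    line_end = fcc_text.find("\n", matches[n - 1].end())
    line_end = len(fcc_text) if line_end == -1 else line_end + 1
    return fcc_text[:line_end] + snippet + fcc_text[line_end:]


def posted_fields(fcc_text):
    """Names of the <input> fields in document order, i.e. what the form posts.
    Use it to confirm the new smpwservices-email.fcc carries "mail" alongside
    the username and password fields before pointing the password policy at it."""
    return re.findall(r'<input\b[^>]*\bname="([^"]+)"', fcc_text, flags=re.IGNORECASE)


if __name__ == "__main__":
    # Demonstration on the constructed sample; for a real run read your copy of
    # smpwservices.fcc into fcc_text and write the result to smpwservices-email.fcc.
    numbered, total = number_messages(SAMPLE_FCC)
    print(f"{total} occurrences numbered for the diagnostic copy")
    patched = insert_after_occurrence(SAMPLE_FCC, 2, MAIL_INPUT)
    print("form now posts:", ", ".join(posted_fields(patched)))
```

Run number_messages on a copy, deploy that copy, reproduce the redirect and read the suffix off the rendered page; then run insert_after_occurrence with that number against the original text, check posted_fields lists the mail field, and save the result as smpwservices-email.fcc for the password policy.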