VIP Enterprise Gateway Error: Residual Password failed for user. reason=3; Incorrect LDAP Password
Article ID: 256038
Updated On:
Products
Issue/Introduction
VIP Enterprise Gateway validation fails with "Residual Password failed for user [vipuser]....Sending Access-Reject for user [vipuser] , reason=3; Incorrect LDAP Password." with multiple users after ruling out invalid user password and VIP security code.
Error: Sending access-reject for user xxxx. reason=3, incorrect LDAP password. WARNING detected a possible shared-secret mismatch.
Cause
- Invalid special character in the shared secret.
- The end-users LDAP password is expired or set to expire
Resolution
- If all validations are failing with the error, update the shared secret password on the Validation Servers and NAS/source.
- Invalid special character in the shared secret.
The RADIUS shared secret may contain invalid special characters. This includes ^ = & "
To test, create (or duplicate) a new Validation Server with the same settings as the problematic validation server. Set it to use an unused port, then start the service. Use the VSRADIUSCLIENT_TEST.EXE tool to duplicate the issue (this requires using the plaint-text shared secret). If it fails, replace it with a new shared secret and retest. Once successful, update the shared secret in the original Validation Server and on the NAS/application. The test Validation Server can safely be deleted when testing is complete.
- The end-user LDAP password is expired or set to expire
During the VIP EGW User Store lookup, LDAP returns a message that the user's password has expired, needs to be changed, etc.
Have the end-user change their password and verify they can log into an AD resource successfully. If necessary, allow the password change to propagate in AD.
Feedback
