VIP Enterprise Gateway Error: Residual Password failed for user. reason=3; Incorrect LDAP Password

Article ID: 256038

Updated On:

Products

VIP Service

Issue/Introduction

VIP Enterprise Gateway validation fails with "Residual Password failed for user [vipuser]....Sending Access-Reject for user [vipuser] , reason=3; Incorrect LDAP Password." for multiple users, after an invalid user password and an invalid VIP security code have both been ruled out.

Error: Sending access-reject for user xxxx. reason=3, incorrect LDAP password. WARNING detected a possible shared-secret mismatch. 

Cause

- Invalid special character in the shared secret. 

- The end-user's LDAP password is expired or set to expire

Resolution

- If all validations are failing with this error, update the shared secret on the Validation Servers and on the NAS/source so that both sides match.

- Invalid special character in the shared secret. 

The RADIUS shared secret may contain special characters that the gateway does not accept. These include ^ = & "

To test, create (or duplicate) a new Validation Server with the same settings as the problematic Validation Server. Set it to use an unused port, then start the service. Use the VSRADIUSCLIENT_TEST.EXE tool to reproduce the issue (this requires the plain-text shared secret). If the test fails, replace the shared secret with a new one that avoids the characters above and retest. Once the test succeeds, update the shared secret in the original Validation Server and on the NAS/application. The test Validation Server can safely be deleted when testing is complete.
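The following is an added example, not Broadcom/VIP code, showing why a shared-secret mismatch surfaces as "Incorrect LDAP Password" rather than as a distinct RADIUS error. RFC 2865 hides the User-Password attribute by XORing it with MD5(secret + Request Authenticator); the Validation Server unhides it with its own copy of the secret and only then binds to LDAP. If the two secrets differ, the unhidden bytes are garbage, the LDAP bind fails, and the gateway reports reason=3. The example also pre-checks a candidate secret for the characters this article lists. The user store (vipuser), the secrets and the Request Authenticator are constructed sample values.

```python
import hashlib
import os

# Characters this article lists as problematic in a VIP EGW RADIUS shared secret.
INVALID_SECRET_CHARS = set('^=&"')


def shared_secret_problems(secret: str) -> list:
    """Return the listed characters that appear in `secret` (empty list means none found)."""
    return sorted(INVALID_SECRET_CHARS & set(secret))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as performed by the NAS/client.
    Pad to 16-byte blocks; block 1 is XORed with MD5(secret + Request Authenticator),
    each later block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it before the LDAP bind.
    Trailing NUL padding is stripped (passwords ending in NUL are not expected)."""
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def simulate_validation(username: str, password: str, nas_secret: str, egw_secret: str,
                        request_authenticator: bytes = None, directory: dict = None) -> str:
    """Model one Access-Request: the NAS hides the password with nas_secret, the gateway
    unhides it with egw_secret and checks it against a constructed LDAP user store."""
    directory = directory if directory is not None else {"vipuser": "Correct-Horse-Battery"}
    authenticator = request_authenticator or os.urandom(16)
    hidden = hide_password(password.encode(), nas_secret.encode(), authenticator)
    candidate = reveal_password(hidden, egw_secret.encode(), authenticator)
    try:
        candidate_text = candidate.decode("utf-8")
    except UnicodeDecodeError:
        candidate_text = None  # garbage from a secret mismatch is rarely valid UTF-8
    if candidate_text is not None and directory.get(username) == candidate_text:
        return "Access-Accept"
    # The gateway cannot tell a wrong secret from a wrong password at this point.
    return "Access-Reject reason=3; Incorrect LDAP Password"


if __name__ == "__main__":
    print(shared_secret_problems('Bad^Secret="x"&y'))
    print(simulate_validation("vipuser", "Correct-Horse-Battery", "SameSecret", "SameSecret"))
    print(simulate_validation("vipuser", "Correct-Horse-Battery", "SameSecret", "Other"))
```

Run `shared_secret_problems` against a proposed secret before configuring it on both sides; the two `simulate_validation` calls reproduce, with matching and mismatched secrets, the accept and the reason=3 reject this article describes, which is why the article recommends testing with a disposable Validation Server and the plain-text secret rather than guessing from the LDAP error text alone.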

- The end-user LDAP password is expired or set to expire

During the VIP EGW User Store lookup, LDAP returns a message that the user's password has expired, must be changed, or is otherwise not usable for a bind.

Have the end-user change their password and verify they can log into an AD resource successfully. If necessary, allow the password change to propagate in AD.