Description:

Within the Policy Server error log (smps.log), what is the meaning of the following error message:

"[ERROR] Password Message could not be parsed"

Solution:

Sometimes, as in the case of a password change, the user's password is transformed into an encoded combination of old and new passwords. When performing an authentication, the policy server must determine if the password is really the encoded combination of multiple passwords or simply a plain password. For performance reasons this determination is only done when the challenge reason is not one of the following:

1. none (0)
   
   
2. expired session (4)
   
   
3. auth level to low (5)
   
   
4. next token code (28)
   
   
5. new pin select (29)
   
   
6. new pin system token code (30)
   
   
7. new user pin token code (31)
   
   
8. new pin accepted (32)

In all other cases, an attempt is made to decode the password field into separate components. When this attempt to decode fails, the message in question will appear in the logs. This message simply indicates that the password field does not contain information about the old and new password and should be treated as a regular password when generating the data structure used to track user credentials within the policy server.

If this error occurs while a user is performing a password change, it may indicate that the password data is being passed to policy server incorrectly. While doing a password change, the encoded combination of new and old password is used (as opposed to a regular login where only a plain password is being used).

There is no way to avoid this message from appearing in the logs. If the challenge reason for the request does not appear in the list above, an attempt will always be made to decode the password. If the attempt fails, it is of little consequence since all that will happen is the policy server will propagate the user credentials without a "new password" value.