Force Password Change Sometimes Does Not Work

Article ID: 6331

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

When a user is forced to change his password, he is redirected to the change password page. Once the old and new passwords are submitted, the following error appears in the Policy Server traces:

[03/14/2017][14:37:18.115][14:37:18][2284][2984][plugin_AD.cpp:451][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-00880] (SetUserProp) DN: 'xxyyzz', PropName: 'unicodePwd', PropValue: '****' . Status: Error 19 . Constraint Violation][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

Cause

Enhanced AD integration is enabled, which means that the AD password policy was applied to the user. No password policy was defined for the User Directory in SiteMinder.

In the AD policy, the minimum password age was set to 1 day, which in this case did not permit the password change because the password was not older than 1 day.
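To confirm this cause for a given user, the check below (an added example, not part of the original article or the product) parses the SetUserProp trace message and compares the user's `pwdLastSet` with the domain's `minPwdAge`. It relies on AD storing `pwdLastSet` as a count of 100-ns intervals since 1601-01-01 UTC and `minPwdAge` as a negative count of 100-ns intervals; the function names and the sample timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONE_DAY = -864_000_000_000  # minPwdAge for 1 day: negative 100-ns intervals

# Matches the (SetUserProp) message format of the trace line above.
TRACE_RE = re.compile(
    r"\(SetUserProp\) DN: '(?P<dn>[^']*)', PropName: '(?P<prop>[^']*)'"
    r".*?Status: Error (?P<code>\d+)")

# Constructed sample: the trace message with the empty [] fields dropped.
SAMPLE = ("[LogMessage:ERROR:[sm-Ldap-00880] (SetUserProp) DN: 'xxyyzz', "
          "PropName: 'unicodePwd', PropValue: '****' . Status: Error 19 . "
          "Constraint Violation]")

def to_filetime(dt):
    """Datetime -> AD FILETIME (100-ns intervals since 1601-01-01 UTC)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000

def parse_setuserprop_error(line):
    """Return dn/prop/code of a failed SetUserProp trace line, else None."""
    m = TRACE_RE.search(line)
    return {"dn": m["dn"], "prop": m["prop"], "code": int(m["code"])} if m else None

def min_age_remaining(pwd_last_set, min_pwd_age, now):
    """Time left before AD accepts a user-initiated change (zero if allowed)."""
    last_set = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    min_age = timedelta(microseconds=abs(min_pwd_age) // 10)
    return max(last_set + min_age - now, timedelta(0))

def diagnose(line, pwd_last_set, min_pwd_age, now):
    err = parse_setuserprop_error(line)
    # LDAP result code 19 is constraintViolation.
    if not err or err["prop"] != "unicodePwd" or err["code"] != 19:
        return "not a password constraint violation"
    left = min_age_remaining(pwd_last_set, min_pwd_age, now)
    if left > timedelta(0):
        return f"minimum password age blocks the change for another {left}"
    return "minimum age satisfied; check the other AD policy constraints"

if __name__ == "__main__":
    # Constructed values: password set at 09:00 UTC, change tried at 14:37:18.
    now = datetime(2017, 3, 14, 14, 37, 18, tzinfo=timezone.utc)
    last = to_filetime(datetime(2017, 3, 14, 9, 0, tzinfo=timezone.utc))
    print(diagnose(SAMPLE, last, ONE_DAY, now))
```
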

Environment

Policy Server Version: 12.51; Update: 00.00; Build: 905; CR: 00; on Windows 2008 R2

Resolution

Modify the AD password policy to suit your needs. The product is working as designed: with Enhanced AD integration enabled, it trusts AD to manage the password change.

Additional Information

If the AD policy has other constraints, the same error message can appear and users will not be able to change their passwords.