Tech Tip: CA Single Sign-On: Force Password Change Sometimes Does Not Work

Document created by Osarobo_Idehen Employee on Apr 7, 2017
Version 1

Issue:


When a user is forced to change his password, he is redirected to the change password page. Once the old/new password is submitted, we get the following errors in the Policy Server traces:

 

[03/14/2017][14:37:18.115][14:37:18][2284][2984][plugin_AD.cpp:451][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-00880] (SetUserProp) DN: 'xxyyzz', PropName: 'unicodePwd', PropValue: '****' . Status: Error 19 . Constraint Violation][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

Environment:

 

Policy Server Version: 12.51; Update: 00.00; Build: 905; CR: 00; on Windows 2008 R2

Cause:


Enhanced AD integration is enabled, which means that the AD password policy was being applied to the user. There was no password policy defined for the User Directory in SiteMinder.

In AD Policy, the minimum password age was set to 1 day which, in this case, did not permit the password change as the password was not older than 1 day.

Resolution:


You have to modify the AD password policy as per your needs. The product is working as designed and trusts AD to manage the password change (Enhanced AD integration is enabled).

Additional Information:


If there are other constraints in the AD policy, you may get the same error message, and users will not be able to change their passwords.
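To confirm that the minimum password age is the constraint behind an Error 19 on 'unicodePwd', the following added example (not part of the original document and not CA code) compares the user's last password set time with the effective AD policy. It assumes the ActiveDirectory PowerShell module is installed and that the user is in the current logon domain; the function name `Test-AdMinPasswordAge` and the account `jdoe` are hypothetical.

```powershell
# Added example, not CA code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-AdMinPasswordAge {
    param(
        [Parameter(Mandatory)] [string] $Identity   # sAMAccountName or DN of the affected user
    )

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet

    # A fine-grained password policy (PSO), if one applies to the user,
    # takes precedence over the default domain policy.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        $source = "Fine-grained policy '$($pso.Name)'"
        $minAge = $pso.MinPasswordAge
    } else {
        $source = 'Default domain policy'
        $minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
    }

    $result = [ordered]@{
        User            = $user.SamAccountName
        PolicySource    = $source
        MinPasswordAge  = $minAge
        PasswordLastSet = $user.PasswordLastSet
        EarliestChange  = $null
        BlockedByMinAge = $null
    }

    if ($null -ne $user.PasswordLastSet) {
        # The password cannot be changed by the user before this time.
        $result.EarliestChange  = $user.PasswordLastSet + $minAge
        $result.BlockedByMinAge = (Get-Date) -lt $result.EarliestChange
    }
    # PasswordLastSet is empty when pwdLastSet is 0; the age check is left unevaluated.
    [pscustomobject]$result
}

# 'jdoe' is a placeholder account name.
Test-AdMinPasswordAge -Identity 'jdoe' | Format-List
```

If `BlockedByMinAge` is False, look at the other settings in the reported policy (history, length, complexity), since any of them can produce the same Constraint Violation.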

 

 

KD: TEC1730092
