Anonymous_User Absent Member.

Change password with limited grace logins?


So we have a UP policy that gives the user 2 grace logins (due to auth
issues with NAM and IDM UserApp).
But since we're using SSPR3 (or trying to) now, I figured this would go
away, but it seems to be worse.

User logs into NAM with expired password (grace login gets decremented
from 2 to 1).
NAM SSO's to the SSPR interface (grace login gets decremented from 1 to
0).

I set SSPR to not require the password when expired.
So user enters NEW password.

The issue:

We require unique passwords, and it seems SSPR doesn't detect that the
password was previously used, until after you submit (okay maybe fine?)
But then, you've consumed all your grace logins and SSPR won't let you
back to the change password screen to enter a new/different password so
you have to call the helpdesk to have them re-up your grace logins or
re-set the password again.

Is there a way to configure SSPR (or is this an eDir/NMAS setting) so
that you can be allowed to enter a different password instead of the
"one shot" approach?


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=50241

Anonymous_User Absent Member.

Re: Change password with limited grace logins?


kjhurni;241921 Wrote:
> So we have a UP policy that gives the user 2 grace logins (due to auth
> issues with NAM and IDM UserApp)
> But since we're using SSPR3 (or trying to) now, I figured this would go
> away, but it seems to be worse.
>
> User logs into NAM with expired password (grace login gets decremented
> from 2 to 1).
> NAM SSO's to the SSPR interface (grace login gets decremented from 1 to
> 0)
>
> I set SSPR to not require the password when expired.
> So user enters NEW password.
>
> The issue:
>
> We require unique passwords, and it seems SSPR doesn't detect that the
> password was previously used, until after you submit (okay maybe fine?)
> But then, you've consumed all your grace logins and SSPR won't let you
> back to the change password screen to enter a new/different password so
> you have to call the helpdesk to have them re-up your grace logins or
> re-set the password again.
>
> Is there a way to configure SSPR (or is this an eDir/NMAS setting) so
> that you can be allowed to enter a different password instead of the
> "one shot" approach?


Hmm, this appears to be an issue with front-ending SSPR with NAM.

If I go directly (bypass NAM) I get the nice red wording that says
password is previously used.
If I go through NAM/AG, then it doesn't show up.

However, it seems that when SSPR checks the password, it also decrements
the grace login count.


--
kjhurni
