tschloesser

Forgotten Password and Password Expiration Time


Hi,

When a user's password expiration time is reached, the forgotten password
service runs into error 5026 after the user has entered the correct
challenge answer.

As soon as we manually change the password expiration time to the future
everything is working as designed.

I was able to run through the described scenario in a demo lab - but I
cannot get it to work in the current environment.

Unfortunately this is a show stopper, since the customer needs a
solution that enables users to set a new password if the password
expiration time is reached.

I guess it might be only a question of rights assignments, is it not?

Currently we are running everything under IDM 4.5.1
- SLES 11 SP3
- edir 8.8.8.5
- IDM 4.5.1
- sspr 3.2.0.3

Any hints?

Thorsten


--
tschloesser
------------------------------------------------------------------------
tschloesser's Profile: https://forums.netiq.com/member.php?userid=3232
View this thread: https://forums.netiq.com/showthread.php?t=53603

tschloesser

Re: Forgotten Password and Password Expiration Time


Found the solution.

The user changing the password needs rights to write the password
expiration time on his own object. After assigning this right through
[This] everything is working as designed.

I was hoping that the proxy user would be responsible for the changes -
this one has supervisor rights to all users - but unfortunately this is
not the case!


--
tschloesser
------------------------------------------------------------------------
tschloesser's Profile: https://forums.netiq.com/member.php?userid=3232
View this thread: https://forums.netiq.com/showthread.php?t=53603

Knowledge Partner

Re: Forgotten Password and Password Expiration Time

Did you try giving the user grace logins instead? If their password is
expired then they should no longer be able to login at all, unless the
administrator has made that login possible via grace logins. If they had
some, but those were consumed getting into the SSPR application then they
likely need more.

Giving the user the ability to modify their own expiration time seems like
the wrong fix since, at least if they are logging in via NDS Login
perpetually (less likely, but possible in many environments via other
applications), they could extend their password's lifetime indefinitely. A
login via NMAS will recalculate the expiration, but an attacker will
probably know that and avoid logging in that way as long as possible.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
tschloesser

Re: Forgotten Password and Password Expiration Time


Hi Aaron,

agreed, assigning those rights is far away from a solution - but it
was the only quick-fix possible.
I will try to assign rights to grace logins instead, but this is not
much better, since the user could extend the time he is able to login with an
unchanged password as well.

I have opened a service request on this issue and the first response was
the question to close the SR according to the fact I found a solution. I
stated there that I cannot accept such a solution.

But back to the case: First of all: we do not want to allow grace logins;
second: the customer needs a solution where users can re-enable their
login after the password expiration time is reached. According to
administration this is much more likely than a standard forgotten
password.

I was hoping that SSPR could help here - but maybe this will only be
possible by filing an enhancement request - or living with the "rights
fix" in the identity vault :-(

Thorsten


Knowledge Partner

Re: Forgotten Password and Password Expiration Time

On 06/05/2015 06:34 AM, tschloesser wrote:
>
> agreed, assigning those rights is far away from a solution - but it
> was the only quick-fix possible.
> I will try to assign rights to grace logins instead, but this is not
> much better, since the user could extend the time he is able to login with an
> unchanged password as well.


Both options treat the symptom and ignore the problem. This does not work
in any industry.

> But back to the case: First of all: we do not want to allow grace logins;
> second: the customer needs a solution where users can re-enable their
> login after the password expiration time is reached. According to


Being able to re-enable one's password after it is expired is exactly what
grace logins are for. Wanting one without the other does not make sense
to me, but both are essentially relaxing security on a user who is
breaking the rules (by allowing their password to expire (the real
problem)). The usual next response is about how the user did not know the
password would expire ahead of time. Because this is possible, grace
logins were invented to give users a quick, last chance to change their
password during the first login(s) after their password was expired.

Just like an account becoming expired, a password becoming expired is the
organization's way of stating it should not be used anymore, but now you
are adding ways (grace logins, letting the user change their own
expiration time) to let individual users bypass the organization's policy.
If the user needs to know about the organization's lack of allowance of
the old password ahead of time (to prevent the need for grace logins),
then the organization should tell them about this ahead of time,
preferably via something that can be tracked (e-mails are common). Adding
a password notification service as part of IDM, or from a CoolSolution
(there are a couple), or with your own home-grown app/script, is trivial,
and lets users know about passwords before they expire. If they then
ignore the requirements to change passwords ahead of time, they can be
told to (for example) have their manager reset their password after
it is expired. The manager can then find out why they ignored the (three,
usually) e-mails leading up to expiration, which often prevents further
problems. This approach treats the problem (password becoming expired per
org policy) rather than the symptoms (user not able to login).

> I was hoping that SSPR could help here - but maybe this will only be
> possible by filing an enhancement request - or living with the "rights
> fix" in the identity vault :-(


SSPR can definitely be used for regular password change events, not just
forgotten password situations. It also has Helpdesk functionality so that
your helpdesk users can reset others' passwords when they ignore
notifications about expiration approaching, or they forget current
passwords, or whatever.

tschloesser

Re: Forgotten Password and Password Expiration Time


Hi Aaron,

you are right, and we are planning to introduce a password notification
service together with SSPR.

The problem is that the customer thinks that most of his users will
ignore all warnings and usually the users (students) will not use the
service before they recognize they are unable to login anymore. When
I was testing SSPR (with an administrative user) where I manually set
the login expiration time to the past and grace logins remaining to "0", SSPR
was working. So we were happy to use it with regular users.

Unfortunately this did not work. I will try to configure the pwd policy
to allow at least one grace login and test if this would work without
assigning more rights to the individual user.

Thanks,

Thorsten


Knowledge Partner

Re: Forgotten Password and Password Expiration Time

On 6/5/2015 8:34 AM, tschloesser wrote:
>
> Hi Aaron,
>
> agreed, assigning those rights is far away from a solution - but it
> was the only quick-fix possible.
> I will try to assign rights to grace logins instead, but this is not
> much better, since the user could extend the time he is able to login with an
> unchanged password as well.
>
> I have opened a service request on this issue and the first response was
> the question to close the SR according to the fact I found a solution. I
> stated there that I cannot accept such a solution.
>
> But back to the case: First of all: we do not want to allow grace logins;
> second: the customer needs a solution where users can re-enable their
> login after the password expiration time is reached. According to
> administration this is much more likely than a standard forgotten
> password.
>
> I was hoping that SSPR could help here - but maybe this will only be
> possible by filing an enhancement request - or living with the "rights
> fix" in the identity vault :-(


Is there an option (somewhere, so many menus) to allow a user to unlock
instead of resetting? I.e. they do Challenge/Response via forgotten
password, and then when it is time to reset the password they get an
option to just clear Locked By Intruder? Now I am not sure if THEY need
permissions (which would be mad) or if the Proxy user model will work.


Knowledge Partner

Re: Forgotten Password and Password Expiration Time

On 6/5/2015 12:34 PM, Geoffrey Carman wrote:
> On 6/5/2015 8:34 AM, tschloesser wrote:
>>
>> Hi Aaron,
>>
>> agreed, assigning those rights is far away from a solution - but it
>> was the only quick-fix possible.
>> I will try to assign rights to grace logins instead, but this is not
>> much better, since the user could extend the time he is able to login with an
>> unchanged password as well.
>>
>> I have opened a service request on this issue and the first response was
>> the question to close the SR according to the fact I found a solution. I
>> stated there that I cannot accept such a solution.
>>
>> But back to the case: First of all: we do not want to allow grace logins;
>> second: the customer needs a solution where users can re-enable their
>> login after the password expiration time is reached. According to
>> administration this is much more likely than a standard forgotten
>> password.
>>
>> I was hoping that SSPR could help here - but maybe this will only be
>> possible by filing an enhancement request - or living with the "rights
>> fix" in the identity vault :-(

>
> Is there an option (somewhere, so many menus) to allow a user to unlock
> instead of resetting? I.e. they do Challenge/Response via forgotten
> password, and then when it is time to reset the password they get an
> option to just clear Locked By Intruder? Now I am not sure if THEY need
> permissions (which would be mad) or if the Proxy user model will work.


I re-read that and I think I hit the wrong point.

But back to Password Expiration... If you do a password change, I
thought NMAS was what changed the expiration date, not your user rights
specifically.


tschloesser

Re: Forgotten Password and Password Expiration Time


Hi,

in the case of the "old" password self service you were right. All
password-related processes were using NMAS - but SSPR does not. I guess it's
because of the fact that SSPR is a general service which can be used
against different repositories, so NMAS is not used deeply. SSPR for
example can store challenges in eDir, but not in the user's secret
store.

Thorsten


Knowledge Partner

Re: Forgotten Password and Password Expiration Time

On 06/09/2015 12:44 AM, tschloesser wrote:
>
> in the case of the "old" password self service you were right. All
> password-related processes were using NMAS - but SSPR does not. I guess it's


If you configure it that way, true, but SSPR has the option to use the
NMAS-based Challenge Set just like the older tools did, as well as being
able to use an outside store (its LocalDB option, or custom schema added
to an object in eDirectory or even microsoft active directory (MAD), or an
LDAP environment).

> because of the fact that SSPR is a general service which can be used
> against different repositories, so NMAS is not used deeply. SSPR for


Per your choice.

> example can store challenges in eDir, but not in the user's secret
> store.


The SecretStore has never been used by challenge/response, but as
mentioned above the attributes that NMAS uses to store challenge/response
information can be used by SSPR; it understands, and will use, the NMAS
calls. Whether or not you want to do that is up to you.

In your case you should never need to grant rights to individual users to
change their own accounts in the ways you have described. It is a
security violation, and needing to do that would be horrid. On the other
hand, if you are using a proxy user then perhaps it will need some rights
which have hitherto been missing. On the other hand, I'm pretty sure that
SSPR does not reach out and extend grace logins just before trying to do
an authentication as a user, as that too would be pretty odd.

The next step, I think, is to troubleshoot the root cause by getting an
LDAP trace from the backend to see what is really happening in both the
success and failure cases. Maybe eDirectory handles users differently
based on their rights to themselves, but I doubt it (quick testing says
'no'). An LDAP trace from ndstrace will give us some quick feedback and
remove the middle man (SSPR) from the equation as much as possible, while
still using it to perform the logins.

tschloesser

Re: Forgotten Password and Password Expiration Time


Hi Aaron,

I will dive deeper into the config to find out where to configure the use of
NMAS attributes to store NMAS challenges. So far, according to the
challenge answers, I only saw a choice between storing them in a DB or
in a new LDAP attribute.

Regarding the main topic of this thread you are right! It is no
option to assign so many rights to an individual user - that's why I
opened a SR on this one. Finally we came up with the solution to enable
grace logins. As long as the "Grace Logins" attribute is >0 the user is
able to use the forgotten password service even if the password is
expired. This does even work if the grace logins remaining are equal to 0!


So the solution is quite simple: enable grace logins and no additional
user rights have to be assigned 😉


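As an added example (not code from the thread, from NetIQ or from SSPR), the check below takes a user's eDirectory attributes and reports what the thread's final finding predicts for the forgotten-password flow: an expired password only blocks it when the policy has no grace logins, regardless of how many remain. It also computes the pre-expiry warning schedule Aaron recommends. The attribute names are eDirectory's LDAP schema names; the sample entries, the evaluation time and the 14/7/1-day schedule are constructed.

```python
from datetime import datetime, timezone

# Attribute names are eDirectory's LDAP schema names; all entries, timestamps
# and the warning schedule below are constructed for this example.
NOT_EXPIRED = "password not expired: normal forgotten-password flow"
GRACE_ENABLED = "grace logins enabled: forgotten password works past expiry"
GRACE_DISABLED = "grace logins disabled: expect error 5026 after the challenge"

def parse_edir_time(value):
    """Parse an eDirectory generalized-time value such as '20150605083400Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def diagnose(entry, now):
    """Classify a user entry per the thread's finding: only loginGraceLimit
    decides the outcome for an expired password, not loginGraceRemaining."""
    raw = entry.get("passwordExpirationTime")
    expired = raw is not None and parse_edir_time(raw) <= now
    grace_limit = int(entry.get("loginGraceLimit", 0))
    if not expired:
        verdict = NOT_EXPIRED
    elif grace_limit > 0:
        verdict = GRACE_ENABLED
    else:
        verdict = GRACE_DISABLED
    return {
        "expired": expired,
        "grace_limit": grace_limit,
        "grace_remaining": int(entry.get("loginGraceRemaining", 0)),
        "locked_by_intruder": entry.get("lockedByIntruder", "FALSE").upper() == "TRUE",
        "verdict": verdict,
    }

def notices_due(entry, now, schedule_days=(14, 7, 1)):
    """For a notification job run once a day at a fixed hour: which of the
    pre-expiry warnings (in days before expiry) is due on this run."""
    raw = entry.get("passwordExpirationTime")
    if raw is None:
        return []
    days_left = (parse_edir_time(raw) - now).days
    return [d for d in schedule_days if d == days_left]

# Constructed sample entries, evaluated at a fixed point in time.
NOW = datetime(2015, 6, 9, 8, 0, tzinfo=timezone.utc)
EXPIRED_NO_GRACE = {"cn": "student1", "passwordExpirationTime": "20150601000000Z",
                    "loginGraceLimit": "0", "loginGraceRemaining": "0"}
EXPIRED_WITH_GRACE = {"cn": "student2", "passwordExpirationTime": "20150601000000Z",
                      "loginGraceLimit": "3", "loginGraceRemaining": "0"}
EXPIRING_SOON = {"cn": "student3", "passwordExpirationTime": "20150616100000Z",
                 "loginGraceLimit": "3", "loginGraceRemaining": "3"}
```

Feed `diagnose` the same attributes read from the entry (for example via `ldapsearch`) for a user that fails and one that succeeds to see which of the two cases you are in before pulling an ndstrace.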