
Forgotten password not working right with NMAS


Assuming I've set up SSPR 3.0 correctly against eDir with existing NMAS
policies (password policies, forgotten password, etc.):

Apparently SSPR 3.0 is hard-coded to use recaptcha (you can't globally
turn it off, you can only use the selective "skip" parameter)?

So I set up the recaptcha stuff, but then ran into the proxy issue, and
seemed to fix that (at least the API errors went away).

Okay, so I go to the:
server/sspr

I click the Forgotten password

It asks me for my email and last name (fine)
I put the information in and click Search
I get the recaptcha
I input the info and click Verify

SSPR immediately takes me back to the "email/last name" page.

No acknowledgement that anything has been processed/sent, etc.

I did make sure I put the email server in the config setting

The debug logs indicate it's not liking the default tokens built into
SSPR for the email notifications?

Example:
Alert Notification <noreply@@SiteHost@>

(The documentation doesn't specifically state the above is invalid and
to replace it, nor does it state where to set the global variable:
"SiteHost")


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=50159


Re: Forgotten password not working right with NMAS




Okay, so even after adjusting that, the catalina.out (debug mode)
indicates there's some sort of error (java-wise) with the recaptcha/NMAS
stuff for some reason.

> 2014-03-03 11:49:28, DEBUG, operations.CrService, {p} will attempt to read the following storage methods: ["LDAP","NMAS"] for user cn=jsmith0001,ou=Users,o=ext1 [10.10.1.10]
> 2014-03-03 11:49:28, WARN , pwm.CaptchaFilter, {p} error during captcha filter: Servlet execution threw an exception [10.10.1.10]
> javax.servlet.ServletException: Servlet execution threw an exception
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:313)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at password.pwm.CaptchaFilter.processFilter(CaptchaFilter.java:68)
> at password.pwm.CaptchaFilter.doFilter(CaptchaFilter.java:50)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at password.pwm.SessionFilter.processFilter(SessionFilter.java:238)
> at password.pwm.SessionFilter.doFilter(SessionFilter.java:83)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at password.pwm.GZIPFilter.doFilter(GZIPFilter.java:45)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at password.pwm.ApplicationModeFilter.doFilter(ApplicationModeFilter.java:63)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> at java.lang.Thread.run(Thread.java:761)
> Caused by: java.lang.NoClassDefFoundError: com.sun.net.ssl.internal.ssl.Provider
> at java.lang.J9VMInternals.verifyImpl(Native Method)
> at java.lang.J9VMInternals.verify(J9VMInternals.java:73)
> at java.lang.J9VMInternals.initialize(J9VMInternals.java:135)
> at password.pwm.util.operations.cr.NMASCrOperator$NMASCRResponseSet.cycle(NMASCrOperator.java:187)
> at password.pwm.util.operations.cr.NMASCrOperator$NMASCRResponseSet.<init>(NMASCrOperator.java:178)
> at password.pwm.util.operations.cr.NMASCrOperator$NMASCRResponseSet.<init>(NMASCrOperator.java:155)
> at password.pwm.util.operations.cr.NMASCrOperator.readResponseSet(NMASCrOperator.java:76)
> at password.pwm.util.operations.CrService.readUserResponseSet(CrService.java:330)
> at password.pwm.servlet.ForgottenPasswordServlet.loadResponsesIntoBean(ForgottenPasswordServlet.java:282)
> at password.pwm.servlet.ForgottenPasswordServlet.advancedToNextStage(ForgottenPasswordServlet.java:464)
> at password.pwm.servlet.ForgottenPasswordServlet.processSearch(ForgottenPasswordServlet.java:186)
> at password.pwm.servlet.ForgottenPasswordServlet.processRequest(ForgottenPasswordServlet.java:113)
> at password.pwm.servlet.TopServlet.handleRequest(TopServlet.java:83)
> at password.pwm.servlet.TopServlet.doPost(TopServlet.java:145)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> ... 25 more
> Caused by: java.lang.ClassNotFoundException: com.sun.net.ssl.internal.ssl.Provider
> at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1399)
> at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1245)
> ... 42 more
> 2014-03-03 11:49:28, DEBUG, pwm.CaptchaFilter, {p} session requires captcha verification, redirecting to Captcha servlet [10.10.1.10]



--
kjhurni


Re: Forgotten password not working right with NMAS


And the plot thickens. If I create a brand new user and have them set up
their account (passwords/challenge/response) via SSPR, then the Forgotten
Password works.

So I'm guessing that the SSPR 3.0 isn't integrating properly with
existing NMAS attributes, even though the docs say this is possible and
the setting is enabled.

I'm going to open an SR and we'll see what NetIQ has to say.


--
kjhurni


Re: Forgotten password not working right with NMAS


1. If you remove the values for the public and private captcha keys,
recaptcha is not required or used. This is the default configuration.
So unless you enable it by configuring these settings, you shouldn't see
anything about captcha as a user.

2. If you share the debug trace of when the user tries to input the
token and it fails, that might help us troubleshoot the error.

3. The error exception you showed is showing a missing class file for a
core Java class. This would suggest that there is something wrong with
your Java installation, or that you are not using the Sun (now Oracle)
JDK. You need to use the Oracle JDK for SSPR to work properly.

4. The @SiteHost@ macro is calculated automatically, but if it can't be
figured out or it is incorrect, you can override it by setting the Site
URL in Settings -> Application -> SiteURL. If the SiteURL can't be
auto-determined you will see a warning in the health display.


--
jrivard
------------------------------------------------------------------------
jrivard's Profile: https://forums.netiq.com/member.php?userid=541
View this thread: https://forums.netiq.com/showthread.php?t=50159


Re: Forgotten password not working right with NMAS




Hi Jason

1) I was getting prompted for recaptcha without even configuring
anything. This is with the SSPR 3.0 code (no patches, etc.). You'd
actually get a little box with a broken image for the captcha stuff. So
either there's a bug, or the docs are plain wrong. That's what required
me to set up recaptcha (since the default has the private/public keys
blanked out).

2) I posted the debug trace already. OR did you mean something
different? (LDAP trace?) The error for #3 is the same error as when an
existing user tries to use the forgotten password.

3) Yes, this is the Sun Java 1.7.51 JDK; I used the RPM installer. I
don't believe it's really a Java issue, because:
If a new user is created in eDir and you use SSPR to set their password
and challenge/response, then you can use the "Forgotten Password" and it
works (well, other than it totally ignores the UP setting and it doesn't
email you the password, it forces you to change it instead). IF you
take a new user and use IDM UserApp to set the password and
challenge/response and THEN use SSPR to "forgotten password", it seems it
fails to read the NMAS attributes and that's why it chokes.

From what I can tell: Using SSPR to set your answers/questions actually
writes them to the SAS Login secret stuff AND the PWM attributes, but it
seems that if you didn't have the PWM attributes populated (meaning the
values), then SSPR doesn't work with the Forgotten password. Thereby
telling me that it's not integrating with NMAS properly (further
evidenced by the fact that it's not reading the challenge/response
action that's defined in the UP setting which is: email the user's
password, instead it's forcing the user to change the password
instead).

IF, however, you believe it's a Java issue, how do I go about verifying
the installation? I mean, everything else seems to be working fine (the
configuration thingy, the UI, etc.). The RPM installation from Sun is
pretty straightforward. Just download and run the RPM.


--
kjhurni


Re: Forgotten password not working right with NMAS




Okay, opened an SR. On a whim we applied the 3.0.0.2 patch. That
actually fixed the problem (although the docs are very wrong/incorrect
in their steps, so I had to redo it a couple of times because the steps
are out of order/wrong).

Second:
SSPR doesn't actually read the full NMAS Forgotten Password settings.
It completely ignores the "Action" section (as setup in iManager). This
is a bug/WAD. So you have to set this behavior in SSPR itself.

UNFORTUNATELY:
If you elect to have SSPR email the password to the user, it:
a) randomly generates a password and emails it
b) DOES NOT EXPIRE the password.

I'm not sure HOW this is possible, since normal eDir/NMAS behavior is
that if anyone other than the user sets the password, it auto-expires
the password, so that the user is forced to change the password on the
next login (to avoid the Admin setting the password and logging in
and gaining access to stuff without the user knowing about it).

I have no idea HOW SSPR is able to set the password (since the user
isn't authenticated, they "forgot" their password) but keep it with the
original expiration date.


--
kjhurni
