jameswatson3 Absent Member.

New Password Does not Meet Rule Requirements - Undefined


Running SSPR 3.3.0.1 on Win2012R2

Baffled by inability to change passwords on a small subset of users in
AD. Help Desk currently using SSPR successfully to change passwords on
vast majority of users in our directory. I'm hoping I've got the
blinders on and am missing something obvious but am stumped at this
point.

When attempting pw change from HelpDesk module, the target user
successfully shows the correct profile in "Password Policy." That
specific policy contains default values.

Attempting to change the password returns:

"New password does not meet rule requirements

undefined"

Reviewing the log at trace level does not reveal anything when searching
for "undefined"

I'm happy to paste the log of the trace here or on onedrive if it is
safe to do so (the log file, not the config file which I realize
contains credentials)

Any suggestions how to troubleshoot this further?


--
jameswatson3
Knowledge Partner

Re: New Password Does not Meet Rule Requirements - Undefined

Does it return when you submit the new password, or is this before you
send the password, meaning SSPR itself is doing the calculation? I
presume the latter.

Is SSPR able to view all of the password policy information in the MAD
environment, or could its own proxy user lack rights there? Have you
tried using a proxy user that is an administrator to rule out rights
issues in MAD?

--
Good luck.

Micro Focus Contributor

Re: New Password Does not Meet Rule Requirements - Undefined


jameswatson3;265403 Wrote:
> Running SSPR 3.3.0.1 on Win2012R2
>
> Baffled by inability to change passwords on a small subset of users in
> AD. Help Desk currently using SSPR successfully to change passwords on
> vast majority of users in our directory. I'm hoping I've got the
> blinders on and am missing something obvious but am stumped at this
> point.
>
> When attempting pw change from HelpDesk module, the target user
> successfully shows the correct profile in "Password Policy." That
> specific policy contains default values.
>
> Attempting to change the password returns:
>
> "New password does not meet rule requirements
>
> undefined"
>
> Reviewing the log at trace level does not reveal anything when searching
> for "undefined"
>
> I'm happy to paste the log of the trace here or on onedrive if it is
> safe to do so (the log file, not the config file which I realize
> contains credentials)
>
> Any suggestions how to troubleshoot this further?



Try doing the same change using ADUC as the helpdesk user (or proxy user
if helpdesk proxy user is enabled) and see if you get a better error
message. AD LDAP password error messages sometimes aren't very
descriptive.


--
jrivard
jameswatson3 Absent Member.

Re: New Password Does not Meet Rule Requirements - Undefined


SSPR checks the password validity against the rules, declares it
matching and then allows me to submit the request. At that point I get
the error.

The default LDAP profile includes an LDAP Proxy User. That user is a
member of Account Operators and has been tested to be able to change
these specific passwords in ADUC. This is what the Help Desk module is
using I'm presuming and it is able to change all other staff and
students in our environment. Only these utility accounts (in the same
directory tree path) are throwing the error.

There is effectively no domain password policy in AD. Passwords have
traditionally been managed by connected identity management systems and
synchronized to AD. So in this case as well, the Password Policy Source
is "Local".

Does this shed any additional light?


--
jameswatson3
Knowledge Partner

Re: New Password Does not Meet Rule Requirements - Undefined

jameswatson3 <jameswatson3@no-mx.forums.microfocus.com> wrote:

> The default LDAP profile includes an LDAP Proxy User. That user is a
> member of Account Operators and has been tested to be able to change
> these specific passwords in ADUC.

So you are saying that the same password can be set on other user objects
in AD?
You haven't said that you have tested setting via ADUC the exact same
password on the problematic user using the same proxy account to actually
set the password.

> This is what the Help Desk module is
> using I'm presuming and it is able to change all other staff and
> students in our environment. Only these utility accounts (in the same
> directory tree path) are throwing the error.

Are there portions of the utility account name in the proposed password?

> There is effectively no domain password policy in AD. Passwords have
> traditionally been managed by connected identity management systems and
> synchronized to AD.

Is AD password complexity on or off?
Is there any history tracked for passwords?

There are a lot of guesses in what you are saying. I suggest you verify each
step, starting with trying to set the same password manually on the problem
account.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
jameswatson3 Absent Member.

Re: New Password Does not Meet Rule Requirements - Undefined


Further testing seems to indicate that it is not using the proxy
account like I thought. Under the same Help Desk Profile, if I log in to
SSPR as a domain admin, I can change the password, but when logging in
as myself I can't. That reflects AD permissions.

Hopefully this is a much simpler question that I should have answered
during installation. Sorry to ask a RTFM question but do you know off
the top of your head where to set SSPR to use the proxy account for the
HelpDesk module? I thought I had already done that but must be mistaken.


--
jameswatson3
jameswatson3 Absent Member.

Re: New Password Does not Meet Rule Requirements - Undefined


Found it!

"Use Proxy Connection" is not set by default in the Help Desk Profile.
That took care of it.

Thanks for the help. Turned out to be a silly question but at least got
to practice my troubleshooting. Thanks again to everybody.


--
jameswatson3
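
Added example, not part of the thread: because the failure followed the AD permissions of whichever account SSPR bound as, one way to see why only some accounts fail is to compare who holds the "Reset Password" right on a working account and on a failing one. The account names are placeholders, and the script assumes the RSAT ActiveDirectory module and an account allowed to read the objects' ACLs.

```powershell
# Added example: diff the "Reset Password" ACEs of two AD user objects.
Import-Module ActiveDirectory

# rightsGuid of the User-Force-Change-Password ("Reset Password") control
# access right. An empty GUID on an ACE means "all extended rights".
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordAce {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # True means the object no longer inherits ACEs from its parent OU,
    # so a delegation made on the OU does not reach it.
    Write-Host "$SamAccountName inheritance blocked: $($acl.AreAccessRulesProtected)"

    $acl.Access |
        Where-Object {
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $ResetPassword -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $SamAccountName
                Principal = $_.IdentityReference.Value
                Type      = $_.AccessControlType   # Allow or Deny
                Inherited = $_.IsInherited
            }
        }
}

# Placeholders: one account the Help Desk can reset, one that fails.
$working = @(Get-ResetPasswordAce -SamAccountName 'working.user')
$failing = @(Get-ResetPasswordAce -SamAccountName 'utility.account')

# "<=" rows exist only on the working account, "=>" only on the failing one.
Compare-Object $working $failing -Property Principal, Type, Inherited |
    Sort-Object Principal |
    Format-Table Principal, Type, Inherited, SideIndicator -AutoSize
```

A principal that appears only with `<=` is one whose reset right does not reach the failing account; check whether the Help Desk operator or the proxy user depends on it.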