SSPR 5071 ERROR while accessing SSPR from user application (only a few users getting the issue).


We are getting 5071 ERROR_OAUTH_ERROR for a few users accessing SSPR from the user application.
I see a few posts related to the SSPR 5071 error, but the issue we have is that the 5071 ERROR_OAUTH_ERROR is coming only for a few users. Most of the users are able to access SSPR successfully, but a few users are getting the 5071 ERROR_OAUTH_ERROR.

Not able to understand why only a few users are getting this issue.

The catalina.out log shows further details related to this issue:
(5026 ERROR_BAD_SESSION_PASSWORD (unable to authenticate with password read from directory, check proxy rights, ldap logs; error: 4006 PASSWORD_BADPASSWORD (unable to create connection: unable to bind to ldaps://localhost:636 as cn=123456,ou=test,ou=users,o=data reason:
[LDAP: error code 19 - Constraint Violation]))) []
ERROR, oauth.OAuthConsumerServlet, {30480} error during OAuth authentication attempt:

Not able to understand what the root cause of the error is, due to the multiple errors being shown in the logs.

I tried the solutions which are specified in the earlier posts related to this issue - 5071 ERROR_OAUTH_ERROR:
1. SSPR Proxy User rights to read the universal password are set
2. Deleted SSPR cache files and restarted
3. Make sure the OAuth configuration defined in SSPR matches the configuration defined in IDM
4. Make sure the secrets shared between SSPR and OSP are correct

Since the issue is coming only for a few users and not for all the users, I assume the root cause is totally different for the issue we are having.

Our environment:
Identity Manager AE
OSP - 6.1.6
SSPR v4.2.0.1
Operating System - WINDOWS 2012R2

Appreciate any help in trying to understand what might be the root cause of the issue.

1 Reply
Knowledge Partner

Re: SSPR 5071 ERROR while accessing SSPR from user application (only a few users getting the issue).

The first obvious thought to explain why some users and not others is to check the status of Universal Password on these users.

So get Console2 from http://sneakycat.biz or DumpUP from https://ldapwiki.com/wiki/DumpEdirectoryPasswordInformationTool


And on either, look at the report for a user (in C2 it is Retrieve Info; DumpUP does only this task) and see if they have anything odd about their UP/Simple/NDS passwords.

Compare one who works and one who fails, perhaps something will jump out at you?
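
As an added example (not part of the original posts and not Micro Focus code): a Python script that unwinds the nested SSPR errors in catalina.out to the innermost LDAP result code and groups the failing bind DNs by it, so the affected users can be picked out for the password-status comparison suggested above. The function names, the result-code table and the second sample record are assumptions made here; the first sample record follows the excerpt in the question.

```python
import re
from collections import defaultdict

# Standard LDAP result codes (RFC 4511) that can come back on a failed bind.
LDAP_RESULT = {19: "constraintViolation", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}

# A bind failure as logged; the record may wrap onto a new line after "reason:".
BIND_FAIL = re.compile(
    r"unable to bind to (?P<url>\S+) as (?P<dn>.+?)\s+reason:\s*"
    r"\[LDAP: error code (?P<code>\d+) - (?P<text>[^\]]+)\]", re.S)
# SSPR's own wrapper errors, e.g. "5026 ERROR_BAD_SESSION_PASSWORD".
SSPR_ERR = re.compile(r"\b(\d{4}) ([A-Z][A-Z_]+)\b")

def bind_failures(log_text):
    """One dict per failed bind: DN, innermost LDAP code, SSPR wrapper chain."""
    out, prev_end = [], 0
    for m in BIND_FAIL.finditer(log_text):
        # Wrapper errors are whatever SSPR codes precede this bind failure.
        wrappers = [f"{c} {n}" for c, n in
                    SSPR_ERR.findall(log_text[prev_end:m.start()])]
        code = int(m["code"])
        out.append({"dn": m["dn"].strip(), "ldap_code": code,
                    "ldap_name": LDAP_RESULT.get(code, m["text"].strip()),
                    "chain": wrappers})
        prev_end = m.end()
    return out

def dns_by_cause(log_text):
    """Group the affected DNs by the LDAP result code the directory returned."""
    groups = defaultdict(set)
    for f in bind_failures(log_text):
        groups[f["ldap_code"]].add(f["dn"])
    return {code: sorted(dns) for code, dns in groups.items()}

# Constructed sample: the first record follows the excerpt in the question;
# the second record (cn=654321, code 49) is invented for contrast.
SAMPLE = """(5026 ERROR_BAD_SESSION_PASSWORD (unable to authenticate with password read from directory, check proxy rights, ldap logs; error: 4006 PASSWORD_BADPASSWORD (unable to create connection: unable to bind to ldaps://localhost:636 as cn=123456,ou=test,ou=users,o=data reason:
[LDAP: error code 19 - Constraint Violation]))) []
ERROR, oauth.OAuthConsumerServlet, {30480} error during OAuth authentication attempt:
(5026 ERROR_BAD_SESSION_PASSWORD (error: 4006 PASSWORD_BADPASSWORD (unable to create connection: unable to bind to ldaps://localhost:636 as cn=654321,ou=test,ou=users,o=data reason: [LDAP: error code 49 - Invalid Credentials]))) []
"""

if __name__ == "__main__":
    for code, dns in sorted(dns_by_cause(SAMPLE).items()):
        print(code, LDAP_RESULT.get(code, "?"), dns)
```

Run against the real catalina.out, the DNs grouped under each code are the accounts to compare against a user who can log in.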
