000032280 - User gets a password change request for every login to RSA Adaptive Authentication (On Prem) Back Office after upgrading from version 6 to 7

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032280
Applies ToRSA Product Set: Adaptive Authentication (On Prem)
RSA Product/Service Type: Adaptive Authentication (On Prem)
RSA Version/Condition: 7.1
IssueAfter upgrading from Adaptive Authentication (on Prem) 6.0.2.1 SP3 P4 to Adaptive Authentication (on Prem) 7.1 P6, users cannot login to Back Office because the user will be prompted for a password change each time.
ResolutionThis is a known issue when upgrading Adaptive Authentication (on Prem) version 6.x to version 7.x. Back Office looks at the RSA_CORE.GEN_CONFIG_PARAM_VALUE table's PASSWORD_EXPIRATION_PERIOD column value and decides whether the user's password has expired.  When the value is either -1 or 0, change the value to 90. This will force user to change password after 90 days.
The password expiration period can be set one of two ways:
Using the AAOP Back Office webpage
  1. Log into the AAOP Back Office (http://<IP address:<port>/backoffice).
  2. Select the Administration tab, which resides on the blue banner between Policy Management and Customer Service.
  3. Select Back Office Applications from the list of components on the left-hand side of the screen.
  4.  In the first section, titled Authentication, enter a value (in days) for which the password will be valid before it expires.  A value of 90 would mean the password will expire after 90 days.
  5. Click Save.
  6. Click Publish.
  7. A new screen will be created.  Click on the Publish button, located at the bottom of the screen.  This returns you to the Administration tab.
Editing password expiration through SQL
  1. To see the current value stored in the database, run the following SQL query:                             
SELECT * FROM RSA_CORE.GEN_CONFIG_PARAM_VALUE WHERE GEN_CONFIG_PARAM_ID = (SELECT ID FROM RSA_CORE.GEN_CONFIG_PARAM 
WHERE name = 'PASSWORD_EXPIRATION_PERIOD' AND version='1');

  1. To set a new value, for example, of 90 days use the update command below:                        
UPDATE RSA_CORE.GEN_CONFIG_PARAM_VALUE SET VALUE='90' WHERE ID='40281d9a4f037dcc014f03846eaa001a' 
AND GEN_CONFIG_PARAM_ID='<value output in the command above>';

  1. After setting the new password expiration period, the current password for the user(s) should still be valid, and no further password expiration message will be displayed.

Attachments

    Outcomes