000011728 - Error: "Password policy not satisfied" when using the RSA Authentication Manager 7.1 SDK

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000011728
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager SDK
RSA Version/Condition: 7.1
Issue: When using the AdminAPIDemos.cs and the AdminAPIDemos.java, the following error is seen:
Error: Password policy not satisfied
   at com.rsa.command.SOAPCommandTarget.executeCommand(TargetableCommand command)
   at com.rsa.command.TargetableCommand.execute(CommandTarget target)
   at com.rsa.command.TargetableCommand.execute()
   at com.rsa.samples.admin.AdminAPIDemos.updateUser(PrincipalDTO user)
   at com.rsa.samples.admin.AdminAPIDemos.doUpdate()
   at com.rsa.samples.admin.AdminAPIDemos.Main(String[] args)
Cause: This error may be generated if you run the AdminAPIDemos sample with the "update" option more than once.

This is the expected behavior on a default RSA Authentication Manager 7.1 system. A default Authentication Manager 7.1 system has a password policy that is configured to disallow re-use of the last three passwords. If you run the sample code a number of times, these may be the actions you are carrying out:


  • Create user "jdoe" with password "Password123!"
  • Update user "jdoe" and change password to "MyNewP4ssW0rD1!"
  • Update user "jdoe" and change password to "MyNewP4ssW0rD1!"       
This second update would usually cause an exception, as this password has already been used.
Resolution: The sample code demonstrates how to avoid this error. If you run the sample code with the "disable" option, it will disable this password feature and allow the same password to be set repeatedly. An administrator with the appropriate privilege can set the same option in the Security Console by selecting Authentication > Policies > Password Policies > Manage Existing, then using the context-sensitive menu to edit the policy that is marked as the default policy and looking at the Restrict Re-Use values under Lifetime.

If the sample code is run with the "disable" option then it will set this value to "Users can re-use any previous password."


Note:  The sample will not switch the setting back to the default, so after running the API sample make sure that you use the Security Console to review and reset the value to match your own company policy.  The default value is that users may not re-use the last three passwords.
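
The following is an added example, not code from the RSA SDK or its samples: a minimal Python model of a password re-use restriction that replays the create/update/update sequence described above. The class and function names, the PBKDF2 parameters and the choice to count the current password in the history are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class PasswordPolicyError(Exception):
    """Raised when a new password violates the re-use restriction."""


class PasswordHistory:
    """Hypothetical model of a policy that blocks re-use of recent passwords.

    history_depth=3 mirrors the default described in the article;
    history_depth=0 mirrors "Users can re-use any previous password."
    """

    def __init__(self, history_depth=3, iterations=100_000):
        self.history_depth = history_depth
        self.iterations = iterations  # constructed work factor for the model
        self._history = {}  # user -> list of (salt, digest), newest last

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def set_password(self, user, password):
        entries = self._history.setdefault(user, [])
        # Only the newest `history_depth` entries are checked. Each entry has
        # its own salt, so the candidate is re-hashed once per stored entry.
        recent = entries[-self.history_depth:] if self.history_depth else []
        for salt, digest in recent:
            if hmac.compare_digest(self._digest(password, salt), digest):
                raise PasswordPolicyError("Password policy not satisfied")
        salt = os.urandom(16)
        entries.append((salt, self._digest(password, salt)))


def run_sample_sequence(history_depth):
    """Replay the article's three actions for "jdoe" and return each outcome."""
    store = PasswordHistory(history_depth=history_depth)
    outcomes = []
    for password in ("Password123!", "MyNewP4ssW0rD1!", "MyNewP4ssW0rD1!"):
        try:
            store.set_password("jdoe", password)
            outcomes.append("ok")
        except PasswordPolicyError as exc:
            outcomes.append(str(exc))
    return outcomes


if __name__ == "__main__":
    print("depth 3:", run_sample_sequence(3))
    print("depth 0:", run_sample_sequence(0))
```

With a depth of 3 the third action fails; with a depth of 0 the same sequence succeeds, which is the state the "disable" option leaves behind until the policy is reset.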

Legacy Article ID: a44614
