000027895 - Password change fails for users in an external identity source via Self-Service Console in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support on Jan 8, 2020.
Version 4

Article Number: 000027895
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
3rd-party Product: Microsoft Active Directory

Issue

Users from an external identity source encounter the following error when changing their password in the Self-Service Console via the Forgot Your Password link:

There was a problem processing your request.
The operations failed because an identity source is read-only. Please contact your System Administrator


The /opt/rsa/am/server/logs/imsTrace.log shows the following error:
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
        at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
        at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at com.sun.proxy.$Proxy174.validateRequest(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at com.sun.proxy.$Proxy175.validateRequest(Unknown Source)
        at com.rsa.ucm.internal.ssointegration.DefaultSelfServiceOperationManagerImpl.validateRequest(DefaultSelfServiceOperationManagerImpl.java:155)
        at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.processNonWorkflowRequest(AddRequestHandlerImpl.java:395)
        at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.addUCMRequest(AddRequestHandlerImpl.java:176)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Cause

The configured LDAP identity source has read-only access, so Authentication Manager cannot write a new password to the directory.
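A small triage helper, added here as an example (not part of the article or of the RSA product), that scans imsTrace.log text for the read-only identity source error shown above and extracts the timestamp, host and identity source ID of each occurrence, then counts failures per identity source. The line format is taken from the entry quoted in this article; the sample log text is constructed.

```python
import re
from collections import Counter

# Constructed sample of /opt/rsa/am/server/logs/imsTrace.log content. The first entry is
# the one quoted in this article; the second is made up here (same host and identity
# source ID) to show aggregation, and the INFO line shows unrelated entries are skipped.
SAMPLE_LOG = """\
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
        at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
2014-10-17 14:30:02,001, [[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
2014-10-17 14:31:10,500, [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'], (Other.java:10), trace.com.rsa.other, INFO, testAM81pri.kangnet.local,,,,
"""

# Header line of a UCM_INVALID_ARGUMENT_EXCEPTION entry: "timestamp, ..., ERROR, host,,,,ReasonKey[...]"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}), .*?, ERROR, "
    r"(?P<host>[^,]+),+ReasonKey\[UCM_INVALID_ARGUMENT_EXCEPTION\]$"
)
# Exception line that follows it; the 32-hex-digit value is the identity source ID.
READONLY_RE = re.compile(
    r"^com\.rsa\.common\.InvalidArgumentException: "
    r"The specified identity source is readonly : (?P<src>[0-9a-f]{32})$"
)

def find_readonly_failures(log_text):
    """Return one dict per read-only identity source failure found in log_text."""
    events, pending = [], None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending = header.groupdict()  # keep timestamp/host until the exception line
            continue
        ro = READONLY_RE.match(line)
        if ro and pending:
            events.append({"timestamp": pending["ts"], "host": pending["host"],
                           "identity_source": ro.group("src")})
        pending = None  # any other line ends the current entry
    return events

def summarize(events):
    """Count failures per identity source ID; look the ID up in the Security Console."""
    return Counter(e["identity_source"] for e in events)

if __name__ == "__main__":
    for src, n in summarize(find_readonly_failures(SAMPLE_LOG)).items():
        print(f"identity source {src}: {n} failed self-service password change(s)")
```

Run it against the real log with `find_readonly_failures(open(path).read())`; a non-zero count for an identity source confirms this article's cause rather than a connectivity or credential problem.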
Resolution

This is functioning as designed, as documented on page 115 of the RSA Authentication Manager 8.1 Administrator's Guide, which states that LDAP users are not able to change their password via the Forgot Your Password link in the Self-Service Console.

Users can change their passwords when prompted during authentication, not when requested with the Forgot Your Password link. Authentication Manager prompts the user to change the password during authentication when one of the following conditions applies in the LDAPS configuration:

  • The user's password has expired.
  • An Authentication Manager administrator has edited the user record to force a password change by checking the Require the user to change password at next logon box (Identity > Users > Manage Existing > select a user > click Edit in the context menu).
  • The LDAP directory is configured to require the user to reset the password the next time the user authenticates.
Workaround

  • Administrators can manually change an LDAP user's password in the Security Console.
  • Users in the internal database can change their password via the Self-Service Console.
  • Configure LDAP with a secure connection (LDAPS).
  • Confirm that the LDAPS Connection test succeeds in the Operations Console.
  • Confirm that the Forgot Your Password link is enabled. In the Security Console:

  1. Click Setup > Self-Service Settings.
  2. On the Settings page, under Customization, click Enable or Disable Self-Service Features.
  3. Under Set Display Options for Self-Service Console - Home Page, confirm that the Forgot Your Password link is checked.
