000027895 - Failing to change password via Self-service console in Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000027895
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: Linux
Platform (Other): null
O/S Version: Suse Linux 11
Product Name: RSA-0010810
Product Description: RSA-0010810
3rd-party Product: Microsoft Active Directory
Issue
Users from an external identity source encounter an error when changing their password in the Self-Service Console via the "Forgot your password" link:
"There was a problem processing your request.
The operations failed because an identity source is read-only. Please contact your System Administrator."
imsTrace.log shows the following:
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
   com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
           at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
           at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
           at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
           at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
           at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
           at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
           at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
           at com.sun.proxy.$Proxy174.validateRequest(Unknown Source)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
           at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
           at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
           at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
           at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
           at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
           at com.sun.proxy.$Proxy175.validateRequest(Unknown Source)
           at com.rsa.ucm.internal.ssointegration.DefaultSelfServiceOperationManagerImpl.validateRequest(DefaultSelfServiceOperationManagerImpl.java:155)
           at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.processNonWorkflowRequest(AddRequestHandlerImpl.java:395)
           at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.addUCMRequest(AddRequestHandlerImpl.java:176)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Cause
The configured LDAP identity source is set to read-only access.
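A triage sketch for the log signature above (an added example, not RSA code): it groups imsTrace.log lines into records and flags only those where the read-only identity source exception was raised through UpdatePasswordValidator, the frame shown in the trace. The sample log is constructed from the excerpt above, and the function names are hypothetical.

```python
import re

RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}), ")
HOST = re.compile(r"\), [\w.]+, ERROR, ([^,]*),")   # "(File.java:N), logger, ERROR, host,"
READONLY = re.compile(r"identity source is readonly : ([0-9a-f]+)")
RESET_FRAME = "UpdatePasswordValidator.validateRequest"

def split_records(text):
    """Group each timestamped header line with the exception and stack lines after it."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return records

def readonly_reset_failures(text):
    """Return one dict per password-change request rejected for a read-only identity source."""
    hits = []
    for rec in split_records(text):
        header, body = rec[0], "\n".join(rec[1:])
        ids = READONLY.search(body)
        if "ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]" not in header or not ids:
            continue
        if RESET_FRAME not in body:   # same exception, but not from a password update
            continue
        host = HOST.search(header)
        hits.append({"time": RECORD_START.match(header).group(1),
                     "host": host.group(1) if host else "",
                     "identity_source": ids.group(1)})
    return hits

# Constructed sample: record 1 is abridged from the excerpt above; record 2 (unrelated INFO
# line) and record 3 (same exception without the password-update frame) are invented.
SAMPLE = """\
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
   com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
           at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
           at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
2014-10-17 14:23:01,002, [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'], (Example.java:1), trace.example.Constructed, INFO, testAM81pri.kangnet.local,,,,constructed unrelated message
2014-10-17 14:25:10,300, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
   com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
           at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
"""

if __name__ == "__main__":
    for hit in readonly_reset_failures(SAMPLE):
        print(hit)
```

The identity source ID in each hit identifies which configured directory rejected the request, which helps when more than one external identity source is linked.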
Resolution

This is functioning as designed, as stated on page 115 of the RSA Authentication Manager 8.1 Administrator's Guide.
LDAP users are not able to change their password via the "Forgot your password" link in the Self-Service Console.
Users can change their passwords when prompted during authentication, not when requesting it through the "Forgot your password" link.
The user is prompted to change the password when one of the following conditions applies in an LDAPS configuration:
- The user's password has expired.
- An Authentication Manager administrator has edited the user's record to force a password change by checking the "Require the user to change password at next logon" box (Identity > Users > Manage existing > select a user and click Edit in the context menu).
- The LDAP directory is configured to require the user to reset the password the next time the user authenticates.

Workaround
- Administrators can manually change an LDAP user's password in the Security Console.

- Users in the internal database can change their password via the Self-Service Console.
Configure LDAP with Secure Connection
LDAPS connection test is successful in the Operations Console
"Forgot Your Password Link" is checked
In the Security Console, click Setup > Self-Service Settings. On the Settings page, under Customization, click Enable or Disable Self-Service Features.
Under Set Display Options for Self-Service Console - Home Page, Forgot Your Password Link is checked
