000021608 - RSA ClearTrust error while changing an Active Directory user password

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021608
Applies To: RSA ClearTrust 5.5.2 Authorization Server (AServer)
Microsoft Windows 2000 Professional SP4
Microsoft Active Directory
Issue: RSA ClearTrust error while changing an Active Directory user password
RSA ClearTrust API returns the following error:

[sirrus.api.client.ShouldNotOccurError: sirrus.api.client.OperationNotSupportedException: Active Directory is unwilling to save one of the changes you made to this user. Microsoft Support has some questions concerning the Admin API that we need help answering.
ClearTrust Entitlements Manager returns the following error:

Active Directory is unwilling to save one of the changes you made to this user. Please ask your Active Directory Systems Administrator about any constraints placed on users.
Cause: Active Directory returns the following error message:

additional info: 0000052D: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0

The most likely cause of this error is an attempt to update an AD user password over a non-SSL bind on port 389. AD requires that password modifications be made only over a secure SSL bind on port 636. This error might also be thrown if the password does not adhere to the Domain password policy in effect for this user. For more information, see Microsoft's Web site at http://support.microsoft.com/default.aspx?scid=kb;en-us;290124.
Resolution: To correct this issue, ensure that the AD datastore uses SSL by setting the following in the ldap.conf file:

    cleartrust.data.ldap.directory.ad-primary.ssl.use             :Auth

Also, ensure that the password you are trying to set adheres to the Domain Password Policy for the Active Directory Domain.
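
The following is an added example, not RSA code: it parses the Active Directory error string from the Cause section and the ldap.conf property from the Resolution section, then lists the article's two checks in order. The function names, the '#' comment convention and the OTHER_VALUE placeholder are assumptions made for illustration.

```python
import re

# Layout of the "additional info" string quoted in the Cause section.
AD_ERR = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>\w+)\), data (?P<data>-?\d+)"
)
# Property from the Resolution section; "Auth" is the value the article sets.
SSL_KEY = "cleartrust.data.ldap.directory.ad-primary.ssl.use"


def parse_ad_error(line):
    """Split an AD extended error string into its fields, or return None."""
    m = AD_ERR.search(line)
    if not m:
        return None
    f = m.groupdict()
    f.update(code=int(f["code"], 16), problem=int(f["problem"]), data=int(f["data"]))
    return f


def ssl_use(conf_text):
    """Return the ssl.use value for the ad-primary datastore, or None if unset."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        key, sep, val = line.partition(":")
        if sep and key.strip() == SSL_KEY:
            value = val.strip()  # a later definition overrides an earlier one
    return value


def triage(error_line, conf_text):
    """Order the article's two checks for a WILL_NOT_PERFORM password failure."""
    err = parse_ad_error(error_line)
    if err is None or err["name"] != "WILL_NOT_PERFORM":
        return ["not the error covered by this article"]
    steps = []
    if ssl_use(conf_text) != "Auth":
        steps.append("set %s to Auth so password changes use an SSL bind" % SSL_KEY)
    steps.append("confirm the new password meets the domain password policy")
    return steps


# Constructed sample input: the article's error line and a placeholder ldap.conf.
SAMPLE_ERROR = "additional info: 0000052D: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0"
SAMPLE_CONF = "# constructed example\n" + SSL_KEY + "   :OTHER_VALUE\n"
```

Calling triage(SAMPLE_ERROR, SAMPLE_CONF) returns both checks; with the property already set to Auth, only the password policy check remains.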
Workaround: An attempt is made to change or set the password for an Active Directory User
Legacy Article ID: a23916
