|Applies To||RSA ClearTrust 5.5.2 Authorization Server (AServer)|
Microsoft Windows 2000 Professional SP4
Microsoft Active Directory
|Issue||RSA ClearTrust error while changing an Active Directory user password|
RSA ClearTrust API returns the following error:
[sirrus.api.client.ShouldNotOccurError: sirrus.api.client.OperationNotSupportedException: Active Directory is unwilling to save one of the changes you made to this user. Microsoft Support has some questions concerning the Admin API that we need help answering.
ClearTrust Entitlements Manager returns the following error:
Active Directory is unwilling to save one of the changes you made to this user. Please ask your Active Directory Systems Administrator about any constraints placed on users.
|Cause||Active Directory returns the following error message:|
additional info: 0000052D: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0
The most likely cause of this error is an attempt to update an AD user password over a non-SSL bind on port 389. AD requires that password modifications be made only over a secure SSL bind on port 636. This error might also be thrown if the password does not adhere to the Domain Password Policy in effect for this user. For more information, see Microsoft's Web site at http://support.microsoft.com/default.aspx?scid=kb;en-us;290124.
|Resolution||To correct this issue, ensure that the AD datastore is configured to use SSL in the ldap.conf file by setting the following:|
Also, ensure that the password you are trying to set adheres to the Domain Password Policy for the Active Directory Domain.
|Workaround||An attempt is made to change or set the password for an Active Directory User|
|Legacy Article ID||a23916|
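
The following triage helper is an added example, not code from RSA or from this article. It parses the Active Directory diagnostic string quoted under Cause and checks the bind URL against both causes the article names. The host name `dc01.example.test` is constructed; the mapping of 0x52D to `ERROR_PASSWORD_RESTRICTION` and the `unicodePwd` encoding are general Windows and Active Directory facts that the article does not state.

```python
import re
from urllib.parse import urlparse

# Leading hex field of AD's diagnostic string is a Win32 error code.
# 0x52D (1325) is ERROR_PASSWORD_RESTRICTION (general Windows fact, not from the article).
WIN32_NAMES = {0x52D: "ERROR_PASSWORD_RESTRICTION"}

DIAG_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): \w+: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>\w+)\)")

# The diagnostic string quoted in the article.
SAMPLE = ("additional info: 0000052D: SvcErr: DSID-031A0FBC, "
          "problem 5003 (WILL_NOT_PERFORM), data 0")

def parse_ad_diagnostic(message):
    """Split AD's 'additional info' string into its fields, or return None."""
    m = DIAG_RE.search(message)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    return {"win32": code, "win32_name": WIN32_NAMES.get(code, "UNKNOWN"),
            "dsid": m.group("dsid"), "problem": int(m.group("problem")),
            "problem_name": m.group("name")}

def encode_unicode_pwd(password):
    """Value AD expects in unicodePwd: the quoted password, UTF-16LE encoded."""
    return ('"' + password + '"').encode("utf-16-le")

def diagnose(url, message):
    """List the causes named in the article that apply to this failed change."""
    findings = []
    u = urlparse(url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    if u.scheme != "ldaps":
        findings.append("non-SSL bind on port %d: use ldaps:// on port 636" % port)
    diag = parse_ad_diagnostic(message)
    if diag and diag["problem_name"] == "WILL_NOT_PERFORM" and diag["win32"] == 0x52D:
        findings.append("%s: check the new password against the domain password policy"
                        % diag["win32_name"])
    return findings

if __name__ == "__main__":
    # dc01.example.test is a constructed host name.
    for url in ("ldap://dc01.example.test:389", "ldaps://dc01.example.test:636"):
        print(url, diagnose(url, SAMPLE))
```

A finding for the transport means the bind should be fixed first; the policy finding remains even on an SSL bind, matching the second cause above.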