000035186 - CyberArk and RSA Authentication Manager integration is unable to perform password change for RSA Security Console user ID

Document created by RSA Customer Support Employee on Jun 6, 2017
Version 1

Article Content

Article Number: 000035186
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 
Platform (Other): CyberArk Vault, CyberArk Privileged Account Security
Issue: The CyberArk Central Policy Manager (CPM) plugin for RSA Authentication Manager supports remote password management for the following types of RSA privileged users:

  • RSA Security Console Administrators.
When attempting to perform a password update, the following error is seen in the CyberArk logs*:
PluginWrapper :: printResultsToLog() --> Message = Verify process failed - Targe account - invalid username or bad password.

No entries are seen in the Authentication Manager Real-Time Authentication log.
* CyberArk uses the RSA Administration API to perform password updates.
Cause: The user in question was in Password Change Mode. It appears that CyberArk can update a password, but is not capable of responding to the password change prompts.
The RSA Security Console Administrator user ID had the option Require user to change password at next logon selected.
Resolution:
  1. Log in to the RSA Security Console.
  2. Look up the user (Identity > User > Manage Existing).
  3. When the user is returned, click on the arrow next to the user name and select Edit.
  4. Clear the check box next to the option Require user to change password at next logon.
  5. Click Save.