CyberArk and RSA Authentication Manager integration is unable to perform password change for RSA Security Console user ID

3 years ago

Originally Published: 2017-05-22

Article Number

000049996

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition:
Platform (Other): CyberArk Vault, CyberArk Privileged Account Security

Issue

The CyberArk Central Policy Manager (CPM) plugin for RSA Authentication Manager supports remote password management for the following types of RSA
privileged users:

RSA Security Console Administrators.

When attempting to perform a password update, the following error is seen in CyberArk logs*.

PluginWrapper :: printResultsToLog() --> Message = Verify process failed - Targe account - invalid username or bad password.

No entries are seen in the Authentication Manager Real-Time Authentication log

* It's important to note that CyberArk uses the RSA Administration API to perform password updates.

Cause

The cause of this issue was that the user in question was in Password Change Mode. It appears that CyberArk can update a password, but is not capable of responding to the password change prompts.

The RSA Security Console Administrator UserID had set the policy to Require user to change password at next logon.

Resolution

Login to the RSA Security Console.
Lookup the user (Identity > User > Manage Existing).
When the user is resturned, click on the arrow next to the user mane and select Edit.
Remove the check box next to the option to Require user to change password at next logon.
Click Save.

Don't see what you're looking for?

Related Articles

Trending Articles