Password change fails for users in an external identity source via Self-Service Console in RSA Authentication Manager 8.x
Originally Published: 2014-10-19
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
3rd-party Product: Microsoft Active Directory
Issue
There was a problem processing your request.
The operations failed because an identity source is read-only. Please contact your System Administrator
The /opt/rsa/am/server/logs/imsTrace.log shows the following error:
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy174.validateRequest(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy175.validateRequest(Unknown Source)
at com.rsa.ucm.internal.ssointegration.DefaultSelfServiceOperationManagerImpl.validateRequest(DefaultSelfServiceOperationManagerImpl.java:155)
at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.processNonWorkflowRequest(AddRequestHandlerImpl.java:395)
at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.addUCMRequest(AddRequestHandlerImpl.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
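The following is an added example, not RSA code or part of the original article: a small Python triage script that scans imsTrace.log lines for password-change requests rejected because the identity source is read-only, and reports which identity source ID and host logged them. It assumes every entry header follows the layout of the single excerpt above; the function and constant names are hypothetical, and the sample input is abridged from that excerpt plus one constructed entry.

```python
import re
from collections import defaultdict

# Entry header as in the excerpt above (layout assumed from that one sample):
# timestamp, [thread], (source:line), logger, LEVEL, host,,,,message
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}), \[.*\], "
    r"\((?P<src>[^)]*)\), (?P<logger>[^,]+), (?P<level>[A-Z]+), (?P<host>[^,]*),"
)
READONLY = re.compile(r"identity source is readonly : (?P<id>[0-9a-f]+)")
PASSWORD_FRAME = "UpdatePasswordValidator.validateRequest"

def parse_entries(lines):
    """Group raw lines into entries: one header plus its continuation lines."""
    entries = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "body": []})
        elif entries:  # exception text and stack frames belong to the last header
            entries[-1]["body"].append(line.strip())
    return entries

def readonly_password_failures(lines):
    """Map identity source ID -> [(timestamp, host)] for password changes
    rejected because that identity source is read-only."""
    hits = defaultdict(list)
    for entry in parse_entries(lines):
        body = "\n".join(entry["body"])
        found = READONLY.search(body)
        # Require the password validator frame so only password-change requests count.
        if entry["level"] == "ERROR" and found and PASSWORD_FRAME in body:
            hits[found.group("id")].append((entry["ts"], entry["host"]))
    return dict(hits)

# Sample input: first entry abridged from the trace above; second entry is constructed.
SAMPLE = """\
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
2014-10-17 14:23:01,002, [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'], (Example.java:10), trace.com.example.Constructed, INFO, testAM81pri.kangnet.local,,,,constructed unrelated entry
""".splitlines()

if __name__ == "__main__":
    for source_id, events in readonly_password_failures(SAMPLE).items():
        print(source_id, len(events), "rejected password change(s)", events)
```

To check a real system, pass the lines of /opt/rsa/am/server/logs/imsTrace.log to readonly_password_failures in place of SAMPLE.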
Cause
Resolution
This is functioning as designed. Page 115 of the RSA Authentication Manager 8.1 Administrator's Guide states that LDAP users are not able to change their password via the Forgot Your Password link in the Self-Service Console.
Users can change their passwords when prompted during authentication, not when requested with the Forgot Your Password link.
The user is prompted to change the password when one of the following conditions applies in an LDAPS configuration:
- The user's password has expired.
- An Authentication Manager administrator has edited the user's user record to force a password change by checking the Require the user to change password at next logon box (Identity > Users > Manage Existing > Select a user > Click Edit in the context menu).
- The LDAP directory is configured to require the user to reset the password the next time the user authenticates.
Workaround
- Administrators can manually change an LDAP user's password in the Security Console.
- Users in the internal database can change their password via the Self-Service Console.
- Configure LDAP with a secure connection.
- The LDAPS Connection test is successful in the Operations Console.
- The Forgot Your Password link is checked.
- In the Security Console:
  - Click Setup > Self-Service Settings.
  - On the Settings page, under Customization, click Enable or Disable Self-Service Features.
  - Under Set Display Options for Self-Service Console - Home Page, the Forgot Your Password link is checked.