Article Number
000035186
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition:
Platform (Other): CyberArk Vault, CyberArk Privileged Account Security
Issue
The CyberArk Central Policy Manager (CPM) plugin for RSA Authentication Manager supports remote password management for the following types of RSA
privileged users:
- RSA Security Console Administrators.
When attempting to perform a password update, the following error is seen in CyberArk logs*.
PluginWrapper :: printResultsToLog() --> Message = Verify process failed - Targe account - invalid username or bad password.
No entries are seen in the Authentication Manager Real-Time Authentication log
* It's important to note that CyberArk uses the RSA Administration API to perform password updates.
Cause
The cause of this issue was that the user in question was in Password Change Mode. It appears that CyberArk can update a password, but is not capable of responding to the password change prompts.
The RSA Security Console Administrator UserID had set the policy to Require user to change password at next logon.
Resolution
- Login to the RSA Security Console.
- Lookup the user (Identity > User > Manage Existing).
- When the user is resturned, click on the arrow next to the user mane and select Edit.
- Remove the check box next to the option to Require user to change password at next logon.
- Click Save.
