This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Announcements
SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
- RSA Community
- :
- Products
- :
- SecurID
- :
- Knowledge Base
- :
- Password change fails for users in an external identity source via Self-Service Console in RSA Authe...
-
Options
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Password change fails for users in an external identity source via Self-Service Console in RSA Authentication Manager 8.x
Article Number
000027895
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
3rd-party Product: Microsoft Active Directory
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
3rd-party Product: Microsoft Active Directory
Issue
Users from an external identity source encounter the following error when changing their password in the Self-Service Console via the Forgot Your Password link:
The /opt/rsa/am/server/logs/imsTrace.log shows the following error:
There was a problem processing your request.
The operations failed because an identity source is read-only. Please contact your System Administrator
The operations failed because an identity source is read-only. Please contact your System Administrator
The /opt/rsa/am/server/logs/imsTrace.log shows the following error:
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy174.validateRequest(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy175.validateRequest(Unknown Source)
at com.rsa.ucm.internal.ssointegration.DefaultSelfServiceOperationManagerImpl.validateRequest(DefaultSelfServiceOperationManagerImpl.java:155)
at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.processNonWorkflowRequest(AddRequestHandlerImpl.java:395)
at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.addUCMRequest(AddRequestHandlerImpl.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy174.validateRequest(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy175.validateRequest(Unknown Source)
at com.rsa.ucm.internal.ssointegration.DefaultSelfServiceOperationManagerImpl.validateRequest(DefaultSelfServiceOperationManagerImpl.java:155)
at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.processNonWorkflowRequest(AddRequestHandlerImpl.java:395)
at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.addUCMRequest(AddRequestHandlerImpl.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Cause
The configured LDAP has read-only access.
Resolution
This is functioning as designed as documented on page 115 of the RSA Authentication Manager 8.1 Administrator·s Guide, where it states that
LDAP users are not able to change their password via the Forgot Your Password link in the Self-Service Console.
Users can change their passwords when prompted during authentication, not when requested with the Forgot Your Password link.
It will prompt to change password when one of the following conditions applies in LDAPS configuration:
- The user's password has expired.
- An Authentication Manager administrator has edited the user's user record to force a password change by checking the Require the user to change password at next logon box (Identity > Users > Manage Existing > Select a user > Click Edit in the context menu).
- The LDAP directory is configured to require the user to reset the password the next time the user authenticates.
Workaround
- Administrators can manually change an LDAP user's password in the Security Console.
- Users in the internal database can change their password via the Self-Service Console.
- Configure LDAP with a secure connection.
- The LDAPS Connection test is successful in the Operations Console.
- The Forgot Your Password link is checked.
- In the Security Console,
- Click Setup > Self-Service Settings.
- On the Settings page, under Customization, click Enable or Disable Self-Service Features.
- Under Set Display Options for Self-Service Console - Home Page, the Forgot Your Password link is checked.
Tags (41)
- 8.x
- AM
- Appliance
- Auth Manager
- Authentication Manager
- Break Fix
- Break Fix Issue
- Broken
- CLI
- CLI Error
- CLI Issue
- CLI Problem
- Command Line
- Command Line Error
- Command-Line
- Command-Line Issue
- Console
- Console Error
- Console Issue
- Console Problem
- Customer Support Article
- Error
- Error Message
- Issue
- Issues
- KB Article
- Knowledge Article
- Knowledge Base
- Problem
- RSA AM
- RSA Auth Manager
- RSA Authentication Manager
- RSA SecurID
- RSA SecurID Access
- RSA SecurID Suite
- SecurID
- SecurID Access
- SecurID Appliance
- SecurID Suite
- Version 8
- Version 8.x
No ratings
