on 01-03-2006 7:48 AM
Hello,
I configured an ADS (flat) as userstore. The ADS is connected via LDAP over SSL (port 636).
The users in the ADS are visible in the portal user administration.
The administrator can create, delete and change the users. The administrator is also able to change the passwords.
But if a user tries to log on, he's prompted to change his own password.
When the user tries to change the password he gets an "authentication failed".
In the default trace the following error appears:
#1.5#00145E1B20DE004A0000001D0000174C0004096F7BFB4C53#1136274333010#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence#Guest#116####ea8598407c2c11dab89a00145e1b20de#SAPEngine_Application_Thread[impl:3]_28##0#0#Error#1#/System/Security/Usermanagement#Java###DataSource : Can not change password#1#CORP_LDAP# #1.5#00145E1B20DE004A0000001E0000174C0004096F7BFB80BE#1136274333026#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.sapmimp.logon.SAPMLogonLogic][md=doLogon][cl=19621]#Guest#116####ea8598407c2c11dab89a00145e1b20de#SAPEngine_Application_Thread[impl:3]_28##0#0#Error##Java###doLogon failed [EXCEPTION] #1#javax.security.auth.login.LoginException: PASSWORD_EXPIRED
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoginException(SAPJ2EEAuthenticator.java:344)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:108)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:160)
Any suggestions?
Thanks and best regards,
Jens Wannenmacher
Hi,
Please check whether the following property in the UME properties is set to TRUE (I have shown the way the UME property is set).
This property allows all users to change their own password.
ume.logon.security_policy.password_change_allowed=TRUE
If it is so, then can you also confirm whether only LDAP users have this problem.
If that is not so, then change the value to TRUE and restart the Portal.
Do let us know more details about the configuration.
Regards,
Harish
(Award points for helpful answers)
Hi Jens,
Please see SAP Note 673824.
"Due to security reasons it is only possible to create user or user accounts or change a password on Microsoft Active Directory server if you are using a SSL connection between the Enterprise Portal or SAP J2EE Engine and the directory server.
Additionally the "High Encryption Pack" for Windows 2000 to enable a 128 bit SSL encryption must be installed on the Microsoft Active Directory Server."
Regards,
Siva
P.S: Award points if you find this useful.
Hi Siva,
I applied the patch; now it says "password expired" when trying to change the password. Logon is still not possible.
But on the ADS side there are no rules for password expiration.
The default trace shows the following:
#1.5#00145E1B20DE005E0000001100000DF8000409867C34A4C2#1136373120952#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence#Guest#116####ed4d24307d1211dac68900145e1b20de#SAPEngine_Application_Thread[impl:3]_3##0#0#Error#1#/System/Security/Usermanagement#Java###DataSource : Can not change password#1#CORP_LDAP# #1.5#00145E1B20DE004B0000000800000DF8000409867CF94983#1136373133842#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=changePassword][cl=20149]#Guest#116####f4f4d3e07d1211da860400145e1b20de#SAPEngine_Application_Thread[impl:3]_22##0#0#Error##Java###Can not change password [EXCEPTION] #1#javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, \#1:
0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
]; remaining name 'cn=test3'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3001)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1440)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)
at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.changePassword(LDAPPersistence.java:2708)
at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.updatePrincipalDatabag(LDAPPersistence.java:2957)
at com.sap.security.core.persistence.datasource.imp.LDAPDataSourceTransaction.commit(LDAPDataSourceTransaction.java:109)
at com.sap.security.core.persistence.imp.DistributedTransaction.commit(DistributedTransaction.java:1154)
at com.sap.security.core.imp.AbstractUserAccount.commit(AbstractUserAccount.java:1715)
at com.sap.security.core.server.userstore.UserInfoUME.engineSetPassword(UserInfoUME.java:428)
at com.sap.engine.services.security.userstore.context.UserInfo.setPassword(UserInfo.java:101)
at com.sap.engine.services.security.server.jaas.CheckAction.changePasswordIfNeeded(CheckAction.java:237)
at com.sap.engine.services.security.server.jaas.CheckAction.run(CheckAction.java:63)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.changePasswordIfNeeded(LoginModuleHelperImpl.java:171)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:179)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:234)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:344)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:160)
Thanks and best regards,
Jens
I also found this one in the logs above the one I posted before:
#1.5#00145E1B20DE00430000024000000DF8000409867BE29703#1136373115577#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence#Guest#116####ea333a007d1211dab7bd00145e1b20de#SAPEngine_Application_Thread[impl:3]_4##0#0#Error#1#/System/Security/Usermanagement#Java###DataSource : Can not change password#1#CORP_LDAP# #1.5#00145E1B20DE005E0000000F00000DF8000409867C34A10E#1136373120952#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=changePassword][cl=20149]#Guest#116####ed4d24307d1211dac68900145e1b20de#SAPEngine_Application_Thread[impl:3]_3##0#0#Error##Java###Can not change password [EXCEPTION] #1#javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, \#1:
0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
]; remaining name 'cn=test3'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3001)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1440)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)
at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.changePassword(LDAPPersistence.java:2708)
at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.updatePrincipalDatabag(LDAPPersistence.java:2957)
at com.sap.security.core.persistence.datasource.imp.LDAPDataSourceTransaction.commit(LDAPDataSourceTransaction.java:109)
at com.sap.security.core.persistence.imp.DistributedTransaction.commit(DistributedTransaction.java:1154)
at com.sap.security.core.imp.AbstractUserAccount.commit(AbstractUserAccount.java:1715)
at com.sap.security.core.server.userstore.UserInfoUME.engineSetPassword(UserInfoUME.java:428)
at com.sap.engine.services.security.userstore.context.UserInfo.setPassword(UserInfo.java:101)
at com.sap.engine.services.security.server.jaas.CheckAction.changePasswordIfNeeded(CheckAction.java:237)
at com.sap.engine.services.security.server.jaas.CheckAction.run(CheckAction.java:63)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.changePasswordIfNeeded(LoginModuleHelperImpl.java:171)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:179)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:234)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:344)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:160)
Thanks and best regards,
Jens
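Added example (not code from any poster in this thread): a small Python helper that decodes the AD data code carried in the JNDI exception quoted above and contrasts the LDAP modify a user's own password change must send with the one an administrator reset sends. The data-code table and the delete/add versus replace rule come from Microsoft's public AD documentation; the sample text is constructed from the trace in this thread.

```python
import re

# AD "data" codes (hex) that appear in LDAP error strings, mapped to the
# Win32 error they stand for. Only the password-related codes are listed.
AD_DATA_CODES = {
    0x52D: ("ERROR_PASSWORD_RESTRICTION",
            "new password rejected by domain policy (length, complexity, "
            "history or minimum password age)"),
    0x52E: ("ERROR_LOGON_FAILURE", "wrong user name or password"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "logon outside permitted hours"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must change password at next logon"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

_LDAP_ERR = re.compile(r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8})")
_PROBLEM = re.compile(r"problem (\d+) \((\w+)\).*?Att \w+ \((\w+)\)", re.S)

def diagnose_ad_error(trace_text):
    """Extract LDAP result code, AD data code, constraint name and attribute
    from a JNDI exception text as it appears in the default trace."""
    m = _LDAP_ERR.search(trace_text)
    if not m:
        return None
    ldap_code, data_hex = int(m.group(1)), int(m.group(2), 16)
    name, meaning = AD_DATA_CODES.get(data_hex, ("UNKNOWN", "not in table"))
    result = {"ldap_result": ldap_code, "ad_data": data_hex,
              "win32_error": name, "meaning": meaning}
    p = _PROBLEM.search(trace_text)
    if p:
        result["problem"] = p.group(2)
        result["attribute"] = p.group(3)
    return result

def encode_unicode_pwd(password):
    """AD accepts unicodePwd only as the password in double quotes, encoded
    UTF-16LE, and only over an encrypted (SSL/TLS) connection."""
    return ('"%s"' % password).encode("utf-16-le")

def self_service_change_mods(old_password, new_password):
    """A user changing their own password sends delete(old) + add(new) in one
    modify; AD checks the old value and enforces history and minimum age.
    Tuples are (operation, attribute, values), not tied to a specific client."""
    return [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)])]

def admin_reset_mods(new_password):
    """An administrator with reset rights replaces the value outright; the old
    value and the minimum password age are not checked."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]

# Constructed sample, taken from the exception text quoted in this thread.
SAMPLE_TRACE = (
    "javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - "
    "0000052D: AtrErr: DSID-03190F00, #1:\n"
    "\t0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, "
    "Att 9005a (unicodePwd)\n]; remaining name 'cn=test3'"
)
```

For the trace in this thread the helper reports data code 0x52D, ERROR_PASSWORD_RESTRICTION, which is the domain rejecting the new value rather than a transport problem; a self-service change is subject to history and minimum password age while an administrator reset is not, which matches the symptom that the administrator can change the password but the user cannot.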
Hello Jens and Siva,
I have exactly the same problem on SP15:
AD on Win2003 SP1
UME link using SSL on EP6 2004 SP15
Accounts are created in AD with "change password required" enabled, and the "change password" form doesn't appear during portal login (login failed).
I followed most of your advice, but it seems I still have a problem.
If, inside the portal, the admin resets the user's password, the user can see the "change password" form: it works, and the password is also changed in Active Directory.
In my view, the portal is not able to get the status "change password required" from Active Directory.
Have you got an idea?
Thanks a lot for your advice.
Best regards,
Laurent
Hi,
I have nearly the same problem... I want to remove the function that forces new users to change their initial password.
Even if I change ume.logon.security_policy.password_change_required to FALSE and reboot the J2EE engine, it still prompts my newly created users to change the initial password at first logon.
Information at help.sap.com: http://help.sap.com/saphelp_nw2004s/helpdata/en/b5/16c43bdd3da244a1d3372a77b5f83f/frameset.htm
Can someone please help me?
Best regards
Mikael
Hi,
And you may also need to restart the Portal after the change.
Regards,
Harish
(Please award points for helpful answers)
Hi,
I restarted the portal. As we need to change the password, I didn't apply the parameter you mentioned, as I already have LDAP over SSL set, which should allow the portal to change passwords.
Are there any settings I forgot to enable password changes in the ADS?
Thanks and best regards,
Jens
Hi,
It is fairly clear from the log file that on the one hand LDAP does not allow you to change the password, and on the other hand whenever a new user is created, the Portal requires the password to be changed.
So either you enable password change on the LDAP end, or
the other thing that can be done is to disable the change password functionality in the Portal.
In order to do that, please go to the following location in the Portal: System administration -> System Configuration -> User Management Configuration -> Direct Editing
Here in the file you will see the property
ume.logon.security_policy.password_change_required=TRUE
You can change it to FALSE
This should solve your problem
Regards,
Harish
(Please award points for helpful answers)
Hi,
we need to change the passwords of the ADS users via the portal.
I don't know why the password is changeable for the administrator but not for the user himself.
If within the user management tools the portal administrator changes the password, everything works fine.
Only if the user tries that on the logon page does the above-mentioned exception occur.
Are there any things I have to change in the AD to solve this problem?
Best regards,
Jens