
Active Directory as userstore (writeable)

former_member292569
Participant

Hello,

I configured an ADS (flat) as userstore. The ADS is connected via LDAP over SSL (Port 636).

The users in the ADS are visible in the portal useradministration.

The administrator can create, delete and change the users. Also the administrator is able to change the passwords.

But if a user tries to logon, he's prompted to change his own password.

When the user tries to change the password he gets an "authentication failed".

In the default trace the following error appears:

#1.5#00145E1B20DE004A0000001D0000174C0004096F7BFB4C53#1136274333010#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence#Guest#116####ea8598407c2c11dab89a00145e1b20de#SAPEngine_Application_Thread[impl:3]_28##0#0#Error#1#/System/Security/Usermanagement#Java###DataSource : Can not change password#1#CORP_LDAP#

#1.5#00145E1B20DE004A0000001E0000174C0004096F7BFB80BE#1136274333026#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.sapmimp.logon.SAPMLogonLogic][md=doLogon][cl=19621]#Guest#116####ea8598407c2c11dab89a00145e1b20de#SAPEngine_Application_Thread[impl:3]_28##0#0#Error##Java###doLogon failed [EXCEPTION] #1#javax.security.auth.login.LoginException: PASSWORD_EXPIRED

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoginException(SAPJ2EEAuthenticator.java:344)

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:108)

at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:305)

at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)

at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)

at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)

at java.security.AccessController.doPrivileged(Native Method)

at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:160)

Any suggestions?

Thanks and best regards,

Jens Wannenmacher

Accepted Solutions (1)


Former Member

Hi,

Please check whether the following property in the UME properties is set to TRUE (I have shown the way the UME property is set).

This property allows all users to change their own password.

ume.logon.security_policy.password_change_allowed=TRUE

If so, can you also confirm whether only LDAP users have this problem?

If that is not so, then change the value to TRUE and restart the Portal.

Do let us know more details about the configuration.

Regards,

Harish

(Award points for helpful answers)

former_member292569
Participant

Hi,

the property is set correctly. Users in the database can change their password without any problem.

So only ADS users can't change it.

Best regards,

Jens

Former Member

Hi Jens,

Which Portal patch level are you on? Please check SAP Note 613577.

Regards,

Siva

P.S: Award points if you find this useful.

former_member292569
Participant

Hi Siva,

the patch level is Netweaver 04 / SPS14 (J2EE, EP, CM).

Thanks and regards,

Jens

Former Member

Hi Jens,

Please see SAP Note 673824:

"Due to security reasons it is only possible to create user or user accounts or change a password on Microsoft Active Directory server if you are using a SSL connection between the Enterprise Portal or SAP J2EE Engine and the directory server.

Additionally the "High Encryption Pack" for Windows 2000 to enable a 128 bit SSL encryption must be installed on the Microsoft Active Directory Server."

Regards,

Siva

P.S: Award points if you find this useful.

former_member292569
Participant

Hi Siva,

we are using LDAP over SSL with Windows 2003.

The portal admin can change passwords, but at the logon page the LDAP users can't.

Thanks and best regards,

Jens

Former Member

Hi Jens,

Please check whether the value of ume.ldap.access.msads.control_attribute is set to userAccountControl. Also check whether ADS_UF_PASSWD_CANT_CHANGE is set on your ADS side.

Regards,

Siva

P.S: Award points if you find this useful.

Former Member

Oops,

I forgot to ask you one more thing. Does the newly changed password conform to the Password Policy in ADS? Please check SAP Note 895720.

Regards,

Siva

P.S: Award points if you find this useful.

former_member292569
Participant

Hi Siva,

ume.ldap.access.msads.control_attribute=userAccountControl is set in the UME. How can I check/set ADS_UF_PASSWD_CANT_CHANGE?

Passwords on the ADS are not restricted at the moment.

Thanks and best regards,

Jens

Former Member

Hi Jens,

Did you check SAP Note 895720? Some files are attached to it. It's specifically for SP 14. Did you try deploying them? Did you check whether you are giving the new password as per the Password Policy (length and complexity)?

Regards,

Siva

P.S: Award points if you find this useful.

former_member292569
Participant

Hi Siva,

I applied the patch; now it says "password expired" when trying to change. Logon is still not possible.

But on the ADS side there are no rules for password expiration.

The default trace shows the following:

#1.5#00145E1B20DE005E0000001100000DF8000409867C34A4C2#1136373120952#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence#Guest#116####ed4d24307d1211dac68900145e1b20de#SAPEngine_Application_Thread[impl:3]_3##0#0#Error#1#/System/Security/Usermanagement#Java###DataSource : Can not change password#1#CORP_LDAP#

#1.5#00145E1B20DE004B0000000800000DF8000409867CF94983#1136373133842#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=changePassword][cl=20149]#Guest#116####f4f4d3e07d1211da860400145e1b20de#SAPEngine_Application_Thread[impl:3]_22##0#0#Error##Java###Can not change password [EXCEPTION] #1#javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, \#1:

0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

]; remaining name 'cn=test3'

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3001)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)

at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1440)

at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)

at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)

at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)

at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.changePassword(LDAPPersistence.java:2708)

at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.updatePrincipalDatabag(LDAPPersistence.java:2957)

at com.sap.security.core.persistence.datasource.imp.LDAPDataSourceTransaction.commit(LDAPDataSourceTransaction.java:109)

at com.sap.security.core.persistence.imp.DistributedTransaction.commit(DistributedTransaction.java:1154)

at com.sap.security.core.imp.AbstractUserAccount.commit(AbstractUserAccount.java:1715)

at com.sap.security.core.server.userstore.UserInfoUME.engineSetPassword(UserInfoUME.java:428)

at com.sap.engine.services.security.userstore.context.UserInfo.setPassword(UserInfo.java:101)

at com.sap.engine.services.security.server.jaas.CheckAction.changePasswordIfNeeded(CheckAction.java:237)

at com.sap.engine.services.security.server.jaas.CheckAction.run(CheckAction.java:63)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.changePasswordIfNeeded(LoginModuleHelperImpl.java:171)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:179)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:234)

at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:344)

at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)

at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)

at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)

at java.security.AccessController.doPrivileged(Native Method)

at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:160)

Thanks and best regards,

Jens

former_member292569
Participant

I also found this one in the logs above the one I posted before:

#1.5#00145E1B20DE00430000024000000DF8000409867BE29703#1136373115577#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence#Guest#116####ea333a007d1211dab7bd00145e1b20de#SAPEngine_Application_Thread[impl:3]_4##0#0#Error#1#/System/Security/Usermanagement#Java###DataSource : Can not change password#1#CORP_LDAP#

#1.5#00145E1B20DE005E0000000F00000DF8000409867C34A10E#1136373120952#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=changePassword][cl=20149]#Guest#116####ed4d24307d1211dac68900145e1b20de#SAPEngine_Application_Thread[impl:3]_3##0#0#Error##Java###Can not change password [EXCEPTION] #1#javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, \#1:

0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

]; remaining name 'cn=test3'

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3001)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)

at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1440)

at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)

at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)

at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:146)

at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.changePassword(LDAPPersistence.java:2708)

at com.sap.security.core.persistence.datasource.imp.LDAPPersistence.updatePrincipalDatabag(LDAPPersistence.java:2957)

at com.sap.security.core.persistence.datasource.imp.LDAPDataSourceTransaction.commit(LDAPDataSourceTransaction.java:109)

at com.sap.security.core.persistence.imp.DistributedTransaction.commit(DistributedTransaction.java:1154)

at com.sap.security.core.imp.AbstractUserAccount.commit(AbstractUserAccount.java:1715)

at com.sap.security.core.server.userstore.UserInfoUME.engineSetPassword(UserInfoUME.java:428)

at com.sap.engine.services.security.userstore.context.UserInfo.setPassword(UserInfo.java:101)

at com.sap.engine.services.security.server.jaas.CheckAction.changePasswordIfNeeded(CheckAction.java:237)

at com.sap.engine.services.security.server.jaas.CheckAction.run(CheckAction.java:63)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.services.security.server.jaas.LoginModuleHelperImpl.changePasswordIfNeeded(LoginModuleHelperImpl.java:171)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:179)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:234)

at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:344)

at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)

at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)

at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)

at java.security.AccessController.doPrivileged(Native Method)

at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(Native Method)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:95)

at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:160)

Thanks and best regards,

Jens

Former Member

Hi Jens,

Refer this.

Though this is not related to the Portal, the error is exactly the same. It clearly says you are not following the password complexity rules. Does your new password meet all criteria defined in ADS? Please check it once again.

Regards,

Siva

P.S: Award points if you find this useful.

former_member292569
Participant

Hi Siva,

I think that solved the problem...

"Password must meet complexity requirements" was set to the default (not enabled).

Thanks and best regards!

Jens

Former Member

Hello Jens and Siva,

I have exactly the same problem on SP15:

AD on win2003 SP1

UME link using SSL on EP6 2004 SP15

Accounts are created in AD with "change password required" enabled, and the "change password" form doesn't appear during portal login (login failed).

I followed most of your advice but it seems I still have a problem.

If, inside the portal, the admin resets the user's password, the user can see the "change password" form: it works and the password is also changed in Active Directory.

In my view, the portal is not able to get the status "change password required" from Active Directory.

Have you got an idea ?

Thanks a lot for your advice.

Best regards,

Laurent
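Siva's earlier question about ume.ldap.access.msads.control_attribute and ADS_UF_PASSWD_CANT_CHANGE, and Laurent's question just above about the portal not seeing "change password required", both come down to reading the right attributes on the AD user object. The Python example below is added here and is not from the thread or from SAP's UME; it decodes userAccountControl from the string values an LDAP search returns and derives the states a password-change path needs. Two facts a practitioner should keep in mind: "User must change password at next logon" is not a userAccountControl bit at all but pwdLastSet = 0, so a data source that only inspects the control attribute cannot see it; and Active Directory does not honour ADS_UF_PASSWD_CANT_CHANGE written into userAccountControl, because the "User cannot change password" option is implemented as deny ACEs for the Change Password right on the user object, so that state has to be read from the object's security descriptor rather than from the bit. The LOCKOUT and PASSWORD_EXPIRED bits are likewise never stored; Windows Server 2003 and later expose them through msDS-User-Account-Control-Computed. The sample entries are constructed.

```python
# Added example, not from the original thread or from SAP's UME code.

# Bit values from Microsoft's ADS_USER_FLAG_ENUM; only the subset relevant to
# authentication and password changes is listed.
UAC_FLAGS = {
    0x000002: "ADS_UF_ACCOUNTDISABLE",
    0x000010: "ADS_UF_LOCKOUT",              # computed, never in the stored attribute
    0x000020: "ADS_UF_PASSWD_NOTREQD",
    0x000040: "ADS_UF_PASSWD_CANT_CHANGE",   # AD enforces this via ACL, not this bit
    0x000200: "ADS_UF_NORMAL_ACCOUNT",
    0x010000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x800000: "ADS_UF_PASSWORD_EXPIRED",     # computed, never in the stored attribute
}


def decode_uac(value):
    """Symbolic names of the bits set in a userAccountControl integer, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def summarize_account(attrs):
    """attrs: attribute name -> string value, as an LDAP client returns them.
    Returns the account states a self-service password change depends on."""
    uac = int(attrs.get("userAccountControl", "0"))
    # msDS-User-Account-Control-Computed carries LOCKOUT and PASSWORD_EXPIRED.
    computed = int(attrs.get("msDS-User-Account-Control-Computed", "0"))
    flags = decode_uac(uac | computed)
    # pwdLastSet is a FILETIME; 0 means "user must change password at next logon".
    pwd_last_set = int(attrs.get("pwdLastSet", "0"))
    return {
        "flags": flags,
        "disabled": "ADS_UF_ACCOUNTDISABLE" in flags,
        "locked_out": "ADS_UF_LOCKOUT" in flags,
        "password_never_expires": "ADS_UF_DONT_EXPIRE_PASSWD" in flags,
        "password_expired": "ADS_UF_PASSWORD_EXPIRED" in flags,
        "must_change_at_next_logon": pwd_last_set == 0,
    }


# Constructed sample entries; no real directory data. FILETIME values are
# arbitrary non-zero timestamps.
SAMPLES = {
    "test3": {"userAccountControl": "512", "pwdLastSet": "0"},
    "svc_portal": {"userAccountControl": "66048", "pwdLastSet": "128000000000000000"},
    "old_user": {"userAccountControl": "514", "pwdLastSet": "127000000000000000",
                 "msDS-User-Account-Control-Computed": "8388608"},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(name, summarize_account(attrs))
```

When the UME data source reads only userAccountControl, an account such as "test3" above looks like a plain enabled account even though the directory will refuse its logon until the password is changed; requesting pwdLastSet alongside the control attribute is what makes that state visible.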

Former Member

Hi,

I have nearly the same problem... I want to remove the function that forces new users to change their initial password.

Even if I change ume.logon.security_policy.password_change_required to FALSE and reboot the J2EE, it still prompts my newly created users to change the initial password at first logon.

Information at help.sap.com: http://help.sap.com/saphelp_nw2004s/helpdata/en/b5/16c43bdd3da244a1d3372a77b5f83f/frameset.htm

Can someone please help me??

Best regards

Mikael

Answers (2)


Former Member

Hi,

And you may also need to restart the Portal after the change.

Regards,

Harish

(Please award points for helpful answers)

former_member292569
Participant

Hi,

I restarted the portal. As we need to change the password I didn't apply the parameter you mentioned, as I already have LDAP over SSL set, which should allow the portal to change passwords.

Are there any settings I forgot that enable password changes in the ADS?

Thanks and best regards,

Jens

Former Member

Hi,

It is fairly clear from the log file that on the one hand LDAP does not allow you to change the password, and on the other hand whenever a new user is created the Portal requires the password to be changed.

So either you enable password changes on the LDAP end or,

the other thing that can be done is to disable the change-password functionality in the Portal.

In order to do that, please go to the following location in the Portal: System administration -> System Configuration -> User Management Configuration -> Direct Editing

Here in the file you will see the property

ume.logon.security_policy.password_change_required=TRUE

You can change it to FALSE.

This should solve your problem.

Regards,

Harish

(Please award points for helpful answers)

former_member292569
Participant

Hi,

we need to change the passwords of the ADS users via the portal.

I don't know why the password is changeable for the administrator but not for the user himself.

If the portal administrator changes the password within the user management tools, everything works fine.

Only if the user tries that on the logon page does the above-mentioned exception occur.

Are there any things I have to change on the AD to solve this problem?

Best regards,

Jens