Identity Management LogonHelp / Could not reset password....

Jan 05 at 05:41 PM


avatar image


First, thanks for the help you can give me.

I have implemented IDM 8.0 and configured the integration with my Active Directory. I can read and create users in my Identity Store (which are automatically replicated to my AD and vice versa). Everything works correctly.

I have also configured all the requirements of Password Self-Service and it works perfectly. I can access it via "https://myhost:50001/idm", "https://myhost:50001/idm/pwdreset" and "https://myhost:50001/idm/admin". Through these URLs I can configure and update my 5 questions and answers normally. I can also access and reset my password or that of any of my users without problems. I was able to check later that I can access Windows or IDM services with the new password without problems.

So far, I followed the documentation of IDM and LogonHelp for implementation to the letter, and in theory, my scenario is ready for Logon Help to work as a password reset tool in Windows, in the login interface. The above means that I have also imported the LogonHelp ADM into my AD and have made the indicated configuration in my GPO. This is deployed correctly to the 3 Windows clients in which I have tested with Operating Systems "Windows 7", "Windows 8.1" and "Windows 10".

However, with all the configuration that I mentioned, and although it works through the URLs, in the LogonHelp client it does not work correctly: it asks for the ID, the answers to the security questions and a new password, and then generates the following error: "Could not reset password; check if security answers are correct and if password meets the security policy".

According to the error that is generated, I performed the test by setting exactly the same word as the answer to my 5 questions, and the error persists. Then, in the Security Policy of Identity Management, I removed all password complexity, accepting whatever the user wants to enter as the password, and I did the same in my AD, configuring the password policy at minimum complexity. The test in the IDM URLs, resetting the password with minimum complexity, works, but in LogonHelp, on the 3 machines, it keeps showing me the same error.

I understand that the LogonHelp client manages to connect to IDM because when I enter the ID of a user that does not exist in the UME or in the LDAP (AD), the error that is shown is: "Could not connect to IDM server", but if I enter a user that does exist, the error is: "Could not reset password; check if security answers are correct and if password meets the security policy".

Checking the LogonHelp log on my client PCs, I find the following error:

The retrieving of the sequrity questions for user 'america' returned empty response or the execution of one of the methods - CWinHttpHelper :: SendRequest or CLowCommon :: ConvertAsciiToUnicode returned error.

I have followed the recommendations indicated in the following URLs:

But the error persists.

I left in a Google Drive document, all the step by step described:

In the document you can also see the log of the LogonHelp client, a capture of the Dispatcher working correctly and the synchronization also running normally without errors.

Again, thank you very much for the help you can give me.


Paul Andres Pedroza Martinez


1 Answer

Edison Borrero Jan 05 at 11:02 PM

Temporarily disabling the new protection mechanism (until all REST clients have been updated)

If you cannot update all relevant REST clients immediately, temporarily disable the new protection mechanism and thus switch back to the previous mechanism. If you decide to do this, make sure that you apply all possible measures to protect the REST interface against this kind of attack. Especially refer to "Limiting access to the REST interface to certain hosts" below.
To switch back from the new to the previous protection mechanism, do the following:

    1. In SAP NetWeaver Administrator, choose Configuration > Infrastructure > Java System Properties.
    2. On the Applications tab, filter for the tc~idm~jmx~rest~app web application.
    3. On the Properties tab, filter for the property.
    4. Select the property, and choose Modify.
    5. In the Modify Property Value dialog, set the value to true.
    6. Restart the AS Java.
