Change Password Provisioning to AD fails

OIM 9.0.3 is used for provisioning user data to AD. The OIM Administrative and User Console is customized to be a helpdesk UI for administrators and a self-service UI for normal users. When a user ID that is in a System Administrator User Group logs into the OIM Administrative and User Console, it is able to see all administrative tasks, e.g. user management, whereas when a user ID that is in an All User Group logs into the same console, it can only see My Account->Change Password.
Here are two Change Password processes that we want to have in our system.
1. Administrator changes the password by clicking the 'Change Password' button on the User Details page. The password can be changed in the OIM database and the new password will be provisioned to AD, i.e. to the AD attribute 'unicodepwd'. It works fine in this process.
2. Normal user changes the password by clicking 'Change Password' in 'My Account'. The new password cannot be provisioned to AD successfully. Actually, there is not even a write operation in AD, as the value of the 'whenChanged' attribute never changes if we try to change a user password in the self-service UI.
This is quite strange, as we configured two special tasks in the Process Definition in Design Console, i.e. 'Change User Password' and 'User Password Updated', and we also added an entry in Lookup.USR_PROCESS_TRIGGERS as: Code Key=USR_PASSWORD, Decode: Change User Password. Process 1 works, whereas process 2 does not.
I found some other similar posts in the forum, but none of them had such a problem. Whenever there is an update in OIM, the change should be provisioned to AD. I don't think it matters where the user's password is changed, correct? But it doesn't work! Has anyone ever met this issue before? Thanks!

The transport of a changed password from the USR form to AD is a two-step process.
First you trigger a task that moves the new password from the USR form to the AD process form. This is done by Lookup.USR_PROCESS_TRIGGERS.
In step two you move the password from the AD process form to AD. This process is triggered by a naming convention. Any task called "<LABEL> updated" will be triggered if the <LABEL> field on the process form is updated.
If you change the name of your AD process form -> AD task to "Password Updated" it will trigger.
The "cascading" part of the password change process is the same no matter how the password change was initiated.
Best regards
/M
Message was edited by:
Martin_Sandren
The "X Updated" taskname should be written with a capital U.
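The two-stage chain described in this answer, modelled as an added example (not OIM code and not from anyone in the thread): a small Python simulation of the Lookup.USR_PROCESS_TRIGGERS dispatch and the "<Label> Updated" naming rule. The lookup entry, the 'Change User Password' task, the 'Password' form label and the unicodePwd target attribute follow the thread; the initiator names, the sample password and all class and function names are constructed for the illustration.

```python
"""Toy model of how OIM 9.x cascades a password change from the USR form to AD.

Added illustration, not OIM code: the real engine, adapters and forms are
replaced by small Python objects. Only the two mechanisms named in the answer
are modelled:
  1. Lookup.USR_PROCESS_TRIGGERS maps a USR column to a process task name;
     that task copies the value onto the resource's process form.
  2. A process task named "<Label> Updated" fires when the process-form field
     with that label changes. The match is on the exact task name.
"""

# Lookup.USR_PROCESS_TRIGGERS as configured in the question: Code Key -> Decode
USR_PROCESS_TRIGGERS = {"USR_PASSWORD": "Change User Password"}


class ProcessInstance:
    """One provisioned AD resource: its process form, its tasks and a simulated target."""

    def __init__(self, tasks, form_labels):
        self.tasks = dict(tasks)                  # task name -> callable(instance, value)
        self.form = dict.fromkeys(form_labels)    # process form: label -> value
        self.target = {}                          # attributes written to the simulated AD
        self.fired = []                           # audit trail of what ran

    def run_task(self, name, value):
        self.fired.append(name)
        self.tasks[name](self, value)

    def set_form_field(self, label, value):
        """Update a process-form field and apply the '<Label> Updated' convention."""
        self.form[label] = value
        trigger = label + " Updated"              # exact, case-sensitive task name
        if trigger in self.tasks:
            self.run_task(trigger, value)


def on_usr_update(instance, column, value, initiated_by):
    """Step 1: a USR column changed (admin UI or self-service); consult the lookup."""
    task = USR_PROCESS_TRIGGERS.get(column)
    # initiated_by is recorded for the audit trail only; it does not affect dispatch
    instance.fired.append("USR change by " + initiated_by)
    if task in instance.tasks:
        instance.run_task(task, value)


def change_user_password_task(instance, value):
    """'Change User Password': USR_PASSWORD -> process form field 'Password'."""
    instance.set_form_field("Password", value)


def push_password_to_ad_task(instance, value):
    """Process form -> AD: writes the simulated unicodePwd attribute."""
    instance.target["unicodePwd"] = value


def simulate(ad_task_name, initiated_by="self-service"):
    """Run one password change with the AD push task registered under ad_task_name."""
    inst = ProcessInstance(
        tasks={
            "Change User Password": change_user_password_task,
            ad_task_name: push_password_to_ad_task,
        },
        form_labels=["Password"],
    )
    on_usr_update(inst, "USR_PASSWORD", "N3w-Passw0rd!", initiated_by)  # constructed value
    return inst.fired, inst.target


if __name__ == "__main__":
    for name in ("User Password Updated", "Password updated", "Password Updated"):
        fired, target = simulate(name)
        print("%-24s fired=%s target=%s" % (name, fired, target))
```

Running it shows that a push task named 'User Password Updated' or 'Password updated' never reaches the target, because no task name equals 'Password Updated' exactly, while the administrator-initiated and self-service runs end in the same target state, which is the "cascading part is the same" point above. On a real 9.x installation the equivalent check is to compare the task name in the Process Definition with the field label on the AD process form character for character.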

Similar Messages

  • ISE 1.1 'Change password on next logon' fails on iPhone / iPad

    Hello -
    We're in the process of implementing an ISE 1.1 server for Guest Wireless Access / BYOD at our company and ran into an issue with authenticating from iPhones / iPads when the account is set with 'change password on next logon' (it's a local account created on the ISE server - not AD). It fails and displays 'unable to join network' on the iPhone. The ISE log shows a '5411: No response received in 120 seconds'. We're able to authenticate from Windows devices and are prompted to change the password during the authentication process. Has anyone else encountered this? If we uncheck the 'change password' box we can authenticate from iPhones & iPads without any issue but we need to have a way for users to set their own password.
    Thanks!
    Bill

    Hi,
    I am encountering the exact same issue in our lab environment, but with AD accounts (we would like customers to be able to connect to the dot1x network with their AD credentials, and based on machine authentication they will or will not get restricted access).
    Just to be clear: the change password functionality works perfectly on laptops, but on iPad/Android we just cannot connect to the dot1x (PEAP) network when the "change password on next login" checkbox is on.
    Anyone else who can shed some light on this?
    Thanks
    Tom

  • In Portal Anonymous mode - Change password option not coming- login fails

    Hi Experts,
         We have an application which requires login in anonymous mode. When we click the application and enter the user ID and password, it logs in properly; there is no problem with that.
        But if the password is reset by the administrator, then when entering the reset password given by the admin it should ask to change the password. This happens in the normal scenario (/irj/portal), but when we try the same in anonymous mode (irj/portal/anonymous), where the prompt comes from the login-required application, it says login failed instead of showing the change password and confirm password screen.
    Appreciate your help in solving this issue. I hope many would have faced a similar situation.
    Thanks
    Yusuf

    Hi Yusuf.
    Do you use a standard or custom login module for your application?
    More likely the login module used does not have logic that handles a scenario such as a change of the user's password.
    In this case you need to implement a custom module with the required functionality.
    Best regards,
    Aliaksandr Zhukau

  • I am getting a Changing Password Failed error when I try to join an active directory

    I had a working AD configuration under Snow Leopard. When I upgraded to Mountain Lion, my account was no longer in sync with the domain. I got the red dot on the login screen and my domain password was out of sync. I unhooked from the domain at that point. This was several months ago.
    However, over the last few weeks, I keep finding myself locked out of the domain. I suspect it's something on my Mac that is trying to use my old credentials. I was hoping to rejoin the domain and see if I could get my account back in sync. When I get a domain admin to enter his password on the Directory Utility join screen, it first notes that the computer account already exists in the domain. I tell it to continue, but I can't get past this point:
    2013-06-24 14:21:20.729935 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
    2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINE,OU=Default,OU=Workstations,OU=MyCity,OU=North America,DC=GLOBAL,DC=OURCORP,DC=NET'
    2013-06-24 14:21:20.732822 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x7faef36ed770'
    2013-06-24 14:21:20.733141 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service kdc for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.734196 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.734221 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741380 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741416 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.741619 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password
    2013-06-24 14:21:20.741637 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password using: MS set password in realm GLOBAL.OURCORP.NET
    2013-06-24 14:21:20.741648 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - using TCP since the ticket is large: 1560
    2013-06-24 14:21:20.741665 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service change_password for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.742867 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.742908 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745231 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745250 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
    2013-06-24 14:21:20.745417 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for '[email protected]' with error '' (3)
    2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
    2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

    Reggierror,
    Had the same issue and discovered that I made my AD object name too long (16 instead of 15 characters, which is the limit). You might want to try making the computer object name shorter if you can.

  • Server fail to start aft changing password of SID ADM and SAPSERVICE SID

    Please help, I changed the password of the above 2 users on Windows, then the server failed to start.
    Even after I changed back to the original password, the system still didn't start.
    Please help as this is urgent.

    Hi,
    The SAP service does not start in Windows due to the password change.
    Click on Start -> Run -> services.msc
    Navigate to the service SAPSID_<instance_nr>
    Right click on it -> Properties -> Log On
    Provide the correct user password here.
    Do the same for the SAPOsCol service.
    regards,
    kaushal

  • TS1398 can't check mail. Says connection to server failed. Need to change password on phone to the yahoo.account.

    Can't check my mail on the phone. Connection to server failed. Need to make sure the correct password is there. I've changed passwords??????

    Hello catrongeorgia13,
    Thank you for the details of the issue you are experiencing with your email account on your iPhone. I recommend the following article to troubleshoot this issue:
    iOS: Unable to send or receive email
    http://support.apple.com/kb/ts3899
    Thank you for using Apple Support Communities.
    Best,
    Sheila M.

  • Reconciliation of "change password on next logon" from AD fails in OIM 11g

    Hello,
    We have a use case on our OIM 11g project where we create a user in Active Directory and check *"User must change password at next logon"* box in AD.
    We have setup AD as Trusted and Target resource (using connector 9.1.1.7), where users coming from AD will be created in OIM and password changes in OIM will be sent to AD. Also we use the password synchronization module (9.1.1.5) to synchronize the passwords from AD to OIM when they are changed in AD.
    What we noticed is the "User must change password at next logon" is synchronized to the "AD Resource", but unlike the regular attributes it is not accessible normally because it's a system attribute.
    What we expect is the user logging in to OIM will be prompted to change the password, but nothing happens when the newly reconciled user logs in (i.e. normal self-service page is shown). Same thing applies when we set the flag on an existing user also.
    Did anyone get this working properly?
    P.S. In a previous version it used to be the opposite, where the user was constantly prompted for the password even though it was changed in AD already: after changing the password using Alt+Ctrl+Delete the user was still prompted to change it when logging in to OIM. Oracle suggested we upgrade to 11.1.1.5.1 (most recent patch set) but now the reverse happens - we never get the change password prompt now.
    Thanks,
    -JP
    Edited by: JacekP on Oct 17, 2011 8:10 AM

    Yeah, you're right; unfortunately we have a dual authoritative password model, where a user can change the password from OIM when he is accessing OIM through a web interface or from his Windows machine through the domain controller. We need the use case to work fully both ways, ideally.
    A plan-B solution is to use a directory synchronization mechanism outside of OIM that would connect OID and AD, but we would prefer not to.

  • OIM 11.1.1.5: Post Process Event Handler, change password notification

    Hi,
    Products
    OIM 11.1.1.5 BP02
    OAM 11.1.1.5
    OID 11.1.1.5
    Problem
    I have written a post-process event handler which fires when a role is assigned to a user. The event handler calls a plugin which uses the UserManager API to generate and change the user's password.
    I've tested this by assigning a role to the user via the OIM web console. I can see my log messages indicating that the event handler has fired and that the password has been changed.
    However, I expected that when UserManager.changePassword completed, a notification email would then be sent to the user informing them of the new password, but no notification email has been sent.
    The email notifications have been set up correctly, because I have changed the same user's password via the OIM web console and successfully received a Reset Password email.
    So, my questions are:
    1) Am I right in thinking that when you call UserManager.changePassword(), an out-of-the-box ResetPassword email notification should be sent to the user?
    2) Has anyone got this working in 11.1.1.5?
    Some more detailed info
    In my plugin class I'm calling the following from both execute methods (EventResult and BulkEventResult):
    char newpasswd[] = new RandomPasswordGeneratorImpl().generatePassword(user);
    getUserManager().changePassword(userKey, newpasswd, false, null, true);
    logger.info(("Successfully changed password"));
    plugin.xml
         <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
         <plugin
         pluginclass="oracle.iam.PostInsertPlugin"
         version="1.0"
         name="PostInsertPlugin">
         </plugin>
         </plugins>
         </oimplugins>
    $OIM_HOME/server/bin/weblogic.properties
              wls_servername = oim_server1
              app = OIMMetadata
              metadata_from_loc=/home/oracle/eventhandlers
              metadata_file=/metadata/roleuser/custom/EventHandlers.xml
    /home/oracle/eventhandlers/import/metadata/roleuser/custom/EventHandlers.xml
    <?xml version='1.0' encoding='utf-8'?>
    <eventhandlers
    xmlns="http://www.oracle.com/schema/oim/platform/kernel"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
    <action-handler
    class="oracle.iam.PostInsertPlugin"
    entity-type="RoleUser"
    operation="CREATE"
    name="PostInsertPlugin"
    stage="postprocess"
    order="1002"
    sync="TRUE"/>
    </eventhandlers>
    There are no errors in the OIM out and diagnostic logs apart from the following which occur at OIM startup:
    [2013-01-07T16:29:23.425+00:00] [oim_server1] [ERROR] [IAM-0080075] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 2e903d7ef060ab65:66b2de91:13c15d6d9ce:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] XML schema validation failed for XML /metadata/iam-features-OIMMigration/EventHandlers.xml and it will not be loaded by kernel.
    [2013-01-07T16:29:24.267+00:00] [oim_server1] [ERROR] [IAM-0080075] [oracle.iam.platform.kernel.impl] [tid: [ACTIVE].ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 2e903d7ef060ab65:66b2de91:13c15d6d9ce:-8000-0000000000000002,0] [APP: oim#11.1.1.3.0] XML schema validation failed for XML /metadata/iam-features-callbacks/event_configuration/EventHandlers.xml and it will not be loaded by kernel.
    Thanks
    dty
    Edited by: oim_user on Jan 7, 2013 5:37 PM

    No notification will be sent if you change the password using the changePassword method from the UserManager API.
    You have to trigger the reset password event manually in your code.
    Here is sample code to create an event for reset password. Once you create the event, invoke it from the notification service's notify method.
    // imports and the NotificationService call are added here to complete the fragment
    import java.util.HashMap;
    import oracle.iam.notification.api.NotificationService;
    import oracle.iam.notification.vo.NotificationEvent;
    import oracle.iam.platform.Platform;
    NotificationEvent event = new NotificationEvent();
    String[] receiverUserIds = {userLogin};              // OIM user login(s) that receive the mail
    event.setUserIds(receiverUserIds);
    event.setTemplateName("ResetPasswordNotification"); // out-of-the-box template name
    event.setSender(null);                               // sender left unset, as in the original
    HashMap<String, Object> resolvedData = new HashMap<String, Object>();
    resolvedData.put("userLoginId", userLogin);          // token the template's resolver expects
    event.setParams(resolvedData);
    // hand the event to the notification service (the "notify" step described above)
    NotificationService notificationService = Platform.getService(NotificationService.class);
    notificationService.notify(event);

  • OIM 11gR1: Disabled Resource changes to Provisioned on modification

    Version: OIM 11gR1 BP7
    Target System: Active Directory using AD Connector 11.1.1.5.0
    In my environment, I have a user with a disabled Active Directory resource. Whenever I make changes to the user's AD resource, the status of that resource is changed to "Provisioned" even though the resource is still disabled on the target system. I know that when a resource is disabled, you cannot edit the form. I have made the modifications through the APIs or password reset button on the OIM interface (I have setup "Change Password" process task so that password is pushed out to the user's AD resources).
    I have also setup a custom icf connector and it has the same behavior as above.
    I would like to know if anyone has run into this issue before or has any insights into debugging this issue.

    Check if the task that is being triggered after user resource is disabled has mapping "C -- Provisioned". That could possibly be the reason!

  • Problem about Changing Password?

    1. After logging in to the mobile server, I tried to change the password, but it sometimes failed.
    2. After changing the password in the webtogo client, I found the password in the mobile server had also been changed.
    What is the relationship between the online and offline passwords?
    Will you please give me some advice?
    Thanks a lot!

    No, we didn't change the network name or the SSID.
    I am trying to get my head around how the preference files work. I understand that changing the password would change the preference file, but after further changing, I noticed that if I changed the password back to the original password, it would no longer connect. Then, I changed it back to the password from which I had changed the original password, and it did not connect. Then, after changing it to a brand new password, it connected.

  • Jython having issue importing weblogic modules for changing passwords

    I am trying to import some WLST modules into a Jython script as outlined in the documentation at http://e-docs.bea.com/wls/docs92/config_scripting/config_WLS.html#wp1019971
    The strange thing is that it says it is a WLST script, but it appears to be a Jython script. I tried performing this import using WLST interactive mode, but this did not work.
    I am passing the passwords as encrypted strings while using the encrypt() function
    Here is the script:
    import sys
    from weblogic.management.security.authentication import UserPasswordEditorMBean
    #To be invoked by java -cp /usr/local/bea/wlserver_10.0/common/lib/jython.jar org.python.util.jython
    #usage: wlst.sh ResetWLPassword.py <current_pass> <user> <new_pass> <adminServerURL>
    #{3DES}/asdfadsf== -
    #{3DES}asdfafdsadsf== -
    myPass = sys.argv[1]
    myUser = sys.argv[2]
    newPass = sys.argv[3]
    adminServerURL = sys.argv[4]
    #Connect
    try:
        connect('weblogic',myPass,adminServerURL)
    except:
        print "Could not connect using supplied credentials"
        dumpStack()
    try:
        print "Changing password ..."
        atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
        # 'myuser' is undefined here (typo; the second argument is the current password) - corrected in the follow-up script below
        atnr.changeUserPassword(myUser,myuser,newPass)
        print "Changed password successfully"
    except:
        print "Password change failed"
        dumpStack()
    I am receiving the following error message:
    java -cp /usr/local/bea/wlserver_10.0/common/lib/jython.jar org.python.util.jython /tmp/ResetWLPassword.py "{3DES}/adsfadsfadsf==" weblogic "{3DES}asdfadsfasd== " t3://localhost:7003
    sys-package-mgr: can't create package cache dir, '/usr/local/bea/wlserver_10.0/common/lib/cachedir/packages'
    Traceback (innermost last):
    File "/tmp/ResetWLPassword.py", line 2, in ?
    ImportError: No module named management

    blumo wrote:
    You are calling org.python.util.jython again instead of weblogic.WLST like I advised in my first post. Invoke WLST (not jython) and pass your values in cleartext. Like I said in my previous post, I was able to execute your script without issue when calling WLST and passing cleartext values (I did have to modify one line due to a bug in your script -- see my prior posts).

    This seems to work in terms of getting the code to run, but there is still a problem with passing the arguments to the changeUserPassword() method.
    I entered the sequence of commands in the script manually into WLST and it works without issue. It even works without the import, which is strange that Oracle includes it in their documentation.
    I am going to post the code here, perhaps there is something wrong syntax-wise with the way I am authenticating, but I can't put my finger on it.
    import sys
    from weblogic.management.security.authentication import UserPasswordEditorMBean
    myPass = sys.argv[1]
    myUser = sys.argv[2]
    newPass = sys.argv[3]
    adminServerURL = sys.argv[4]
    #Connect
    try:
        connect(myUser,myPass,adminServerURL)
    except:
        print "Could not connect using supplied credentials"
        dumpStack()
    try:
        print "Changing password ..."
        atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
        #atnr.changeUserPassword('weblogic','weblogic','12345678')
        atnr.changeUserPassword(myUser,myPass,newPass)
        print "Changed password successfully"
    except:
        print "Password change failed"
        dumpStack()
    throws:
    Connecting to t3://localhost:7003 with userid weblogic ...
    This Exception occurred at Mon Feb 23 11:50:18 PST 2009.
    javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User: weblogic, failed to be authenticated.]
         at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:42)
         at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:773)
         at weblogic.jndi.WLInitialContextFactoryDelegate.pushSubject(WLInitialContextFactoryDelegate.java:670)
         at weblogic.jndi.WLInitialContextFactoryDelegate.newContext(WLInitialContextFactoryDelegate.java:466)
         at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:373)
         at weblogic.jndi.Environment.getContext(Environment.java:307)
         at weblogic.jndi.Environment.getContext(Environment.java:277)
         at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:117)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at weblogic.management.scripting.WLSTHelper.populateInitialContext(WLSTHelper.java:498)
         at weblogic.management.scripting.WLSTHelper.initDeprecatedConnection(WLSTHelper.java:551)
         at weblogic.management.scripting.WLSTHelper.initConnections(WLSTHelper.java:303)
         at weblogic.management.scripting.WLSTHelper.connect(WLSTHelper.java:201)
         at weblogic.management.scripting.WLScriptContext.connect(WLScriptContext.java:60)
         at weblogic.management.scripting.utils.WLSTUtil.initializeOnlineWLST(WLSTUtil.java:121)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:160)
         at org.python.core.PyMethod.__call__(PyMethod.java:96)
         at org.python.core.PyObject.__call__(PyObject.java:248)
         at org.python.core.PyObject.invoke(PyObject.java:2016)
         at org.python.pycode._pyx6.connect$1(<iostream>:16)
         at org.python.pycode._pyx6.call_function(<iostream>)
         at org.python.core.PyTableCode.call(PyTableCode.java:208)
         at org.python.core.PyTableCode.call(PyTableCode.java:404)
         at org.python.core.PyTableCode.call(PyTableCode.java:287)
         at org.python.core.PyFunction.__call__(PyFunction.java:179)
         at org.python.pycode._pyx18.f$0(/tmp/ResetWLPassword.py:20)
         at org.python.pycode._pyx18.call_function(/tmp/ResetWLPassword.py)
         at org.python.core.PyTableCode.call(PyTableCode.java:208)
         at org.python.core.PyCode.call(PyCode.java:14)
         at org.python.core.Py.runCode(Py.java:1135)
         at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:167)
         at weblogic.management.scripting.WLST.main(WLST.java:106)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at weblogic.WLST.main(WLST.java:29)
    Caused by: java.lang.SecurityException: User: weblogic, failed to be authenticated.
         at weblogic.common.internal.RMIBootServiceImpl.authenticate(RMIBootServiceImpl.java:116)
         at weblogic.common.internal.RMIBootServiceImpl_WLSkel.invoke(Unknown Source)
         at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
         at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:479)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:475)
         at weblogic.rmi.internal.BasicServerRef.access$300(BasicServerRef.java:59)
         at weblogic.rmi.internal.BasicServerRef$BasicExecuteRequest.run(BasicServerRef.java:1016)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
    Could not connect using supplied credentials
    Changing password ...
    Password change failed
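A hardened version of the pattern in this thread, as an added example (not the poster's script and not Oracle's code): the WebLogic-specific calls (connect, cmo, the DefaultAuthenticator MBean's changeUserPassword) are the ones named above, but the script reads its credentials from a key=value file instead of the command line, stops after a failed connect instead of falling through to the password change, and keeps the decision logic in plain functions that can be exercised with fakes outside WLST. The credential file format, its key names and the FakeAuthenticator test double are this example's own assumptions.

```python
# Added example, not the poster's script and not Oracle's: a WLST password-change
# script whose logic is separated from the WLST built-ins (connect, cmo, dumpStack)
# so it can be tested outside WLST. Assumed: a credential file of key=value lines;
# the file layout and key names are this example's choice. Syntax is kept
# compatible with both the Jython inside WLST and a current CPython.
import sys

REQUIRED_KEYS = ("admin_user", "admin_password", "target_user",
                 "old_password", "new_password")


def parse_credentials(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        creds[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError("credential file is missing: " + ", ".join(missing))
    return creds


def change_password(creds, admin_url, connect_fn, lookup_provider_fn):
    """Connect as the admin, then change target_user's password.

    Returns (ok, message). Unlike the scripts in the thread, a failed connect
    returns here instead of falling through to changeUserPassword.
    """
    try:
        connect_fn(creds["admin_user"], creds["admin_password"], admin_url)
    except:   # bare except: under Jython the failure surfaces as a Java exception
        return False, "could not connect to " + admin_url + " as " + creds["admin_user"]
    try:
        atnr = lookup_provider_fn("DefaultAuthenticator")
        # UserPasswordEditorMBean.changeUserPassword(userName, oldPassword, newPassword)
        atnr.changeUserPassword(creds["target_user"], creds["old_password"],
                                creds["new_password"])
    except:
        return False, "password change failed for " + creds["target_user"]
    return True, "password changed for " + creds["target_user"]


class FakeAuthenticator:
    """Constructed stand-in for the DefaultAuthenticator MBean (test double only)."""
    def __init__(self):
        self.calls = []

    def changeUserPassword(self, user, old, new):
        self.calls.append((user, old, new))


def demo():
    """Exercise the refused and accepted connect paths with fakes."""
    creds = parse_credentials(
        "# constructed sample credential file\n"
        "admin_user=weblogic\nadmin_password=secret-admin\n"
        "target_user=jdoe\nold_password=old-pw\nnew_password=new-pw\n")

    def refused(user, password, url):
        raise RuntimeError("User: " + user + ", failed to be authenticated.")

    def accepted(user, password, url):
        return None

    auth = FakeAuthenticator()
    failed = change_password(creds, "t3://localhost:7003", refused, lambda n: auth)
    calls_after_failure = list(auth.calls)      # must still be empty
    succeeded = change_password(creds, "t3://localhost:7003", accepted, lambda n: auth)
    return failed, calls_after_failure, succeeded, list(auth.calls)


def main(argv):
    """Entry point under WLST: wlst.sh change_wls_password.py <credential-file> <adminServerURL>"""
    if len(argv) != 3:
        print("usage: wlst.sh change_wls_password.py <credential-file> <adminServerURL>")
        return 2
    f = open(argv[1])
    creds = parse_credentials(f.read())
    f.close()
    ok, message = change_password(
        creds, argv[2], connect,
        lambda name: cmo.getSecurityConfiguration().getDefaultRealm()
                        .lookupAuthenticationProvider(name))
    print(message)
    if ok:
        return 0
    return 1


if "connect" in globals():    # true only inside WLST, where connect() is a built-in
    sys.exit(main(sys.argv))
```

Under WLST the script is run as wlst.sh change_wls_password.py <credential-file> t3://host:port, and the credential file should be readable only by the administrator running it: passwords passed as arguments, as in the scripts above, are visible to other local users in the process list and remain in the shell history. The three-line output in the post ("Could not connect ...", "Changing password ...", "Password change failed") is what a script produces when it continues after a failed connect; this version returns at the first failure, so a failed login can never be followed by a change attempt.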

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
     I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG -- uses a listener for email.contoso.com and is configured for no authentication. This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. Allow users to change password is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated Windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an SPN for "http/email.contoso.com mailserver-dc1"; all SSL certificates being used are valid and my configuration used to allow users to log in and change their password with "user must change password on first login" set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot log in and change my password using the correct URL. However, if I point my browser at http://192.168.4.10/owa I'm prompted to log in and I can change my password using the same credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
    Looking at the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user's password must be changed before logging on for the first time".
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshooting steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

  • Info About self service password provisioning

    Hi Guys ,
    Has anyone had a chance to work on self-service password provisioning in OIM 11gR2?
    If yes, please share relevant docs related to the same.

    Password expiry period = 90 days, with a warning of password expiration given to the user at least five (5) days but no more than ten (10) days prior to expiry, and at every logon during that time.
    All password resets must be verified through a 'closed loop'. That is, there must be verification to a service (e.g. email address or phone number) known only to the system and the user requesting the reset. Changes should be notified to the user's administrator.
    Email should be sent to the user on unsuccessful and successful password changes.
    Your help would be highly appreciated.

  • Disable prompt to change password for local non-admin account

    Hi there, I have a special-case laptop image running Windows 7 Enterprise. This one will not be on the domain -- it is configured as a standalone workgroup only. I have three local accounts on it:
    1) Tech account with admin privs and password protected
    2) Teacher account with admin privs and password protected
    3) Kindergarten student account with regular user privs and no password at all
    For some reason, after Sysprep, when the student and teacher click their icon to log on, Windows always prompts them to change the password. I want to disable that. I have the following in my unattend.xml file which should take care of this, based on what I've read here. Still getting prompted to change the password though. Any ideas what's missing?
    Thanks,
    Sir_Timbit
    <component name="Microsoft-Windows-Shell-Setup" .....
                <FirstLogonCommands>
                    <SynchronousCommand wcm:action="add">
                        <CommandLine>wmic useraccount where &quot;name=&apos;Student&apos;&quot; set PasswordExpires=FALSE&lt;/CommandLine&gt;</CommandLine>
                        <Description>Student password never expires...</Description>
                        <Order>2</Order>
                    </SynchronousCommand>
                    <SynchronousCommand wcm:action="add">
                        <CommandLine>net accounts /maxpwage:unlimited</CommandLine>
                        <Description>Disable expired local user account passwords</Description>
                        <Order>3</Order>
                        <RequiresUserInput>true</RequiresUserInput>
                    </SynchronousCommand>
                    <SynchronousCommand wcm:action="add">
                        <CommandLine>wmic useraccount where &quot;name=&apos;Staff&apos;&quot; set PasswordExpires=FALSE&lt;/CommandLine&gt;</CommandLine>
                        <Description>Staff password never expires</Description>
                        <Order>1</Order>
                    </SynchronousCommand>
                </FirstLogonCommands>

    For some reason my paste garbled up the unattend.xml file. It should read:
                <FirstLogonCommands>
                    <SynchronousCommand wcm:action="add">
                        <CommandLine>wmic path Win32_UserAccount WHERE name="Student" set PasswordExpires=FALSE</CommandLine>
                        <Description>Student password never expires...</Description>
                        <Order>2</Order>
                    </SynchronousCommand>
                    <SynchronousCommand wcm:action="add">
                        <CommandLine>net accounts /maxpwage:unlimited</CommandLine>
                        <Description>Disable expired local user account passwords</Description>
                        <Order>3</Order>
                        <RequiresUserInput>true</RequiresUserInput>
                    </SynchronousCommand>
                    <SynchronousCommand wcm:action="add">
                        <CommandLine>wmic path Win32_UserAccount WHERE name="Staff" set PasswordExpires=FALSE</CommandLine>
                        <Description>Staff password never expires</Description>
                        <Order>1</Order>
                    </SynchronousCommand>
                </FirstLogonCommands>
    Now, I let Sysprep complete and logged on as Staff. I went to the command prompt and ran the wmic command above to configure the student account to never expire. It failed when I ran it from a regular command prompt, but worked (and prevents the student password from expiring, which is what I want!) when I ran the command prompt as administrator and pasted the above. I was under the impression Sysprep would be processing the unattend file with administrative privileges. So I'm a bit closer here, but still unsure how to get it to run the above wmic command as administrator.
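    The same PasswordExpires change done from PowerShell, as an added example that is not part of the original post or its unattend.xml. It talks to the same WMI class that wmic uses (Win32_UserAccount), adds an explicit elevation check up front, since the poster found the wmic call only succeeds from an elevated prompt, and re-reads the account afterwards so the output reflects what was actually stored. The account names 'Student' and 'Staff' are taken from the unattend.xml above; the elevation check and the verification step are additions.

```powershell
# Added example (not from the original post). Clears the password-expiry flag on
# the listed local accounts via Win32_UserAccount, the class behind
# "wmic path Win32_UserAccount ... set PasswordExpires=FALSE".
# Account names are assumed from the unattend.xml in the post.
$accounts = @('Student', 'Staff')

# Win32_UserAccount.Put() needs administrative rights. Fail early with a clear
# message instead of the generic WMI "Access denied" the post ran into.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Run this from an elevated PowerShell (Run as administrator)."
    exit 1
}

# Machine-wide maximum password age, same call as in the unattend file.
net accounts /maxpwage:unlimited | Out-Null

foreach ($name in $accounts) {
    $filter = "LocalAccount=True AND Name='$name'"
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter $filter
    if ($acct -eq $null) {
        Write-Warning "No local account named '$name' on this machine."
        continue
    }
    if ($acct.PasswordExpires) {
        $acct.PasswordExpires = $false
        [void]$acct.Put()
    }
    # Re-read from WMI rather than trusting the in-memory object we just changed.
    $verify = Get-WmiObject -Class Win32_UserAccount -Filter $filter
    Write-Output ("{0}: PasswordExpires={1}" -f $name, $verify.PasswordExpires)
}
```

    Save it as a .ps1 and run it from an elevated PowerShell, or call it from a FirstLogonCommand as `powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1`; either way the elevation check tells you immediately whether the command is running in the context that can write to the account. Since the Tech and Teacher accounts are local administrators, a practitioner would normally apply the never-expires flag only to the passwordless Student account and leave the administrator passwords on a rotation schedule.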

  • CMC Admin Change Password failure

    Hi,
    Logging into the CMC as Administrator in BOXI3.1 is no longer possible. The Administrator account was given 'User must change password at next logon'.
    The logon for the Administrator in a new session is OK, but the password change in the subsequent screen fails with the message "You do not have permission to perform the requested action. Please contact the system administrator for details. Please re-enter your password."
    There is only one Administrator in BOXI3.1. Please suggest a solution if there is one. Is there any reset password script for the command prompt?
    Regards,
    Neonevin.

    Look at the post below for a workaround on how to reset the admin password to a blank password (use at your own risk):
    CMC asterisks in password field
    Regards,
    Stratos
