Expired or initial passwords with SPNego

Hi,
We're implementing a SAP Enterprise Portal right now using SPNego as the method of authentication. The UME of our Portal is connected to our HCM ABAP system. In HCM we set the parameter login/password_change_for_SSO to 0, so the status of a password (e.g. initial or expired) is not relevant when using SSO. This works fine for our HCM, but of course not for the Portal, which is only connected to HCM via the UME.
Anybody got an idea how to have our portal react the same way to initial and expired passwords? I couldn't find anything so far...

Hi Mario,
Though I can't provide you the solution, I have a query...
If my guess is right that you have implemented SPNego authentication, you are trying to implement Kerberos authentication.
Please let me know if you are able to configure the Portal for Kerberos authentication. We tried to implement the same with CRM+Portal; we were able to configure SAP GUI for Kerberos authentication, but with the portal we were not able to implement it.
When we changed the UME configuration file, the portal went down. We raised an OSS note and got a reply stating that "Kerberos authentication cannot be implemented for an ABAP+Java stack. For the portal to support Kerberos authentication, it should be a separate installation."
If you are able to configure portal for SPNego, and able to run the SPNego wizard successfully, please let me know.
Regards,
Nrisimhanadh

Similar Messages

  • TMSADM: Initial password expired

    Dear community,
    I have an urgent question, because SAP support hasn't answered yet and I have to fix the problem.
    For security reasons we changed the following instance parameters:
    login/password_max_new_valid = 1 (The initial password of new users is only valid on the day of creation)
    login/password_max_reset_valid = 1 (The initial password of a reset user account is only valid on the day of the change)
    Now we have a problem with our Transport Management System (STMS) and the communication user TMSADM it uses. One day after the change of the parameters we always get a login prompt when we want to see the import queue of the systems in transaction STMS. When I start an authority check in transaction SM59 for the RFC [email protected]_SID I get the error "The initial password has expired; request a new one".
    Now comes my question. Does anyone know how to fix the problem? I haven't found any solution in the SAP Service Marketplace, and SAP Support only wrote me that I should check notes 761637 and 713622, which don't fit my problem exactly.
    I'm now searching for a possibility to set a password for a communication or CPIC user. When I set a password in SU01 I can only set an initial password. So does anyone know how to do this? E.g. when I have a dialog user I can change the password at startup, but how can I change it for a communication user?
    Another possibility is to not run the check of the initial password for the user TMSADM. Is this possible, and if yes, who can tell me how?
    Please help me, I'm in urgent trouble, because my colleagues are angry about the result of this change.
    Many thanks in advance.
    Michael

    I don't think that it is a good idea to change the password on the database. The values are only saved as hash values, so it is not possible.
    Further, I found a solution on my own to fix the problem. I changed the user type from communication to dialog and so I set the password in the dialog screen at login.
    After that I changed the user type to communication again.
    It works. I've just tested it and the next days I will take the change for our productive system.
    Bye

  • SAP initial password expired... how to renew it?


    hi there
    Check with your Basis team to renew the password, or get help from your team lead (he may have authorization for SU01); there you can change the initial password.
    Thanks
    Senthil

  • Jco Function issue : The initial password has expired (request a new one)

    Hi Friends,
    Could you please help me to resolve this issue. I am able to start my session using the SAP JCo Start Action block. But while invoking the BAPI using the
    SAP JCo Function action block I am getting the below error. I am 100% sure that my credentials are correct. I am able to log on to ECC using the SAP front-end GUI.
    I am using MII 14.0 patch SP4.
    Any help on this very much appreciated.
    <Rowsets DateCreated="2014-07-22T12:33:49" EndDate="2014-07-22T12:33:49" StartDate="2014-07-22T12:33:49" Version="14.0 SP4 Patch 0 (Nov 22, 2013)">
        <FatalError>JCOProxy error: Problem retrieving JCO.Function object: The initial password has expired (request a new one)</FatalError>
    </Rowsets>
    Thanks in advance
    Shaji

    Hi Friends,
    This issue got resolved when I cleared the BAPI list cache at MII using the URL below.
    http://hostname:port/XMII/JCOProxy?Mode=Reset

  • Initial password change requested with SSO

    Hi all,
    We have well-working SSO with EP6 SP2 and standalone ITS. SSO is based on the SAP logon ticket. Only one annoying thing appears.
    If a new user is created in SAP R/3, ITS asks for a password change.
    Does it mean that the user must initially (and later again according to the password policy) change the password although we do not use direct access to R/3? If no password change should be required with SSO, how do we solve this issue?
    EP6 SP2 P4 HF8
    ITS 6.2 PL14
    R/3 4.7
    Thanks in advance for any good idea.
    Pavol

    Hello,
    We are on a very similar setup as above:
    EP 6.0 SP12 with ITS.
    What we are seeing is that the initial password dialog comes up, but there are only the input fields and no "Submit" or "Change" buttons. In summary, new users are not able to change their password through the Portal.
    Any ideas why this might be happening?
    Thanks,
    Siva.

  • Send Welcome Email After account exists in AD with initial password

    We have FIM set up to create new users based on a workflow. In the workflow I add them to the outbound sync rule, then send a welcome email. In this workflow there are several steps; one is randomly generating an initial password. What I'm trying to figure out is how to send the welcome email after the delta sync runs that verifies the user was created in AD.
    I thought about using the Poor Man's version of a connector detection mechanism; however, how do I get the initial password from the workflow above into the workflow that would run after the connector detection mechanism detected the object coming in from AD?
    Thanks;
    Jon

    The other option could be to set a random password on the AD account when it is created, but then have another workflow that runs in the Portal when the objectSid is set for the first time. This workflow could reset the user's password in AD to another random value and send the email notification with that newly generated password. This way the password is known but it isn't stored anywhere.
    Andrew.
    Andrew & Borys thank you both for the replies.
    Andrew, I like that option more. I'm guessing a Set Transition MPR from null/blank (not sure what the initial value is in the portal) to not null / not blank.
    One issue is I don't think objectSid is available to use as a filter in the portal.
    I'll check this using a custom attribute.

  • HT204409 How do I change or reset my password for my wifi? I have forgotten my initial password when I setup the wifi and now cant use it with my iPod but it still works with my iPad as the password option doesn't come up like the iPod.


    If you are saying that the iPod asks for the password for the network and you do not know it, what may work is to turn on iCloud Keychain for the iPod and iPad. That may sync the password from the iPad to the iPod.
    http://9to5mac.com/2013/10/26/how-to-setup-and-use-icloud-keychain-for-mavericks-and-ios-7/
    Otherwise you will have to go into the router settings and reset the wifi password in the router.

  • SAP  Portal  unable to recognize  AD requirement to change initial password

    Hi,
    We configured an Active Directory server (2008 R2) as the UME for SAP Portal (Netweaver 7.01 SP7). We matched as many of the security parameters as possible* (e.g. minimum password length, require one number in the password, etc.). The AD parameter "User must change password at next logon" is set ON. However, upon attempting to log in to SAP Portal with the initial password that was set in AD we are not prompted to change the password. Rather, the SAP Portal logon attempt fails with the message: "Authentication Denied".
    Has anyone dealt with this problem before?
    Other information: 
    *Our Marketplace research indicated that the SAP Portal parameter "ume.ldap.security_policy.password_change_required" (which would correspond to the AD parameter mentioned above) is no longer an available parameter for our SAP Portal version (Netweaver 7.01 SP7).
    In our version of SAP Portal, the AD parameter "User must change password at next logon" has one parameter which is similar but does not directly correspond. The SAP Portal parameter which we do have is "No password change required". Notice this is the logical opposite of the AD parameter: AD says to require the password change, whereas SAP Portal says it's NOT required. Therefore, when the AD parameter is set to ON, this results in the Portal parameter being set to OFF. Even still, we face the login failure.

    You have to note here that implementing SAP IDM is only ONE of the possible options you have. The implementation of IDM in itself is a huge undertaking because of the number of systems and the decision making process involved with it.
    In one of my previous implementations, when SAP IDM was not around, we had Tivoli Access Management tools which took care of the password problems.
    Even though we implement IDM and deploy the IDM UI on the Portal, the user should still change the password before it expires on AD, right?
    Even with IDM in place, user will not be able to login to SAP portal with an expired AD password. However, in our case, we provide a link on the logon page of SAP portal to the IDM password self service application which will allow the user to change the password.
    Does IDM have any feature like sending notifications before the password expiration period?
    I don't think it does - however I have not explored this option in IDM since most of our users do not have email addresses and we cannot send a reminder. You should be able to create a task (with some customization) in IDM to achieve this.
    Also will the IDM implementation help us in creating users with option "User should change password at next logon" on AD ?
    Yes - IDM does create users with option "User should change password at next logon" in AD.
    With IDM in place and tied to AD, it should be the central place of creating users. It is recommended NOT to create or manipulate the users in any target systems (SAP, AD, etc). IDM should be taking care of all the user provisioning activities.
    Is this like a workaround to allow users to change their password from the Portal before it expires on Active Directory (AD)?
    This is not a workaround; it is rather a full-blown identity management solution for all your company's needs.
    You will get a lot of your IDM specific questions answered in the Identity Management forum.
    Thanks,
    Shanti

  • [Initial Password] CUA vs IdM

    Hi,
    Please correct me if I am wrong: when the CUA changes the password in the child systems, they are set as initial. It means that, on the first logon, the user has to change it.
    Is there a possibility for IdM to set a "definitive" password? It seems so to me after reading
    |                     |        CUA        |  Identity Management       |
    | Password management | Initial passwords | yes incl. workflow support |
    in https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab, page 29
    Thanks in advance.
    Best regards,
    Guillaume

    IdM can only do what SAP permits. How one is authenticating determines the password policy. An initial password, an expired password and a password reset by an administrator all set the same flag: the user must change their password on next logon. The only way around this is to write directly to the DB with SAP's hash. A terrible idea and a big security risk.
    UME uses a delegated model so the password policy depends on what you are authenticating against.  This question is normally asked because a company wants to do password synchronization; one is better off doing SSO.

  • Problems in Changing LDAP (AD) Initial Password from Portal

    Hello,
    We are using EP 7.01 SP 05 with Microsoft AD as our user data store (flat structure).
    For newly created users on AD, we want them to be able to change their initial passwords from the portal (on their first logon).
    SSL is set up between EP and AD.
    The user we are using to access LDAP has write privileges.
    We are using a standard configuration file (writeable version) (dataSourceConfiguration_ads_writeable_db.xml)
    We are able to modify users from User Administration console (including password change) without any problem.
    However, there are two problems we are facing:
    1. If the flag "User must change password at first logon" is set on AD/LDAP, then on the Portal the user is not prompted to change the password, and user authentication fails.
    2. If the flag "User must change password at first logon" is NOT set on AD/LDAP, then the user is prompted to change the password; however, the password change does not go through successfully. The error says "Missing".
    From logs I can see the following error:
    #1.5#0050568767DE006B0000000700005D7C00048EC433D5B0FC#1282873241046#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=changePassword][cl=64495]#Guest#0#SAP J2EE Engine JTA Transaction : [044ffffffd35700451]#n/a##19ae55e0b17c11dfb0d00050568767de#SAPEngine_Application_Thread[impl:3]_23##0#0#Error##Java###Can not change password
    [EXCEPTION]
    {0}#1#javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, \#1:
    0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
    ]; remaining name 'cn=portal test'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2943)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2749)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1449)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
    Can anyone please suggest what this error is about and what I am missing.
    Thanks,
    Shanti

    Hello All,
    Thank you for your time and valuable replies.
    I got rid of the "Missing" error and now I am one step away from the solution.
    Now I am at a stage where: (for a user with initial password on LDAP)
    1. In AD if "User needs to change password on next logon" flag is NOT set - user can successfully logon to portal. (without being prompted for password change)
    2. In AD if "User needs to change password on next logon" flag is set - then user cannot logon to portal - I get User authentication failed error.
    I have gone through a lot of discussions around this topic on SDN and different SAP Notes. I have tried to keep the UME security policy as close as possible to LDAP (I cannot make it exactly the same due to some differences between LDAP and UME).
    However, when an administrator can change passwords from UME successfully without any problem, it means that:
    - Security policy is being met
    - Service user used to communicate to LDAP has all the required access
    The only missing piece of the puzzle is how to enable the users to be able to change their passwords (with initial or expired passwords).
    According to Note 865399, the default value for the property ume.ldap.access.set_pwd is TRUE.
    Also the property ume.ldap.access.pwd.via.usercontext can only be TRUE when ume.ldap.access.set_pwd is set to FALSE.
    So, I have tried setting the following without any success:
    <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
    <ume.ldap.access.set_pwd>false</ume.ldap.access.set_pwd>
    Thanks,
    Shanti
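    The two failure modes in this thread map to documented Windows error codes carried inside the LDAP diagnostic string: the 0000052D prefix in the logged AtrErr on unicodePwd is Win32 error 1325 (ERROR_PASSWORD_RESTRICTION, the new value violates the domain's length, complexity or history policy), while an account flagged "user must change password at next logon" makes the bind itself fail with data 773 (ERROR_PASSWORD_MUST_CHANGE), which a portal surfaces as a generic authentication failure. The following parser is an added example, not code from the thread or from SAP UME; the two sample strings are constructed from the codes quoted above, and the code table is the standard winerror.h set that AD returns.

```python
import re

# Constructed sample 1: the AtrErr form from the thread's JNDI exception.
SAMPLE = ("[LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, #1:\n"
          "0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), "
          "data 0, Att 9005a (unicodePwd)\n]; remaining name 'cn=portal test'")

# Constructed sample 2: a simple bind refused because pwdLastSet is 0
# ("user must change password at next logon"), the thread's other symptom.
SAMPLE_BIND = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
               "AcceptSecurityContext error, data 773, v1db1]")

# Win32 codes AD embeds either as the 8-digit hex prefix (attribute errors)
# or as the hex "data" field (bind errors). Standard winerror.h values.
WIN32_CODES = {
    0x005: "ERROR_ACCESS_DENIED: service account lacks rights on the attribute",
    0x52D: "ERROR_PASSWORD_RESTRICTION: new password violates length/complexity/history policy",
    0x52E: "ERROR_LOGON_FAILURE: wrong user name or password",
    0x52F: "ERROR_ACCOUNT_RESTRICTION: account restriction in effect",
    0x532: "ERROR_PASSWORD_EXPIRED: password expired, change required",
    0x533: "ERROR_ACCOUNT_DISABLED: account is disabled",
    0x701: "ERROR_ACCOUNT_EXPIRED: account has expired",
    0x773: "ERROR_PASSWORD_MUST_CHANGE: 'user must change password at next logon' is set",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT: account is locked out",
}

LDAP_RESULT = {19: "constraintViolation", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}


def parse_ad_error(text):
    """Parse an AD LDAP diagnostic message (as JNDI reports it) into fields.

    Returns None if the text does not look like an AD LDAP error."""
    head = re.search(r"error code (\d+) - ([0-9A-Fa-f]{8}):", text)
    if not head:
        return None
    ldap_code = int(head.group(1))
    info = {"ldap_code": ldap_code, "ldap_name": LDAP_RESULT.get(ldap_code, "unknown"),
            "problem": None, "attribute": None, "dn": None}
    bind = re.search(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)", text)
    if bind:
        # Bind failures: the real code is the hex "data" field; the 8-digit
        # prefix (80090308) is only the generic SEC_E_INVALID_TOKEN HRESULT.
        info["win32"] = int(bind.group(1), 16)
    else:
        # Attribute-modify failures (AtrErr): the prefix is the Win32 code.
        info["win32"] = int(head.group(2), 16)
    info["meaning"] = WIN32_CODES.get(info["win32"], "unknown")
    prob = re.search(r"problem (\d+) \(([A-Z_]+)\)", text)
    if prob:
        info["problem"] = (int(prob.group(1)), prob.group(2))
    att = re.search(r"Att [0-9A-Fa-f]+ \((\w+)\)", text)
    if att:
        info["attribute"] = att.group(1)
    dn = re.search(r"remaining name '([^']*)'", text)
    if dn:
        info["dn"] = dn.group(1)
    return info


def explain(text):
    """One-line triage string for an admin reading the portal log."""
    info = parse_ad_error(text)
    if info is None:
        return "not an AD LDAP error"
    where = f" on {info['attribute']}" if info["attribute"] else ""
    return (f"LDAP {info['ldap_code']} ({info['ldap_name']}){where}: "
            f"Win32 0x{info['win32']:X} {info['meaning']}")


if __name__ == "__main__":
    print(explain(SAMPLE))
    print(explain(SAMPLE_BIND))
```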

  • Firefox keeps prompting me for password with the popup

    Firefox at my work computer keeps prompting for a password with the popup message "The proxy moz-proxy://proxy:9119 is requesting a username and password. The site says: "moz-proxy://proxy:9119"". This happens too often; even if I provide the username and password I get the next popup with the same message.
    It's very annoying, I am not finding the web better because of this. I googled and figured out the config settings of network.automatic-ntlm-auth.allow-proxies and the other one, but they are not working.
    I guess I am missing the PAC URL or something, which I remember solved the problem some time back, but not in the same domain though.
    Can someone help ?
    Can the good community help ?

    Quitting Calendar Agent is not working for me. I still get the following errors.
    About 50 of these: 8/13/12 10:19:28.210 AM CalendarAgent[12480]: Unexpected EOF, returning last token as fallback
    Then about 10 of these:
    8/13/12 10:19:31.193 AM CalendarAgent[12480]: [com.apple.calendar.store.log.caldav.queue] [Account refresh failed with error: Error Domain=CoreDAVHTTPStatusErrorDomain Code=401 "The operation couldn’t be completed. (CoreDAVHTTPStatusErrorDomain error 401.)" UserInfo=0x7fb603b9d990 {AccountName=, CalDAVErrFromRefresh=YES, CoreDAVHTTPHeaders=<CFBasicHash 0x7fb603f5a4b0 [0x7fff79a05190]>{type = immutable dict, count = 10,

  • How to programmatically set initial password when a user is created in OID

    We are using the odihragent synchronization process to automatically create users in OID when an employee record is created. We would like to set the initial password for the newly created user to their last name + the last 4 digits of their SSN.
    The odihragent process is successfully creating the user in OID and populates the last name and the last 4 digits of the SSN in OID. According to an open SR I have with Oracle, we cannot use the odihragent process to set the initial password because any time the employee record is updated, the synchronization process will reset the password to last name + SSN. They have recommended that we use a pl/sql plug-in to set the password using the WHEN_ADD plug-in procedure.
    I am new to using OID and plug-ins and the examples provided in the Developer's Guide are limited.
    I would like to know if anyone else is using plug-ins or another process to set initial passwords when a user is created? If you are using plug-ins would you be willing to share a code sample?

    I am surprised that I have not received any responses... Surely there are others who are experienced with programmatically setting passwords when new users are programmatically created. Does anyone have any pointers on how to best accomplish this?

  • Initial password when LDAP user created in SAP?

    Hi,
    I'm about to configure LDAP integration with SAP, where users that exist only on the LDAP server are created in SAP.
    Are any initial passwords automatically set for these users in SAP, or will an administrator have to go in and set an initial password for all created users?
    Thanks, Oscar

    Hi,
    I assume you will use the LDAP synchronization in an ABAP system. Here you have to maintain the fields to be synchronized. The password field is typically not synchronized, but you can fill in the logon data hash value. I never tried to get the hash value out of LDAP because LDAP and SAP may use different hash algorithms. The better way is to set a fixed value in the mapping. You can use SAP functions to maintain the hash value.
    Transaction for maintaining the mapping: LDAPMAP.
    Regards
    Rainer

  • CUA environment - changing the initial password of a user.

    Hi Gurus,
    I've encountered a peculiar issue when I assign an initial password to a user.
    My system setup is based on CUA where my Central admin is client 100, with child client 200.
    - I create an ID in client 100, set it to system 200, set initial password as "passW0rd". Save
    - The ID was created in 200
    - Logged in to client 100 using the ID and "passW0rd", prompted for a new password (I cancelled the login)
    - Went back to client 100 CUA; in SU01 I selected the ID and clicked "EDIT", and under the logon data I retyped the initial password as "P4ssword"
    - Checked SCUL, it's green and the user change is there
    - Logged in to client 100 using the ID and "P4ssword", password error
    - Tried the old "passW0rd", prompted for a new password.
    I'm puzzled why the CUA did not redistribute the changed initial password to client 200. Anyone have any ideas?
    I also tried SU01 and clicked the "reset password" button instead of "edit"; the changed password was then distributed to client 200.
    So is the password change only OK this way, and not OK if changed within edit mode?
    Thanks,
    Jansen

    Hi Sergo,
    Yes, I realise the "change password" works, but for my case I cannot use that function. Any other suggestions? Cos by right, even if I were to change it in the logon data it should work, right?
    Hi Juan,
    Yes I've checked, the IDOCs are in and successful.

  • SAP ABAP/BOBJ Infoview initial password change

    Hi all,
    We are using BOBJ Crystal Reports and BI for reporting. All authentication and data security is working great, including user/role sync from the ABAP stack.
    My problem is as follows. Say I reset the initial password on the ABAP side for a user ID. I log into BOBJ InfoView and the new initial password syncs as expected. However, InfoView does not prompt the user to change the initial password as the ABAP side or portal would. Now the user keeps the initial password the admin set. Again, our portal or ABAP system forces the user to change the initial password, but I can't seem to have InfoView do the same.
    Any guidance would be greatly appreciated.
    Thanks!
    SAP BI - Netweaver 2004 S
    BOBJ Enterprise XI 3.1 
    SAP Integration Kit
    Crystal 2008 (12.2.0.29)

    I believe this note pertains to your issue:
    1319430 - SAP Users not prompted to change their passwords    
    Version   1     Validity: 03/18/2009 - active   
    Language   English 
    Symptom
    When the SAP system has a new user set to change their password on the initial login and the user attempts to log into Infoview using the SAP integration kit the user is not prompted to change their password.
    Reproducing the Issue
    When SAP system has a new user set to change password on initial login and user attempts to log into Infoview using SAP integration kit the user is not prompted to change password.
    Cause
    This occurs because, as with other third-party integration solutions, we do not write to the authentication system but only read the information that is there. Thus we are unable to "CHANGE" an SAP password.
    Resolution
    Have a new user access the SAP GUI or another SAP utility before accessing InfoView for the first time.
    Keywords
    SAP PASSWORD RESET NEW USER
