Initial password must be reinitialized

Similar Messages

• SAP  Portal  unable to recognize  AD requirement to change initial password

  Hi,
  We configured Active Directory server (2008 R2) as UME for SAP Portal (Netweaver 7.01  SP7).  We matched as many of the security parameters as possible* (ex.  minimum password length, require one number in password, etc.).  The AD parameter "User must change password at Next logon" is set ON.  However, upon attempt to login to SAP Portal with the initial password that was set in AD we are not prompted to change the password.  Rather, the SAP Portal logon attempt fails with message:  "Authentication Denied"
  Has anyone dealt with this problem before?
  Other information: 
  *Our MarketPlace researched indicated that the SAP Portal parameter "ume.ldap.security_policy.password_change_required" (which would correspond to the AD parameter mentioned above) is no longer an available parameter for our SAP Portal version (Netweaver 7.01  SP7).
  In our version of SAP Portal, the AD parameter "User must change password at Next logon" has one parameter which is similar, but does not directly correspond.  The SAP Portal parameter which we do have is "No password change required".  Notice this is the logical opposite of the AD parameter:  AD says to require the password, whereas SAP Portal says it's NOT required.  Therefore, when the AD parameter is set to ON, this results in the Portal parameter being set to OFF.  Even still, we face the login failure.

  You have to note here that implementing SAP IDM is only ONE of the possible options you have. The implementation of IDM in itself is a huge undertaking because of the number of systems and the decision making process involved with it.
  In one of my previous implementations, when SAP IDM was not around, we had Tivoli Access Management tools which took care of the password problems.
  even though we implement IDM and deploy IDM UI on Portal , still user should change password before it expires on AD right ?
  Even with IDM in place, user will not be able to login to SAP portal with an expired AD password. However, in our case, we provide a link on the logon page of SAP portal to the IDM password self service application which will allow the user to change the password.
  Does IDM has any feature like sending notifications before password expiration period ?
  I don't think it does - however I have not explored this option in IDM since most of our users do not have email addresses and we cannot send a reminder. You should be able to create a task (with some customization) in IDM to achieve this.
  Also will the IDM implementation help us in creating users with option "User should change password at next logon" on AD ?
  Yes - IDM does create users with option "User should change password at next logon" in AD.
  With IDM in place and tied to AD, it should be the central place of creating users. It is recommended NOT to create or manipulate the users in any target systems (SAP, AD, etc). IDM should be taking care of all the user provisioning activities.
  is this like a work around to allow users to change password from Portal before it gets expired on Active Directory(AD) ?
  This is not a work around - it is rather a full blown identity management solution for all your company needs.
  You will get a lot of your IDM specific questions answered in the Identity Management forum.
  Thanks,
  Shanti

• [Initial Password] CUA vs IdM

  Hi,
  Please correct me if I am wrong: when the CUA cha,ges to password in the child systems, they are set as initial. It means that, on the first logon, the user has to change it.
  Is there a possibility for IdM to set "definitive" password. It seems so to me after reading
  |                     |        CUA        |  Identity Management       |
  | Password management | Initial passwords | yes incl. workflow support |
  in https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab, page 29
  Thanks in advance.
  Best regards,
  Guillaume

  IdM can only do what SAP permits.  Depending on how one is authenticating determines the password policy.  An initial password, an expired password and a password reset by an administrator all set the same flag.  The user must change their password on next logon.  The only way around this to write directly to the db with SAP's hash.  A terrible idea and a big security risk. 
  UME uses a delegated model so the password policy depends on what you are authenticating against.  This question is normally asked because a company wants to do password synchronization; one is better off doing SSO.

• Initial password change requested with SSO

  Hi all,
  we have well working SSO with EP6 SP2 and standalone ITS. SSO is based on SAP logon ticket. Only one annoying thing appears.
  If a new user is created in SAP R/3, ITS asks for changing of password.
  Does it mean that the user must initially (and later again according to password policy) change the password although we do not use direct access to R/3? If no password change should be required with SSO, how to solve this issue?
  EP6 SP2 P4 HF8
  ITS 6.2 PL14
  R/3 4.7
  Thanks in advance for any good idea.
  Pavol

  Hello,
  We are on a very similar setup as above:
  EP 6.0 SP12 with ITS.
  What we are seeing is that the initial password dialog comes up but there is only the input fields but no "Submit" or "Change" buttons. In summary, new users are not able to change their password through the Portal.
  Any ideas why this might be happening?
  Thanks,
  Siva.

• Problems in Changing LDAP (AD) Initial Password from Portal

  Hello ,
  We are using EP 7.01 SP 05 with Microsoft AD as our user data store (flat structure).
  For newly created users on AD, we are wanting them to be able to change their initial passwords from portal (on their first logon).
  SSL is set up between EP and AD.
  The user we are using to access LDAP has write privileges.
  We are using a standard configuration file (writeable version) (dataSourceConfiguration_ads_writeable_db.xml)
  We are able to modify users from User Administration console (including password change) without any problem.
  However, there are two problems we are facing:
  1. If the flag "User must change password at first logon" is set on AD/LDAP, then on Portal the user is not getting prompted for changing password - and User authentication failed
  2. If the flag "User must change password at first logon" is NOT set on AD/LDAP, then - User is getting prompted to change the password" - however password change is not going through successfully - Error says - "Missing".
  From logs I can see the following error:
  #1.5#0050568767DE006B0000000700005D7C00048EC433D5B0FC#1282873241046#com.sap.security.core.persistence#sap.com/irj#com.sap.security.core.persistence.[cf=com.sap.security.core.persistence.datasource.imp.LDAPPersistence][md=changePassword][cl=64495]#Guest#0#SAP J2EE Engine JTA Transaction : [044ffffffd35700451]#n/a##19ae55e0b17c11dfb0d00050568767de#SAPEngine_Application_Thread[impl:3]_23##0#0#Error##Java###Can not change password
  [EXCEPTION]
  {0}#1#javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, \#1:
  0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
  ]; remaining name 'cn=portal test'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2943)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2749)
  at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1449)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
  Can any one pls suggest what is this error about and what I am missing.
  Thanks ,
  Shanti

  Hello All,
  Thank you for your time and valuable replies.
  I got rid of the "Missing" error and now I am one step away from the solution.
  Now I am at a stage where: (for a user with initial password on LDAP)
  1. In AD if "User needs to change password on next logon" flag is NOT set - user can successfully logon to portal. (without being prompted for password change)
  2. In AD if "User needs to change password on next logon" flag is set - then user cannot logon to portal - I get User authentication failed error.
  I have went through a lot of discussions around this topic on SDN and different SAP Notes. I have tried to maintain UME Security policy as close as possible to LDAP (I cannot make it exactly same due to some differences in LDAP and UME).
  However, when and administrator can change passwords from UME successfully without any problem - it means that:
  - Security policy is being met
  - Service user used to communicate to LDAP has all the required access
  The only missing piece of the puzzle is how to enable the users to be able to change their passwords (with initial or expired passwords).
  According to Note 865399 - the default value for The property ume.ldap.access.set_pwd is TRUE.
  Also the property ume.ldap.access.pwd.via.usercontext can only be TRUE when ume.ldap.access.set_pwd is set to FALSE.
  So, I have tried setting the following without any success:
  <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
  <ume.ldap.access.set_pwd>false</ume.ldap.access.set_pwd>
  Thanks,
  Shanti

• Initial password for SAP* in SAP NetWeaver 2004s ABAP Edition

  Hello,
  I have just installed the SAP NetWeaver 2004s ABAP Edition on my PC and I want to setup some new clients to simulate an ALE model.
  Does anyone know the initial password for SAP* ?
  I have already tried PASS and pass because I know it is case -sensitive now but it did not work.
  Thanks a lot.
  Wim Van den Wyngaert

  Hi,
  initial SAP* password is 06071992 
  DDIC is 19920706

• How to programmatically set initial password when a user is created in OID

  We are using the odihragent synchronization process to automatically create users in OID when an employee record is created. We would like to set the initial password for the newly created user to their last name + the last 4 digits of their SSN.
  The odihragent process is successfully creating the user in OID and populates the last name and the last 4 digits of the SSN in OID. According to an open SR I have with Oracle, we cannot use the odihragent process to set the initial password because any time the employee record is updated, the synchronization process will reset the password to last name + SSN. They have recommended that we use a pl/sql plug-in to set the password using the WHEN_ADD plug-in procedure.
  I am new to using OID and plug-ins and the examples provided in the Developer's Guide are limited.
  I would like to know if anyone else is using plug-ins or another process to set initial passwords when a user is created? If you are using plug-ins would you be willing to share a code sample?

  I am surprised that I have not received any responses... Surely there are others who are experienced with programmatically setting passwords when new users are programmatically created. Does anyone have any pointers on how to best accomplish this?

• Initial password when LDAP user created i SAP?

  Hi,
  I'm about to configure LDAP integration with SAP, where users that exist only on the LDAP server are created in SAP.
  Are any initial passwords automatically set for these users in SAP, or will an administrator have to go in and set an initial password for all created users?
  Thanks, Oscar

  Hi,
  I assume you will use the LDAP synchronization in an ABAP system. Here you have to maintain the fields to be synchronized. The password field is typically not synchronized but you can fill in the logondata hashvalue. I never tried to get the hashvalue out of LDAP because LDAP and SAP may use different hash algorithms. The better way is to set a fixed value in the mapping. You can use SAP functions to maintain the hashvalue.
  Transaction for maintaining the mapping: LDAPMAP.
  Regards
  Rainer

• Jco Function issue : The initial password has expired (request a new one)

  Hi Friends,
       Could you please help me to resolve this issue. I am able to start my session using  SAP Jco Start Action block. But while invoking the BAPI using
  SAP JCo Function action block I am getting the below error. I am 100% sure that my credentials are correct. I am able to logon to ECC using SAP Front GUI.
  I am using MII 14.0 patch SP4
  Any help on this very much appreciated.
  <Rowsets DateCreated="2014-07-22T12:33:49" EndDate="2014-07-22T12:33:49" StartDate="2014-07-22T12:33:49" Version="14.0 SP4 Patch 0 (Nov 22, 2013)">
      <FatalError>JCOProxy error: Problem retrieving JCO.Function object: The initial password has expired (request a new one)</FatalError>
  </Rowsets>]]
  Thanks in advance
  Shaji

  Hi Friends,
  This issue got resolved when I cleared the BAPI list cache at MII using below URL.
  http://hostname:port/XMII/JCOProxy?Mode=Reset

• CUA environment - changing the initial password of a user.

  Hi Gurus,
  I've encounter a perculiar issue when I assign an initial password to a user.
  My system setup is based on CUA where my Central admin is client 100, with child client 200.
  - I create an ID in client 100, set it to system 200, set initial password as "passW0rd". Save
  - The ID was created in 200
  - Logged in Client 100 using ID and "passW0rd", prompted for new password (i canceled the login)
  - When back to client 100 CUA, in SU01 I select ID and click "EDIT", under the logon data I retype the initial password to "P4ssword"
  - checked SCUL, it's green and user change
  - Logged in Client 100 using ID and "P4ssword", error in password
  - tried the old "passW0rd", prompted for new password.
  I puzzled why the CUA did not redistribute the changed initial password to client 200, another can any ideas?
  I also tried SU01 and click "reset password" button instead of "edit", the changed password was able to distributed to client 200.
  By password change is ok this way or not ok if change within edit mode?
  Thanks,
  Jansen

  Hi Sergo, 
  Yes I realise the "change password" works but for my case I cannot use that function. Any other suggestions. Cos by right even if I were to change in the logon data it should work right?
  Hi Juan,
  Yes I've checked, the IDOCs are in and successful.

• SAP ABAP/BOBJ Infoview initial password change

  Hi all,
  We are using BOBJ Crystal Repors and BI for reporting. All authentication and data security is working great including user/role sync from ABAP stack.
  My problem is as follows - Say I reset the initial password in the ABAP side for a user id. I log into BOBJ Infoview and the new inital password syncs as expected. However.....the infoview does not promt for the user to change the initial password as the ABAP side or portal would. Now the user maintains the initial password the admin set. Again, our portal or ABAP system forces the user to change the initial password but I can't seem to have the infoview do the same.
  Any guidance would be greatly appreciated.
  Thanks!
  SAP BI - Netweaver 2004 S
  BOBJ Enterprise XI 3.1 
  SAP Integration Kit
  Crystal 2008 (12.2.0.29)

  I believe this note pertains to your issue:
  1319430 - SAP Users not prompted to change their passwords    
  Version   1     Validity: 03/18/2009 - active   
  Language   English 
  Edit Show change log 
  Content:    Summary   |   Header Data   |   References   |   Product
  Symptom
  When the SAP system has a new user set to change their password on the initial login and the user attempts to log into Infoview using the SAP integration kit the user is not prompted to change their password.
  Reproducing the Issue
  When SAP system has a new user set to change password on initial login and user attempts to log into Infoview using SAP integration kit the user is not prompted to change password.
  Cause
  This occurs because, as with other 3rd party integration solutions, we do not write to the authentication system but only read the information that is there. Thus we are unable to "CHANGE" an SAP password.
  Resolution
  Have a new user access the SAP GUI or another SAP utility before accessing InfoView for the first time.
  Keywords
  SAP PASSWORD RESET NEW USER

• GRC 10: Initial password for multiple users creation in a ARQ request???

  Hi All,
  I was trying to create a request in ARQ for multiple users. I noticed that, I could add all the necessary required information for multiple users using the template. I added the roles as well. However, I could not set the initial password for multiple users as the tab "User System Details" (where the initial password is provided for a single user) is disabled!!!
  The users were successfully created in the R/3 system. However, due to non-availability of initial password, these users could not log into the R/3 system.
  May I know how to set the initial password for multiple users?
  Regards,
  faisal

  Vit,
  I was trying to test this multiple user creation scenario. But I am surprise to get a template where in I have only below mentioned fields:
  1. User Name
  2. User Id
  3. Email
  I filled these details and uploaded. Then filled the "User Access" details. While submitting the request, I got the error:
  "Last name is not mentioned for user id XXX"
  But there is not such column in provided template by GRC!
  I added 2 columns: First Name and Last Name and saved it and uploaded again. These details are not picked up!
  Following are the only columns shown:
  1. User Name
  2. User Id
  3. Email
  4. Manager
  Out of above, only "Manager" field is editable and others are disabled.
  Last time I remember, I has got complete template with all the columns. Unfortunately, I have deleted it and not available with me now.
  Any idea you have why am I getting such incomplete template?
  Regards,
  faisal

• TMSADM: Initial password expired

  Dear community,
  I've a urgent question, because the SAP support hasn't answered yet and I have got to fix the problem.
  Because of security reasons we changed the following instance Parameters:
  login/password_max_new_valid = 1 (The initial password of new users is only valid on the day of creation)
  login/password_max_reset_valid = 1 (The initial password of an reseted user account is only valid on the day of change)
  Now we have an problem with our Transport Management System (STMS) and the used communication user TMSADM. One day after the change of the parmters we always got an login prompt when we wanted to see the import queue of the systems in transaction STMS. When I start a authority-check in transaction SM59 for the RFC [email protected]_SID Iget the error "The initial password has expired; request a new one".
  Now comes my question. Does anyone know how to fix the problem? I havn't found any solution in the SAP Service Marketplace and the SAP Support only wrote me that I should check the note 761637 and 713622, which don't fit exactly to my problem.
  I'm searching now for an possibility to set an password for an communication or CPIC user. When I set an password in SU01 I can only set an initial password. So does anyone knows how to do? E.g.: when I have an dialog user i can change the password at startup, but how can I change it at an communication user?
  Another posibilty is to run the check of the initialpassword not for the user TMSADM. Is this possible and if yes who can me tell how?
  Please help me, I'm in urgent trouble, because me colleagues are angry about this result of changement.
  Many thanks in advance.
  Michael

  I don't think that it is an good idea to change the password on the database. The values are only saved as hash-values and so it is not possible.
  Further I found a solution on my own to fix the problem. I changed the user type from communiction to dialog and so I set the password in the dialog screen at login.
  After that I changed the user type to communication aggain.
  It works. I've just tested it and the next days I will take the change for our productive system.
  Bye

• Disable Initial Password Reset.

  Hello;
  Is it possible to set that the user do not change the initial password
  when created or even if the SAP Administrator reset it, the first time
  the user log on the system.
  Thanks;
  Ali Gumusoglu

  Hi Ali,
  Yes, it is possible; for that follow below steps:
  1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
  Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
  2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
  3.Click on below property and set value is FALSE and click and "SET" button.
  "ume.logon.security_policy.password_change_required = FALSE"
  4.Save.
  5. Restart the engine.
  Now
  1. Login with an "Administrator"
  2. Create a user and define a password like "init123"
  3. logoff from "administrator"
  4. login with new user; password is "init123"
  now system will not ask to change password.
  Reward Points; if it is usefull.
  Thanks,
  Nagaraju Parlapalli

• Batch user creation - what is the initial password?

  Hello experts,
  I'm trying to import a list of users using the batch import (User Administration -> Import) as described here:
  [http://help.sap.com/saphelp_nwce711/helpdata/en/48/a8a834da282883e10000000a42189c/frameset.htm]
  I see that the users are created in the UME.
  What is the initial password for the newly created users?
  Can I specify this somehow?
  Best regards,
  Florian

  Hi Florian
  Please check the following link:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
  and
  http://help.sap.com/SAPHELP_NW04S/helpdata/EN/f6/0edf3d0eb8af5ee10000000a114084/content.htm
  The link :
  http://help.sap.com/saphelp_nwce711/helpdata/en/48/a8a834da282883e10000000a42189c/frameset.htm
  itself contains ample info.Please go through the UME instructions.
  Regards
  Chen