Set user password auto expired in ACS Server

Hi,
Does ACS have a function I can configure in the ACS Server so that users' passwords expire after a period of time (e.g. 90 days)?
Thanks and regards
Ernest

Remember:
RADIUS with expiry only supports password change when the database that ACS authenticates your users against is Active Directory (which would not use the password expiry options configurable in ACS but, rather, Windows password expiry).
Password expiry with TACACS will only work if the user is a part of the local database on the ACS server.
To configure the password expiry, please follow these steps:
- On the ACS server, system configurations > Local Password Management > uncheck the check box "Disable Telnet Change Password against the ACS".
Regards,
~JG
Do rate helpful posts

Similar Messages

  • User Password Not Replicated during ACS Replication

    I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate user and group database to another ACS. Replication interval time is set to 15 mins.
    The problem is that even though the replication cycle runs every 15 mins, if no user is added or deleted, the pre-checks determine that outbound replication is not required and the cycle is completed. Hence, if a user's password changes, it is not replicated to the other ACS, and if the authentication request goes to the other ACS then it fails. Manual replication is fine.
    How to make sure replication is run even in case of user password change and not just when a user is added or removed.

    Hi,
    What is the ACS version? Where are the user accounts you are referring to stored? i.e. are they local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?
    Users defined via Active Directory are dynamically mapped to a user account in ACS and this account information is typically not replicated since the users created are dynamic and can change properties based on configuration/changes in Active Directory itself.
    Regards,
    Jagdeep

  • Scheduled Report Fails To Run If User Password Has Expired

    Why can't a report, that has been scheduled for a user whose password has expired, continue to run and go to its predefined destinations?
    A user doesn't know until he/she attempts to log in that there is a password expiration issue.  They may have scheduled the report to go to a  multitude of inboxes, but if their password has expired, the report doesn't run.
    I can understand "some" issues with the necessity to stop the report until credentials are updated correctly.  However, Business Objects doesn't notify a user until it has expired, thus making it too late for those expecting something in their inbox.
    Is there any method of notifying users that their password is going to be expiring soon, in advance?  In other words, is there any "proactive" feature within Business Objects for notifying the user of an upcoming need to change their password?
    HepMe

    There is nothing built in to BusinessObjects for this, but there may be third-party tools available or you can write code that would do this.
    In Query Builder, run this query:
    Select SI_ID, SI_Name, SI_LAST_PASSWORD_CHANGE_TIME, SI_UPDATE_TS, SI_LASTLOGONTIME
    from CI_SYSTEMOBJECTS where SI_Kind = 'User' and SI_NAME != 'Administrator' and SI_NAME != 'Guest' and SI_PASSWORDEXPIRE = 1
    order by SI_LAST_PASSWORD_CHANGE_TIME desc, SI_UPDATE_TS desc
    Users who are new and haven't yet changed their password will not have a value for SI_LAST_PASSWORD_CHANGE_TIME, so you can use SI_UPDATE_TS to determine when they were created.
    You could build an application that uses this query to determine who is getting close to password expiration and send out an email reminding those users to change their passwords.
    -Dell
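
The reminder application suggested in the answer above, as an added example (not code from the thread or from BusinessObjects): it takes rows shaped like the Query Builder result and flags users whose password has expired or is close to expiring. The 90-day policy, the 14-day warning window, the timestamp format, the mail domain and the sample rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from email.message import EmailMessage

# Assumptions, not from the page: policy length, warning window,
# timestamp format of the exported rows, and the mail domain.
MAX_AGE_DAYS, WARN_DAYS = 90, 14
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
MAIL_DOMAIN = "example.com"

# Constructed sample rows with columns selected by the query in the post.
SAMPLE_ROWS = [
    {"SI_NAME": "asmith", "SI_LAST_PASSWORD_CHANGE_TIME": "2024-01-05 09:00:00",
     "SI_UPDATE_TS": "2024-02-01 10:00:00"},
    # New user who has never changed the password: only SI_UPDATE_TS is set.
    {"SI_NAME": "bjones", "SI_LAST_PASSWORD_CHANGE_TIME": None,
     "SI_UPDATE_TS": "2023-12-20 12:00:00"},
    {"SI_NAME": "clee", "SI_LAST_PASSWORD_CHANGE_TIME": "2024-03-15 08:30:00",
     "SI_UPDATE_TS": "2024-03-15 08:30:00"},
    # Row with no usable timestamp at all.
    {"SI_NAME": "dkhan", "SI_LAST_PASSWORD_CHANGE_TIME": "", "SI_UPDATE_TS": ""},
]


def password_start(row):
    """Return when the current password's lifetime began, or None."""
    # Prefer the last password change; fall back to SI_UPDATE_TS for users
    # who have not changed their password yet, as the post suggests.
    for column in ("SI_LAST_PASSWORD_CHANGE_TIME", "SI_UPDATE_TS"):
        value = row.get(column)
        if value:
            return datetime.strptime(value, TS_FORMAT)
    return None


def classify(rows, now, max_age_days=MAX_AGE_DAYS, warn_days=WARN_DAYS):
    """Return (name, days_left, status) tuples, most urgent first."""
    results = []
    for row in rows:
        start = password_start(row)
        if start is None:
            results.append((row["SI_NAME"], None, "unknown"))
            continue
        days_left = (start + timedelta(days=max_age_days) - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append((row["SI_NAME"], days_left, status))
    # Rows without a usable timestamp sort first so they get reviewed.
    return sorted(results, key=lambda r: (r[1] is not None, r[1] or 0))


def build_reminders(rows, now):
    """Build (but do not send) one message per expired or expiring user."""
    messages = []
    for name, days_left, status in classify(rows, now):
        if status not in ("expired", "expiring"):
            continue
        msg = EmailMessage()
        msg["To"] = f"{name}@{MAIL_DOMAIN}"
        msg["Subject"] = "Password change required"
        if status == "expired":
            msg.set_content("Your password has expired. Change it so scheduled reports can run.")
        else:
            msg.set_content(f"Your password expires in {days_left} day(s). Please change it.")
        messages.append(msg)
    return messages


if __name__ == "__main__":
    for name, days_left, status in classify(SAMPLE_ROWS, datetime(2024, 3, 30)):
        print(name, days_left, status)
```

Run on a schedule with the real query output, the messages would go out before the expiry date rather than after a scheduled report has already failed.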

  • Changing user password in the external LDAP server from weblogic

    Hi !
    We have been successful in configuring the ldap security realm from weblogic 7.0.
    We have also done the user authentication.
    Now we want to allow the user himself to change his password from the application. Can the user password which is stored in an iPlanet directory server be changed from the application? If yes, then is there any extra configuration that needs to be done?

    I am not sure whether you got an answer for this.
    But iPlanet provides a web link for end users to change their LDAP password. You can just give this link in your app, and iPlanet will take care of the rest.
    Krish Venkataraman
    Bank Of America Corp.
    Senior Analyst

  • How to set required number of days for the user passwords to expire

    How do I set the duration when users are required to change their passwords?  This is an internal control measure to ensure control over users' logins.
    Thanks a lot.

    You can also set the lifetime of a single password dependent on its "idle" status:
    - Initial password at user creation. (e.g. 5 days)
    - Reset password by admin. (e.g. 1 day)
    - Productive password not used (e.g 91 days)
    .. and the minimum validity of the password, regardless of how often it is used (not idle).
    - Productive password expiration time. (e.g. 90 days)
    You can also manually observe what is going on via report/transaction RSUSR200.
    If you take a look at the documentation on the parameters in the link already provided, you will see the logic and the dependencies between them. The selection fields of RSUSR200 reflect the same.
    How you rate the risk of passwords and these settings also depends on many other things - most notably how disciplined admins are at using the password wizard (in my opinion).
    Cheers,
    Julius

  • How to set password never expires for a user?

    Hello,
    I can't seem to find in the Administrative Console a place to enable "Password never expires".
    I know that if I edit the USR_PWD_NEVER_EXPIRES field in the OIM DB and put the value '1' it will work.
    However, I'd like to know how and if it is possible to activate this option on a user via OIM.
    Thanks in advance,
    Tomic

    Hi,
    Now I got it. Try this one.
    In FormMetaData.xml you will find.
    <Attribute name="-13" variantType="String" dataLength="1" map="Users.Password Never Expires" />
    Modify it to.
    <Attribute name="-13" variantType="String" dataLength="1" displayComponentType="CheckBox" map="Users.Password Never Expires" />
    Add this in.
    <Form name="3">
    <AttributeReference editable="true" optional="true">-13</AttributeReference>
    I never need this but I hope above will work.
    About disabling the resource, I have a few suggestions for you.
    1. You can have your password policy consistent across the resources you are integrating in OIM.
    2. Write an entity adapter so that whenever the password is expired, it can disable all provisioned users.
    3. Alternatively, you can also write a scheduled task which will check for the password expiry date and disable the resource.
    4. You will also need to enable the resources when the password is changed. You can catch the change password event through an event handler or entity adapter.
    Please let me know if you have follow-up questions.
    Regards
    Nitesh

  • Communications user password expires

    Hi,
    The password of our communications user (ZCONTRANS) always expires/is deactivated.
    How can I set the password of this particular user not to expire?
    We could not change the login/password_expiration_time parameter because we need dialog users' passwords to expire every 90 days (for audit requirement).
    thanks,
    kbas

    HI,
    use the usertype 'SYSTEM' instead of usertype 'Communication'. Passwords of 'System'-users do not expire. (the usertype can be set in SU01->tab 'logondata')
    b.rgds, Bernhard

  • Expired user password - oracle 11g

    hello,
    how can I turn off stupid user password expiration ?
    I have used this sql:
    ALTER PROFILE DEFAULT LIMIT
    FAILED_LOGIN_ATTEMPTS UNLIMITED
    PASSWORD_LIFE_TIME UNLIMITED;
    How can I check if user password will not expire ?
    How can I check if stupid default password expire option is turned off ?
    How can I check when user password will expire ?
    How can I disable password expiration for specified user ?
    p.s. sorry for word "STUPID", in my opinion this option generates more problems (big and huge) than benefits. Hopefully the server is still keeping authentication sessions
    Edited by: Dlugasx on Sep 14, 2009 11:40 PM

    Hi,
    How can I check if user password will not expire ?
    -- PASSWORD_LIFE_TIME is the profile limit that controls password expiry
    select LIMIT from dba_profiles where RESOURCE_NAME = 'PASSWORD_LIFE_TIME'
         and PROFILE = (select profile from dba_users where username = 'SCOTT');
    Replace scott with user you are interested in , if it is unlimited or no rows selected it means it won't expire.
    How can I check if stupid default password expire option is turned off ?
    same as above
    How can I check when user password will expire ?
    same as above
    How can I disable password expiration for specified user ?
    select profile from dba_users where username = 'User you are interested in';
    ALTER PROFILE <name of the profile from above query> LIMIT
    FAILED_LOGIN_ATTEMPTS UNLIMITED
    PASSWORD_LIFE_TIME UNLIMITED;
    Regards
    Anurag Tibrewal

  • SLD Disconnection due to User Password Expiration

    Hi,
    Our Portal runs with NW04 SP17 and we've implemented security parameters so users' passwords will expire after 30 days.
    As we're developing many Webdynpro applications that connect to backend R/3 Systems, we're using SLD JCo connections.
    But once a month our applications stop working as the SLD connection user's password expires.
    This is a very big problem for us. We don't want to change users' passwords every month and make our application users unhappy.
    Any idea? Or solution proposal?
    regards

    Hi, huseyin,
    We've met this problem now. Can you tell me how to solve this problem by the "technical user" type in UME?
    Thank you!
    Best regards,
    delma

  • Need Help, setup OBIEE 11g user password expiration

    Hi,
    Does anyone know how to set up OBIEE user password expiration?
    Requirement: create a demo user in OBIEE, and the demo user's password should expire weekly.
    Thanks,
    allan

    Hello Allan,
    In version 10 we can do that; I am not sure we can do it in version 11. Please wait for other gurus' responses.
    Thanks,
    Sasi Nagireddy..

  • Export User-Database between ACS-Server

    Hi everyone ,
    an ACS 2.3 is running under Unix with 3000 users. The job is to migrate the user database to a new ACS server under Windows.
    On the Unix version 2.3 there is no way to export the database to an external file.
    The only way, I hope, is to mirror the old and the new server as redundant servers, and if the database is mirrored on both servers, then the database is ready for export.
    Is this correct?
    Is there another way?
    Thanks for your input.
    Ralf

    The migration should go to version 3.1 or 3.2 .
    Ralf

  • Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

    Hello,
    I am trying to use the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0
    but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0
    If anyone can help me figure out why it doesn't work, that would be great!
    P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
    Here's my java code:
    import javax.naming.*;
    import javax.security.auth.*;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import java.security.PrivilegedAction;
    import java.io.UnsupportedEncodingException;

    public void changeSecret(String uid, String oldPassword, String newPassword)
         throws NamingException, ACException {
         LoginContext lc = null;
         try {
              K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
              lc = new LoginContext("marker", cb);
              lc.login();
              // rz is not defined in the posted fragment
              Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
         } catch (LoginException e) {
              // handler body not shown in the post
         }
         try {
              if (lc != null) {
                   lc.logout();
              }
         } catch (LoginException e) {
              // handler body not shown in the post
         }
    }

    ChangePasswordAction.java is:

    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.security.PrivilegedAction;
    import java.io.UnsupportedEncodingException;

    private class ChangePasswordAction implements PrivilegedAction {
         private String uid;
         private String quotedOldPassword;
         private String quotedNewPassword;

         public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
              this.uid = uid;
              // unicodePwd values are the password wrapped in double quotes
              quotedOldPassword = "\"" + oldPassword + "\"";
              quotedNewPassword = "\"" + newPassword + "\"";
         }

         public Object run() {
              Hashtable env = new Hashtable(11);
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
              try {
                   DirContext ctx = new InitialDirContext(env);
                   ModificationItem[] mods = new ModificationItem[2];
                   // ...and encoded as UTF-16LE bytes
                   byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                   byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                   // a user changing their own password removes the old value and adds the new one
                   mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                   mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                   ctx.modifyAttributes(uid, mods);
                   ctx.close();
              } catch (NamingException e) {
                   // handler body not shown in the post
              } catch (UnsupportedEncodingException e) {
                   // handler body not shown in the post
              }
              return null;
         }
    }

    K5CallbackHandler is:

    import javax.security.auth.callback.*;

    final class K5CallbackHandler
    implements CallbackHandler {
         private final String name;
         private final char[] passwd;

         public K5CallbackHandler(String nm, String pw) {
              name = nm;
              if (pw == null) {
                   passwd = new char[0];
              } else {
                   passwd = pw.toCharArray();
              }
         }

         public void handle(Callback[] callbacks)
         throws java.io.IOException, UnsupportedCallbackException {
              for (int i = 0; i < callbacks.length; i++) {
                   if (callbacks[i] instanceof NameCallback) {
                        NameCallback cb = (NameCallback) callbacks[i];
                        cb.setName(name);
                   } else if (callbacks[i] instanceof PasswordCallback) {
                        PasswordCallback cb = (PasswordCallback) callbacks[i];
                        cb.setPassword(passwd);
                   } else {
                        throw new UnsupportedCallbackException(callbacks[i]);
                   }
              }
         }
    }

    The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:

    marker {
         com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };

    This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
    My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
    Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
    In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably strong key length.
    Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding
         //Specify the quality of protection
         //Eg. auth-conf; confidentiality, auth-int; integrity
         //confidentiality is required to set a password
         env.put("javax.security.sasl.qop","auth-conf");
         //require high strength 128 bit crypto
         env.put("javax.security.sasl.strength","high");
    in your ChangePasswordAction class.)
    You may also want to enable SASL logging in your app to see what exactly is going on, and you may also want to check on the Java Security forum how to configure/enforce/check that either RC4-HMAC or AES is used as the Kerberos cipher suite and that a strong key length is being used.
    Good luck.

  • Which permissions required to reset users' password

    Hi,
    I am trying to find out which 'group permissions' are required in order to reset password of any user in OIM. (by a user that is not xelsysadm)
    I gave 'Update' right on 'Users' object but it didn't help. The following exception occurs ;
    ERROR,03 Jun 2009 16:43:48,153,[XELLERATE.SERVER],Class/Method: tcDataObj/eventPreUpdate Error :Data Object Update Permission denied
    ERROR,03 Jun 2009 16:43:48,160,[XELLERATE.APIS],Class/Method: tcPasswordOperationsBean/setXelleratePassword encounter some problems: Error occurred while setting user password.
    ERROR,03 Jun 2009 16:43:48,161,[XELLERATE.APIS],Class/Method: tcPasswordOperationsBean/setXelleratePassword encounter some problems: Error occurred while setting Xellerate Password
    ERROR,03 Jun 2009 16:43:48,161,[XELLERATE.APIS],Class/Method: tcPasswordOperationsBean/setXelleratePassword encounter some problems: Error occurred while setting user password.
    Thor.API.Exceptions.tcAPIException: Error occurred while setting user password.
         at com.thortech.xl.ejb.beansimpl.tcPasswordOperationsBean.setXelleratePassword(Unknown Source)
         at com.thortech.xl.ejb.beans.tcPasswordOperationsSession.setXelleratePassword(Unknown Source)
         at com.thortech.xl.ejb.beans.tcPasswordOperations_rq3jhy_EOImpl.setXelleratePassword(tcPasswordOperations_rq3jhy_EOImpl.java:213)
         at Thor.API.Operations.tcPasswordOperationsClient.setXelleratePassword(Unknown Source)
    Does anyone know the correct permission set ?
    Kind regards,
    Ece

    Hi,
    There is no specific permission to change the password. Change password is also an update operation. If you want to give a user update permission, then you might have to do the following.
    1. Suppose you want to modify user A, who belongs to Organization A.
    2. The user that wants to modify user A is User B, who belongs to group Group B.
    3. You need to go to Manage Organization->Search Organization A->Administrator and then you need to add Group B into it.
    4. Now all the users of Group B can create/modify all the users in Organization A.
    Regards
    Nitesh

  • How do I set a password so no-one can use my PC?

    I tried "set user password" and "set administrator password" in BIOS but they don't work like it has on my previous PCs. I want it to ask for a password before even booting up Windows but instead it only asks for it to use the BIOS.
    Is there any setting I need to change?

    No...I was thinking more on the lines of disconnecting, or just turning the monitor off! Also, you can use clear tape, and tape down the "enter" key....no boot or no video!!!!! Nobody thinks of stuff like that! I learned it from the IT dept. at the engineering company I used to work at. They were always messin' with each others computers...another thing you can do is turn down the visual settings from the monitor controls!!!! Works every time!!!!

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
    I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel (it seems to be directed to the default gateway due to the default route information), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? If yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html
