IBM Security Verify


ISVA - Federated Active Directory Password Reset Not enforcing AD Password History requirement


    Posted Tue October 31, 2023 07:48 AM

    We are implementing the Password Reset AAC workflow against Federated Active Directory. We are using the out-of-the-box mapping rule. Our Active Directory has the following Password Policies enabled: Complexity, Password Length and Password History. The SCIM call is not able to enforce Password History since the bind ID is the AD Admin service account. It is able to enforce Complexity and Password Length. We attempted the SCIM User Profile "Enforce Password Policy" setting. Based on the IBM tech note, with this setting the Admin service account will set the user password to a random password, and then the user will use the random password to update the password to the one entered by the user on the Password Reset screen. We received an "INSUFF_ACCESS_RIGHTS" error:

    traceString ENTRY SCIM resp.getBody(): {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"[LDAP: error code 50 - 00000005: SecErr: DSID-031A11ED, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\u0000]","status":"500"}

    Apparently, the service account has no issue setting the password, but it seems that it failed when the user updated the password. We know this user can update its own password using pkmspasswd and the expiring password page.

    Has anyone ever implemented Password Reset using Federated Active Directory and enforced the AD Password History requirement, or run into a similar issue with AD?



    ------------------------------
    Hoy Teoh
    ------------------------------
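The SCIM error body quoted in the post wraps an Active Directory extended LDAP error, and the useful diagnostic fields (the LDAP result code, the Windows error code, the DSID and the problem name) are buried in one string. The following triage helper is an added example, not code from the post or from IBM Security Verify Access. It decodes the SCIM error envelope and the AD error string and classifies the failure so an operator can tell an access-rights rejection (the post's case: result 50, Windows error 0x5) from a password-policy rejection (result 19, Windows error 0x52D, which is what a history or complexity violation looks like) and from a failed bind (result 49, where AD carries the Windows code in the "data" field). The first sample body is the one from the post; the other two bodies and their DSIDs are constructed. The code-name tables are standard RFC 4511 result codes and Windows error codes; the category is only a hint, since it reports which identity's write was refused, not why that identity lacked the right.

```python
"""Triage helper for SCIM error bodies that wrap Active Directory LDAP errors.

Added example, not part of the original post or of IBM Security Verify Access.
It splits the SCIM error envelope from the AD extended error string so the
operator can tell an access-rights failure from a password-policy rejection
before touching the bind configuration.
"""
import json
import re

# Sample 1: the SCIM response body quoted in the post (raw string so that the
# JSON escapes \n and \u0000 survive until json.loads decodes them).
SCIM_BODY_FROM_POST = r'{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"[LDAP: error code 50 - 00000005: SecErr: DSID-031A11ED, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\u0000]","status":"500"}'

# Sample 2: constructed body (the DSID is made up) in the shape AD returns when
# a password change is rejected by domain policy (length, complexity, history).
SCIM_BODY_POLICY_REJECT = r'{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"[LDAP: error code 19 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000]","status":"500"}'

# Sample 3: constructed body (the DSID is made up) in the shape AD returns when
# the bind itself fails; the Windows code is in the "data" field here.
SCIM_BODY_BIND_FAIL = r'{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v4563\n\u0000]","status":"500"}'

# Standard LDAP result codes (RFC 4511) that matter for password operations.
LDAP_RESULT = {19: "constraintViolation", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}

# Windows error codes AD embeds in the extended error string.
WIN_ERROR = {0x5: "ERROR_ACCESS_DENIED", 0x52D: "ERROR_PASSWORD_RESTRICTION",
             0x52E: "ERROR_LOGON_FAILURE", 0x532: "ERROR_PASSWORD_EXPIRED",
             0x533: "ERROR_ACCOUNT_DISABLED", 0x773: "ERROR_PASSWORD_MUST_CHANGE",
             0x775: "ERROR_ACCOUNT_LOCKED_OUT"}

# For failed binds (result 49) the leading hex is the SSPI code 0x80090308 and
# the meaningful Windows code is carried in the "data" field instead.
SSPI_INVALID_TOKEN = 0x80090308


def parse_ad_error(detail):
    """Pull the structured fields out of AD's '[LDAP: error code N - XXXXXXXX: ...]' text."""
    fields = {}
    m = re.search(r"error code (\d+) - ([0-9A-Fa-f]{8}):", detail)
    if not m:
        raise ValueError("not an AD extended LDAP error: %r" % detail)
    fields["ldap_code"] = int(m.group(1))
    leading = int(m.group(2), 16)
    m = re.search(r"DSID-([0-9A-Fa-f]+)", detail)
    fields["dsid"] = m.group(1) if m else None
    m = re.search(r"problem (\d+) \((\w+)\)", detail)
    fields["problem"] = int(m.group(1)) if m else None
    fields["problem_name"] = m.group(2) if m else None
    m = re.search(r"data ([0-9A-Fa-f]+)", detail)
    data = int(m.group(1), 16) if m else 0
    fields["win_error"] = data if leading == SSPI_INVALID_TOKEN else leading
    return fields


def classify(fields):
    """Map the parsed fields to the question an operator actually has."""
    code, win = fields["ldap_code"], fields["win_error"]
    if code == 50 or win == 0x5:
        return "access_rights"      # the identity that performed the write lacks permission
    if code == 19 and win == 0x52D:
        return "password_policy"    # domain rejected the new password (length/complexity/history)
    if code == 49:
        return "bind_failure"       # credentials or account state of the bind identity
    return "other"


def triage(scim_body):
    """Decode a SCIM error envelope and return the parsed AD error plus a category."""
    env = json.loads(scim_body)
    if "urn:ietf:params:scim:api:messages:2.0:Error" not in env.get("schemas", []):
        raise ValueError("not a SCIM error response")
    fields = parse_ad_error(env["detail"])
    fields["status"] = int(env["status"])
    fields["ldap_name"] = LDAP_RESULT.get(fields["ldap_code"], "unknown")
    fields["win_name"] = WIN_ERROR.get(fields["win_error"], "unknown")
    fields["category"] = classify(fields)
    return fields


if __name__ == "__main__":
    for body in (SCIM_BODY_FROM_POST, SCIM_BODY_POLICY_REJECT, SCIM_BODY_BIND_FAIL):
        t = triage(body)
        print("%-16s ldap=%d (%s) win=0x%X (%s) dsid=%s" % (
            t["category"], t["ldap_code"], t["ldap_name"],
            t["win_error"], t["win_name"], t["dsid"]))
```

Run against the post's body, the helper reports `access_rights` with Windows error 0x5 (ERROR_ACCESS_DENIED) and problem 4003, which is consistent with the write having been attempted under an identity that is not permitted to change that attribute. A genuine history or complexity rejection would instead surface as the `password_policy` shape (result 19, 0x52D), so seeing the first shape rather than the second is the check that tells you the policy was never evaluated at all.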