
Active Directory Change Password Not Working

BrandonLucas_BF
Regular Contributor III

Hi -

Trying to get change password functionality working for existing Active Directory accounts. I have configured RESETANDCHANGEPASSWRDJSON as follows:

{
  "RESET": {
    "pwdLastSet": "-1",
    "lockoutTime": 0,
    "title": "password reset",
    "pwdReset": "true",
    "UnicodePwd": "${account_password}"
  },
  "CHANGE": {
    "pwdLastSet": "-1",
    "lockoutTime": 0,
    "title": "password changed",
    "pwdReset": "true",
    "UnicodePwd": "${account_password}"
  }
}

I'm able to generate the task and it "completes" successfully. I am able to confirm via email that Saviynt is generating a password, but the account password in AD is never updated. There is no error in provisioning. Here is an excerpt of the logs, and I did notice something strange. It mentions on the task that the endpoint has rotateKey disabled, hence skipping rotate password. However, that is referring to a CPAM config. This function is not CPAM related at all; this is just a regular user account in AD. Any ideas? See log below:

082 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - taskList: [com.saviynt.ecm.task.ArsTasks : 230792]
086 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - task: ACCOUNTNAMEREMOVED
087 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - in if
090 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - objct found =  null
171 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - inserted 1 record in P_History table
175 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - accounts total records get - 3 and totalLastPassword = 2
175 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - deleting entries more than the lastpassword value
175 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - deleting phistory entry with id - 57
179 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService  - exit executeP_History
187 [quartzScheduler_Worker-5] DEBUG services.ArsTaskHelperService  - Validating tasks for Securitysystem - Active_Directory_Test
188 [quartzScheduler_Worker-5] DEBUG services.ArsTaskHelperService  - accountName = ACCOUNTNAMEREMOVED
199 [quartzScheduler_Worker-5] DEBUG pam.PamService  - inside convertJsonStringToMap
199 [quartzScheduler_Worker-5] DEBUG pam.PamService  - rotateKey - false
202 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Inside updateProvisioningTries..
208 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Enter completePasswordTasks
214 [quartzScheduler_Worker-5] DEBUG pam.PamService  - inside convertJsonStringToMap
214 [quartzScheduler_Worker-5] DEBUG pam.PamService  - rotateKey - false
223 [quartzScheduler_Worker-5] DEBUG pam.PamService  - inside convertJsonStringToMap
223 [quartzScheduler_Worker-5] DEBUG pam.PamService  - Error while converting JsonStringToMap
223 [quartzScheduler_Worker-5] DEBUG pam.PamService  - Account PAM Type : null
224 [quartzScheduler_Worker-5] DEBUG services.ExternalConnectionService  -  credentialChangeConfig NOT found in connection : Active_Directory_Test
227 [quartzScheduler_Worker-5] DEBUG pam.PamService  - hasPAMEndpointAssociation - false
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Going to complete Task
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Completing task 230792
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - updateDate 2023-04-14 03:46:47.0
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Endpoint Active_Directory_Test has rotateKey disabled hence skipping rotate password.
238 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - updateDate after updation of task Fri Apr 14 03:47:39 UTC 2023
238 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Exit completePasswordTasks
240 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Config for ARSTASKCOMPNEWPWDcom.saviynt.ecm.utility.domain.EcmConfig : ARSTASKCOMPNEWPWD
241 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Task Complete Email Template For New Account Password = null
241 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - start converting accTasksMap to endpointaccTasksMap
243 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - finished converting accTasksMap to endpointaccTasksMap
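The log above shows the pattern worth checking for mechanically: the task is marked complete, but the worker also logs "credentialChangeConfig NOT found" and "rotateKey disabled hence skipping rotate password" on the way there, and nothing in the excerpt shows an LDAP write. The following script is an added example for this thread, not Saviynt code. It parses the DEBUG lines quoted in the post for the task id, its completion timestamp and those skip markers, then compares the completion time with the account's pwdLastSet as read from AD (a FILETIME value; obtaining it, e.g. with Get-ADUser -Properties pwdLastSet, is outside the script). The sample log is the post's own lines, the two pwdLastSet values and the 15-minute skew window are constructed assumptions.

```python
"""Triage a Saviynt password-task log excerpt against the AD account's
pwdLastSet.  Added example for this thread, not Saviynt code: the regexes
are fitted to the DEBUG lines quoted in the post, and the skew window and
sample pwdLastSet values are assumptions."""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Lines that show the password task was closed without a password write
# (both appear verbatim in the quoted log).
SKIP_MARKERS = (
    "credentialChangeConfig NOT found",
    "skipping rotate password",
)
TASK_RE = re.compile(r"Completing task (\d+)")
COMPLETED_RE = re.compile(r"updateDate after updation of task (.+?)\s*$")
# A password written by the task should land in AD shortly before the task
# is marked complete; allow for clock skew between Saviynt and the DC (assumed).
SKEW = timedelta(minutes=15)

# Constructed sample: the relevant lines from the log quoted in the question.
SAMPLE_LOG = """\
224 [quartzScheduler_Worker-5] DEBUG services.ExternalConnectionService  -  credentialChangeConfig NOT found in connection : Active_Directory_Test
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Completing task 230792
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - updateDate 2023-04-14 03:46:47.0
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - Endpoint Active_Directory_Test has rotateKey disabled hence skipping rotate password.
238 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService  - updateDate after updation of task Fri Apr 14 03:47:39 UTC 2023
"""


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet and lockoutTime are 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build sample values."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 * 1_000_000 + delta.seconds * 1_000_000 + delta.microseconds) * 10


def parse_password_task(log_text: str) -> dict:
    """Pull task id, completion time and skip markers out of one task's lines."""
    task_id = None
    completed_at = None
    skip_reasons = []
    for line in log_text.splitlines():
        if m := TASK_RE.search(line):
            task_id = m.group(1)
        elif m := COMPLETED_RE.search(line):
            # e.g. "Fri Apr 14 03:47:39 UTC 2023"; the excerpt is in UTC
            completed_at = datetime.strptime(
                m.group(1), "%a %b %d %H:%M:%S %Z %Y").replace(tzinfo=timezone.utc)
        for marker in SKIP_MARKERS:
            if marker in line:
                skip_reasons.append(marker)
    return {"task_id": task_id, "completed_at": completed_at, "skip_reasons": skip_reasons}


def triage(log_text: str, pwd_last_set: int) -> dict:
    """Decide whether a task that Saviynt closed as complete changed the AD password."""
    result = parse_password_task(log_text)
    # pwdLastSet == 0 means "must change password at next logon": nothing to compare
    ad_time = filetime_to_datetime(pwd_last_set) if pwd_last_set > 0 else None
    result["ad_pwd_last_set"] = ad_time
    result["password_written"] = ad_time is not None and ad_time >= result["completed_at"] - SKEW
    if result["password_written"]:
        result["verdict"] = f"task {result['task_id']} wrote the password (pwdLastSet {ad_time.isoformat()})"
    elif result["skip_reasons"]:
        result["verdict"] = (f"task {result['task_id']} closed as complete but took the PAM skip path "
                             f"({'; '.join(result['skip_reasons'])}); AD pwdLastSet not updated")
    else:
        result["verdict"] = f"task {result['task_id']} completed but pwdLastSet predates it; inspect the connector"
    return result


# Constructed pwdLastSet samples: one from weeks before the task, one from just before it completed.
STALE_PWD_LAST_SET = datetime_to_filetime(datetime(2023, 3, 1, tzinfo=timezone.utc))
FRESH_PWD_LAST_SET = datetime_to_filetime(datetime(2023, 4, 14, 3, 47, 20, tzinfo=timezone.utc))

if __name__ == "__main__":
    for sample in (STALE_PWD_LAST_SET, FRESH_PWD_LAST_SET):
        print(triage(SAMPLE_LOG, sample)["verdict"])
```

Run it against the real account's pwdLastSet after a task completes; a "complete" task with the skip markers present and an unchanged pwdLastSet is exactly the silent failure described in this post, and the verdict string is what to attach to a support ticket.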

Rishi
Saviynt Employee

@BrandonLucas_BF we are analyzing this question and will provide response shortly

BrandonLucas_BF
Regular Contributor III

Hi, providing an update. I did further testing and discovered that there is in fact some kind of connection to CPAM functionality.

I discovered on the endpoint in question (AD) that under PAM Attributes, PAM Enabled was set to OFF. However, there was a configuration value in place that included "rotateKey":"false".

I changed the PAM Attributes configuration field to the following:

{
  "maxSessionWarnPeriodInSec": null,
  "maxReqExpWarnPeriodInSec": null,
  "maxSessionLimitInSec": null,
  "maxConcurrentSession": "50",
  "maxInActiveTimeInSec": null,
  "maxInActiveWarnPeriodInSec": null
}

I also made the endpoint PAM Enabled. This allowed the testing to progress further, but revealed I had some issues with the RESETANDCHANGEPASSWRDJSON. I adjusted that to the following:

{
  "RESET": {
    "pwdLastSet": "-1",
    "title": "password reset",
    "userPassword": "${randomPassword}"
  },
  "CHANGE": {
    "pwdLastSet": "-1",
    "title": "password changed",
    "userPassword": "${randomPassword}"
  }
}

Now password reset is working. I will wait to hear back from your analysis before marking this as the resolution. It seems that maybe the PAM attribute configuration is overriding the JSON if the config is not blank. In our case, we will be testing PAM on this endpoint anyway, so I went ahead and turned it on.