09/12/2024 06:33 AM
Hi,
I have an Active Directory endpoint configured in Saviynt.
I am looking to change the password of an account in Active Directory during a user update rule.
I have an application password policy configured in Saviynt, which meets my AD requirements. I have this policy configured in the security system 'Policy Rule'.
I also have a configured 'RESETANDCHANGEPASSWRDJSON' on the connection.
The User update rule logic is correct and creates a Change Password task as expected. But this task is what is failing. This is intermittent and sometimes will work, sometimes will fail. I cannot locate the issue.
Password Policy:
RESETANDCHANGEPASSWRDJSON (I have tried many variations, all with the same result):
{
"RESET": {
"pwdLastSet": "-1"
},
"CHANGE": {
"pwdLastSet": "-1"
}
}
The error code:
Error while change password operation for account-REDACTED in AD - [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12E8, problem 5003 (WILL_NOT_PERFORM), data 0 ]
Other things to note:
This connection is operating over port 636.
I have tried various password policy changes, making it extremely complex, yet the same issues occur.
This is intermittent; sometimes the password change occurs, but mostly it seems to fail. It's random?
I have tried various different RESETANDCHANGEPASSWRDJSON values, with the same result.
If I change the password via 'Change Password' -> 'Reset Account Password For Others', select the endpoint and manually type a password (remember, the Saviynt password policy I configured still applies here), then the password change works flawlessly. It creates the task and the password changes, as expected.
Why is this occurring and does anyone know what the issue is?
Many thanks,
09/12/2024 09:11 AM
Password Policy Mismatch: Ensure that the password policy configured in Saviynt matches exactly with the Active Directory password policy. The RESETANDCHANGEPASSWRDJSON payload you’ve provided (pwdLastSet: "-1") should reset the password, but if there are mismatches between Saviynt and AD policies, it can lead to issues.
Password Complexity Requirements: Even though you have configured a password policy in Saviynt, the complexity requirements must be adhered to as per AD’s policy. If the generated password does not meet AD’s complexity requirements, the operation will fail.
Port and Encryption Issues: Operating over port 636 indicates you're using LDAPS (LDAP over SSL). Ensure that the SSL/TLS certificates are valid and properly configured. Any issues with SSL/TLS could intermittently affect operations.
AD Replication Delays: Sometimes, AD replication issues between domain controllers can cause intermittent failures. Ensure that all domain controllers are in sync and that there are no replication delays or issues.
Service Account Permissions: Verify that the service account used by Saviynt has sufficient permissions to reset and change passwords for the user accounts. Lack of permissions or intermittent network issues can cause random failures.
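The complexity point above is the one that fits an intermittent failure best: a generated password that passes Saviynt's policy can still be rejected by AD's "Password must meet complexity requirements" rule (the 0000052D in the error is ERROR_PASSWORD_RESTRICTION), for example because it contains the samAccountName or a token of the displayName. The checker below is an added example, not Saviynt or Microsoft code; it implements the rule as Microsoft documents it (length, three of five character categories, no samAccountName, no displayName token of three or more characters) and assumes a domain minimum length of 7. It does not model minimum password age or password history, which are separate AD checks that also return this error.

```python
import re

# Delimiters AD uses to split displayName into tokens for the complexity check
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]")


def _category_count(password: str) -> int:
    """Count how many of AD's five character categories the password uses."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any("0" <= c <= "9" for c in password)
    special = any(not c.isalnum() for c in password)
    # Unicode letters that are neither upper nor lower case (e.g. CJK)
    other = any(c.isalpha() and not c.isupper() and not c.islower() for c in password)
    return sum([upper, lower, digit, special, other])


def check_ad_complexity(password: str, sam_account_name: str,
                        display_name: str = "", min_length: int = 7) -> list:
    """Return the list of AD complexity violations for a candidate password.

    An empty list means AD's default complexity rule would accept it.
    min_length is assumed to be the domain policy value (Windows default: 7).
    """
    violations = []
    lowered = password.lower()
    if len(password) < min_length:
        violations.append(f"shorter than minimum length {min_length}")
    if _category_count(password) < 3:
        violations.append("fewer than 3 of 5 character categories")
    # samAccountName is checked whole, and only if it is 3+ characters long
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        violations.append("contains samAccountName")
    # each displayName token of 3+ characters must not appear in the password
    for token in _NAME_DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            violations.append(f"contains display-name token '{token}'")
    return violations


def audit_generated(passwords, sam_account_name, display_name=""):
    """Map each generated password to its violations, to spot which of a
    batch AD would reject even though the IGA policy accepted them."""
    return {p: check_ad_complexity(p, sam_account_name, display_name)
            for p in passwords}


if __name__ == "__main__":
    # constructed sample batch for a hypothetical user jsmith / John Smith
    batch = ["Tr0ub4dor&3", "jsmith1234!", "password123", "Ab1!"]
    for pw, problems in audit_generated(batch, "jsmith", "John Smith").items():
        print(f"{pw!r}: {'ok' if not problems else '; '.join(problems)}")
```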
09/12/2024 09:18 AM
Hi, thanks for the reply.
In response:
Password Policy Mismatch: The policy should match closely. If anything, the Saviynt-configured policy is stricter. I note your point regarding (pwdLastSet: "-1"). There seem to be some differences on the forums regarding this value, either -1 or 0. Both have the same behaviour, it seems.
Password Complexity Requirements: The policy should match closely. If anything, the Saviynt-configured policy is stricter.
Port and Encryption Issues: The connection etc. is valid and there are no known issues here.
AD Replication Delays: Understandable; however, no other issues relating to Saviynt and AD have been observed, hence manual password changes from Saviynt also work as expected.
Service Account Permissions: Permissions are correct, hence manual password changes from Saviynt also work as expected.
09/12/2024 09:23 AM
Review and align the password policies between Saviynt and AD. Ensure that both systems have compatible rules for password complexity, length, expiration, etc. Document the discrepancies and adjust policies where feasible to achieve consistency.