default behaviour if LOCALAUTHENABLED is not set

Regular Contributor

Can you please confirm what the default behaviour is if LOCALAUTHENABLED is not set?

We recently faced issues with our production environment where some users were not able to log in. (This issue was later found to be due to one of the UI servers' browser cache reaching its max.) But one user, whose LOCALAUTHENABLED was null, was able to see the user credential login page, reset the password, and log in using the new password.

And while resetting, the user was only asked for a new password and a confirm password.

The user got to the URL https://<base url>/ECM/maintenance/passwordReset

I think this is a security risk.

What could have been the issue? Is this the default behaviour if LOCALAUTHENABLED is null?

Thanks & Regards,
Haardik Verma

Saviynt Employee

LOCALAUTHENABLED is only used to allow users to log in locally to the EIC/SSM Portal login page using the local password.

Please raise a separate support ticket for LOCALAUTHENABLED as NULL causing the security issue and asking only for the new password and confirm password.