
Reset Security Questions not working, password always incorrect

AvuartePacheco
New Contributor II
Hello,
 
We are having an issue when trying to reset the security questions.
 
We have enabled that option in the Global Configurations screen and it shows in the top right menu. When we select it, we are shown step 1 of the process, which asks for the user's password, but it always displays a "Password Incorrect" error, even when the user's correct password is entered.
 
When trying to troubleshoot this issue, we have noticed that this only happens when we have the LDAP Authentication enabled. When working only with Saviynt's local database users, the reset security questions works as intended and validates the password correctly for those local users. However, we do not know how to solve it so it can also work with LDAP Authentication enabled which has never been possible. The logs only show the following 2 lines:
 
AvuartePacheco_1-1670927943666.png
 
Below are the steps to replicate this issue.
 
1) Go to the top right corner profile options and select "Reset Security Questions"
AvuartePacheco_2-1670928182883.png

2) Step 1 of the reset process requires the credentials to be entered

AvuartePacheco_3-1670928272834.png

3) When entering the correct credentials, they are always perceived as not valid

 

AvuartePacheco_6-1670928363116.png

Again, this only happens with LDAP Authentication enabled. How can we solve this issue?

6 REPLIES

Manikanta_S
Saviynt Employee

Hello @AvuartePacheco ,

If I understand this correctly, it works when local auth (Saviynt auth) is enabled and does not work when LDAP authentication is enabled?

Thanks & Kind Regards,
Manikanta.S

Exactly. If we are only using local users, it works fine. However, if we enable LDAP authentication by changing the AuthenticationConfig.groovy file, the reset security questions stops working with the behaviour described in the first post.

rushikeshvartak
All-Star

Is the LDAP connector setup done in the configuration?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Not sure if I understood the question. We are using the Active Directory connector to import and provision accounts. We are also connecting to the same Active Directory for the LDAP Authentication configurations in the AuthenticationConfig.groovy file. Below you can find the configuration (with sensitive information redacted):

/* LDAP */
grails.plugin.springsecurity.ldap.active=true
grails.plugin.springsecurity.ldap.context.managerDn = '***'
grails.plugin.springsecurity.ldap.context.managerPassword = '***'
grails.plugin.springsecurity.ldap.context.server = 'ldaps://***.***.***.***:636' // if port 636 then ldaps
grails.plugin.springsecurity.ldap.authorities.ignorePartialResultException = true // typically needed for Active Directory
grails.plugin.springsecurity.ldap.search.base = '***'
grails.plugin.springsecurity.ldap.search.filter= "sAMAccountname={0}" // for Active Directory you need this
grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
//grails.plugin.springsecurity.ldap.search.attributesToReturn = ['mail','displayName']
//grails.plugin.springsecurity.providerNames = ['ldapAuthProvider' , 'daoAuthenticationProvider' , 'anonymousAuthenticationProvider', 'rememberMeAuthenticationProvider'] // specify this when you want to skip attempting to load from db and only use LDAP
grails.plugin.springsecurity.ldap.mapper.userDetailsClass = 'com.saviynt.ecm.identitywarehouse.domain.Users'
//grails.plugin.springsecurity.userLookup.usernamePropertyName = 'systemUserName'
grails.plugin.springsecurity.ldap.useRememberMe = false
//grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'OU=US'
//grails.plugin.springsecurity.ldap.authorities.retrieveGroupRoles = false
grails.plugin.springsecurity.ldap.authorities.retrieveDatabaseRoles = true
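
A quick review of the security-relevant settings in a configuration like the one posted above, as an added example that is not part of the thread and not Saviynt's own code: it parses the flat assignments, skipping commented-out lines and the `//` inside quoted URLs, and flags three settings. The sample text, host name and function names are constructed; the checks reflect general Spring Security LDAP behaviour and say nothing about the cause of the reset issue discussed here.

```python
import re

# Constructed sample using the key names from the post; values are placeholders.
SAMPLE = """\
grails.plugin.springsecurity.ldap.active=true
grails.plugin.springsecurity.ldap.context.managerPassword = 'REDACTED'
grails.plugin.springsecurity.ldap.context.server = 'ldaps://dc.example.test:636' // if port 636 then ldaps
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
//grails.plugin.springsecurity.providerNames = ['ldapAuthProvider', 'daoAuthenticationProvider']
"""

PREFIX = "grails.plugin.springsecurity."
ASSIGN = re.compile(r"^\s*([\w.]+)\s*=\s*(.+?)\s*$")

def strip_comment(line):
    """Drop a // comment without cutting the // inside a quoted URL."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif line.startswith("//", i):
            return line[:i]
    return line

def parse(text):
    """Return {short_key: value} for active (non-commented) assignments."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(strip_comment(line))
        if m and m.group(1).startswith(PREFIX):
            settings[m.group(1)[len(PREFIX):]] = m.group(2).strip("'\"")
    return settings

def review(settings):
    """Return findings a defender should follow up on."""
    findings = []
    if settings.get("ldap.active") == "true":
        if not settings.get("ldap.context.server", "").startswith("ldaps://"):
            findings.append("ldap.context.server is not ldaps://, so binds are sent in clear text")
        if settings.get("ldap.auth.hideUserNotFoundExceptions") == "false":
            findings.append("hideUserNotFoundExceptions=false: unknown user and bad password raise different errors")
    if settings.get("ldap.context.managerPassword"):
        findings.append("managerPassword is stored in the file: restrict who can read it")
    return findings

if __name__ == "__main__": print("\n".join(review(parse(SAMPLE))))
```
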

Hello @AvuartePacheco ,

I am not sure about v5.5 SP 5.X, but from v2020 onwards we have an option to set step-up authentication to reset the questions from the global configuration. So, you could explore other methods.

Manikanta_S_4-1671003816467.png

Thanks & Kind Regards,
Manikanta.S

Please share additional logs 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.