Reset Security Questions not working, password always incorrect

New Contributor II
We are having an issue when trying to reset the security questions.
We have enabled that option in the Global Configurations screen and it shows in the top right menu. When we select it, we are shown step 1 of the process, which asks for the user's password, but it always displays a "Password Incorrect" error, even when the user's correct password is inputted.
When trying to troubleshoot this issue, we have noticed that this only happens when we have the LDAP Authentication enabled. When working only with Saviynt's local database users, the reset security questions works as intended and validates the password correctly for those local users. However, we do not know how to solve it so it can also work with LDAP Authentication enabled which has never been possible. The logs only show the following 2 lines:
Below are the steps to replicate this issue.
1) Go to the top right corner profile options and select "Reset Security Questions"

2) Step 1 of the reset process requires the credentials to be entered


3) When entering the correct credentials, they are always perceived as not valid



Again, this only happens with LDAP Authentication enabled. How can we solve this issue?


Saviynt Employee

Hello @AvuartePacheco ,

If I understand this correctly, it works when local auth (Saviynt auth) is enabled and does not work when LDAP authentication is enabled?

Thanks & Kind Regards,

Exactly. If we are only using local users, it works fine. However, if we enable LDAP authentication by changing the AuthenticationConfig.groovy file, the reset security questions stops working with the behaviour described in the first post.


Is the LDAP connector setup done in the configuration?

Not sure if I understood the question. We are using the Active Directory connector to import and provision accounts. We are also connecting to the same Active Directory for the LDAP Authentication configurations in the AuthenticationConfig.groovy file. Below you can find the configuration (with sensitive information redacted):

/* LDAP */
grails.plugin.springsecurity.ldap.context.managerDn = '***'
grails.plugin.springsecurity.ldap.context.managerPassword = '***'
grails.plugin.springsecurity.ldap.context.server = 'ldaps://***.***.***.***:636' // if port 636 then ldaps
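grails.plugin.springsecurity.ldap.authorities.ignorePartialResultException = true // typically needed for Active Directory
grails.plugin.springsecurity.ldap.search.base = '***'
grails.plugin.springsecurity.ldap.search.filter = "sAMAccountname={0}" // for Active Directory you need this
grails.plugin.springsecurity.ldap.search.searchSubtree = true
grails.plugin.springsecurity.ldap.auth.hideUserNotFoundExceptions = false
//grails.plugin.springsecurity.ldap.search.attributesToReturn = ['mail','displayName']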
//grails.plugin.springsecurity.providerNames = ['ldapAuthProvider' , 'daoAuthenticationProvider' , 'anonymousAuthenticationProvider', 'rememberMeAuthenticationProvider'] // specify this when you want to skip attempting to load from db and only use LDAP
grails.plugin.springsecurity.ldap.mapper.userDetailsClass = 'com.saviynt.ecm.identitywarehouse.domain.Users'
//grails.plugin.springsecurity.userLookup.usernamePropertyName = 'systemUserName'
grails.plugin.springsecurity.ldap.useRememberMe = false
//grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'OU=US'
//grails.plugin.springsecurity.ldap.authorities.retrieveGroupRoles = false
grails.plugin.springsecurity.ldap.authorities.retrieveDatabaseRoles = true

Hello @AvuartePacheco ,

I am not sure about v5.5 SP 5.X, but from v2020 onwards we have an option to set step-up authentication to reset the questions from the global configuration. So, you could explore other methods.


Thanks & Kind Regards,

Please share additional logs