11-26-2013 3:28 PM
Hello,
Currently we are facing the following issue.
Users are coming through the SAP Portal (7.01), for which the UME is the R/3 system (ECC 6).
Some of them are getting "Password has expired." as per login/password_expiration_time=30 days. Till this point everything is correct.
However, when they try to change the password, they get "You are not allowed to change the password."
The most surprising thing is that after getting the above message they are able to log in with the old password.
Can you please help me to find out the root cause?
Thanks & Regards,
Vinay
11-27-2013 11:02 AM
Hi Vinay
Can you please check whether the parameter below is set to 1?
"login/password_compliance_to_current_policy"
Default: 0
Permissible values:
For more refer: http://help.sap.com/saphelp_nw73/helpdata/en/4a/c3f18f8c352470e10000000a42189c/content.htm
Cheers
Pavan M
11-27-2013 11:59 AM
Hi Pavan,
The value of the parameter is 0.
If we go by this, then the message "Password has expired." is not expected.
Thanks & Regards,
Vinay
11-27-2013 12:06 PM
Hi Pavan,
I accept that the ultimate behavior (allowing the old password) is as per the parameter.
However, I am not getting the cause for those two messages.
One more observation: when the user tried to go through SAP GUI, it didn't get "Password has expired.". This is as per the expectation.
Thanks & Regards,
Vinay
11-27-2013 12:54 PM
Hi Vinay,
Please make sure the parameters in the portal match the parameters in the backend. If the users only get this message when accessing via the portal, the reason could be a misconfiguration of the UME on the portal.
Regards,
Patrick
11-27-2013 1:09 PM
Hi Vinay
If the parameter login/password_expiration_time is set to 30 days as mentioned above in the discussion:
If you have set the parameter recently and if Dynamically Switchable is checked, it should work.
If it is not dynamically switchable, a system restart needs to be done for the parameters to take effect.
Please let me know if I am confusing you.
11-27-2013 1:10 PM
Hi Patrick,
In this case the UME is the R/3 system (ECC 6).
So can you please confirm whether the comparison between the parameters (suggested by you) is required or not?
Thanks & Regards,
Vinay
11-27-2013 1:12 PM
Hi Pavan,
Both the options (Dynamically Switchable & Same on All Servers) have been selected.
Thanks & Regards,
Vinay
11-27-2013 1:19 PM
Hi Pavan,
Sorry, that is the setting for login/password_compliance_to_current_policy.
For login/password_expiration_time, neither of the two options has been selected.
And it hasn't been changed recently.
Thanks & Regards,
Vinay
11-27-2013 1:33 PM
Hi Vinay
I am referring to the point where you said: "user tried to go through SAP GUI..... it didn't get "Password has expired"".
Please check the change documents for when the user last changed the password.
If this is more than the number of days you have set in the parameter "login/password_expiration_time",
then I would recommend a system restart for the changes to take place.
Cheers
Pavan
11-27-2013 1:51 PM
Hi Pavan,
Yes, the user had reset the password >30 days ago.
However, I think that because of login/password_compliance_to_current_policy=0 the message "Password has expired." got suppressed.
Thanks & Regards,
Vinay
11-27-2013 2:21 PM
Hi Vinay
I just saw that the parameter "login/password_compliance_to_current_policy" applies only to password rules, not to password changes.
Below are the password rule parameters:
login/min_password_lng
login/min_password_digits
login/min_password_letters
login/min_password_lowercase
login/min_password_uppercase
login/min_password_specials
login/password_charset
Can you please go through the link below:
http://help.sap.com/saphelp_nw73/helpdata/en/4a/c3f18f8c352470e10000000a42189c/content.htm
11-27-2013 2:40 PM
Hi Vinay,
if you are using the profile parameters to set the password policy, the parameter login/password_compliance_to_current_policy will not affect the behaviour for expired passwords, only for password complexity (for example, if you change the parameters to require 2 numbers but the old password contains only 1 number, the system will behave differently at the time the user authenticates, based on the actual parameter value). Either the profile parameters have been changed but not yet activated in the system (in this case, please check what the active parameter value is, for instance with RZ11), or the user's password has been changed within the last 30 days, so that the user is able to authenticate without getting a password expired message.
Regards,
Patrick
11-27-2013 2:46 PM
Hi Vinay,
The UME cannot be the R/3 system; this is only the persistence layer for the UME. The UME is the Java user management, and you can configure it to use ABAP to authenticate users. However, it is still a complete user management engine. In the past it had been feasible to configure more restrictive settings in the UME, which were used by the password checks of the corresponding JAAS plugin. Based on the behaviour you described (authentication tells the user to change password via EP but not SAP GUI), this may be a reason; however, this does not really explain the behaviour with regard to the password change itself. Maybe you have also set a minimum time between password changes? However, as I'm no longer very familiar with the Portal, this is just a guess.
Regards,
Patrick
11-27-2013 4:20 PM
Hi Patrick,
Active parameter value is
login/password_expiration_time=30 &
login/password_compliance_to_current_policy=0
The user being considered here had changed the password >30 days ago.
Thanks & Regards,
Vinay
11-28-2013 6:35 AM
Hi Vinay,
please check the logon data for the user in question (SU01 -> logon data tab). What is the user type, and is there a security policy defined? If the user type is dialog and there is no security policy defined, there is something wrong with the system if the user is able to log in via username/password with an expired password without being required to change his password.
Regards,
Patrick
11-29-2013 9:37 AM
Hi Patrick,
Sorry, couldn't get back to you yesterday.
The user is a dialog user.
Regarding the security policy, I didn't get which things you are referring to.
Thanks & Regards,
Vinay
11-29-2013 10:11 AM
Hi Vinay,
in SAP ABAP systems with Basis 7.31 (7.03) and later, there is the ability to assign security policies to users which are not based on the profile parameters. The profile parameters are only the default. In such systems it may be that the profile says expire=30 but the profile assigned to the user says something different.
BTW: could you please check the value of login/password_change_waittime? It should be 1, or at least less than 30.
If your SAP Basis is older than 7.31 and the user can log in via SAP GUI with username and an expired password without being required to change his password, and he is a dialog user, I would suggest you open a support ticket.
Regards,
Patrick
11-29-2013 10:56 AM
Hi Patrick,
Thanks for the 7.31 related information. I wasn't aware of the Security Policy.
I checked, we are below that.
And regarding the parameter, it has been set to 1.
Thanks & Regards,
Sachhidanand
12-02-2013 2:11 PM
Hi Vinay,
you mentioned that a user of type Dialog can log in via SAP GUI with username and an expired password without being required to change his password. I would therefore suggest you open a support ticket to get this one sorted out first. If this really is the case, there is something wrong with the system.
Regards,
Patrick
12-12-2013 10:27 AM
Hi Patrick,
Sorry, I was discussing the issue with SAP.
Note 1826557 is the solution.
Please go through the same & feel free to contact me if you need any clarification.
Thanks for your time & the information you shared with me.
Pavan: Thanks a lot.
Regards,
Sachhidanand
12-12-2013 3:13 PM
Hi Gaddam,
the solution you mentioned is not the solution to the second issue cited. This has been a fix for the issue that a user was unable to change his password even though it was expired (the initial issue mentioned in this thread). The issue that had been pointed out, and to which I did refer, was the ability to log in with an expired password without even being asked to change the password. Are you sure this was caused by the same issue, or have you been unable to reproduce the issue?
regards,
Patrick
12-12-2013 3:44 PM
Hi Patrick,
Let me explain to you what was happening.
When the users were trying to change their password, the faulty code was changing the Password Change Date (Usr02) to the current date, and that too before changing the password value.
Now, after looking at this new date, it was assuming:
1) the user has already changed the password today & login/password_change_waittime=1,
so it was giving "You are not allowed to change the password.". Frankly speaking, this is a somewhat misleading message.
2) the password is valid, not expired (new Password Change Date = today's date).
Hope, this helps.
Thanks & Regards,
Sachhidanand
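
The ordering defect described in the last post, as a small Python model. This is an added example built only from that description: it is not SAP's code and not the content of Note 1826557, and the class, function names and sample dates are constructed.

```python
from datetime import date, timedelta

EXPIRATION_DAYS = 30   # login/password_expiration_time, value from the thread
CHANGE_WAIT_DAYS = 1   # login/password_change_waittime, value from the thread
DENIED = "You are not allowed to change the password."
EXPIRED = "Password has expired."

class User:
    def __init__(self, password, changed_on):
        self.password = password
        self.changed_on = changed_on   # models the password change date in USR02

def is_expired(user, today):
    return (today - user.changed_on).days > EXPIRATION_DAYS

def wait_time_elapsed(user, today):
    return (today - user.changed_on).days >= CHANGE_WAIT_DAYS

def logon(user, password, today):
    if password != user.password:
        return "wrong password"
    return EXPIRED if is_expired(user, today) else "ok"

def change_password_faulty(user, new_password, today):
    # Defect as described: the change date is stamped first, so the wait-time
    # check sees "changed today" and refuses, yet the new date stays stored.
    user.changed_on = today
    if not wait_time_elapsed(user, today):
        return DENIED
    user.password = new_password
    return "changed"

def change_password_fixed(user, new_password, today):
    # Validate against the stored date, then update value and date together.
    if not wait_time_elapsed(user, today):
        return DENIED
    user.password = new_password
    user.changed_on = today
    return "changed"

def replay(change_fn):
    """Replay the thread's sequence for a password last changed 45 days ago."""
    today = date(2013, 11, 26)                       # constructed sample date
    user = User("old-secret", today - timedelta(days=45))
    before = logon(user, "old-secret", today)
    change = change_fn(user, "new-secret", today)
    after = logon(user, "old-secret", today)         # retry with the OLD password
    return before, change, after
```

`replay(change_password_faulty)` reproduces the three symptoms in order: expiry message, refused change, then a successful logon with the old password. For detection, the useful signal is a password change date that moved while the stored password value did not.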