Solved: Password Related Query

gaddam_vinaykumar · ‎11-26-2013

Hello,

Currently we are facing the following issue.

Users are coming through the SAP Portal( 7.01 ), for which UME is the R/3 system( ECC 6 ).

Some of them are getting," Password has expired. " as per login/password_expiration_time=30 days. Till this point everything is correct.

However when they try to change the password; they get," You are not allowed to change the password. ".

The most surprising thing is..... after getting the above message they are able to log in with the old password.

Can you please help me to find out the root cause?

Thanks & Regards,

Vinay

Former Member · ‎11-27-2013

Hi Vinay

can you please check the below parameter is set to 1

"login/password_compliance_to_current_policy"

Default: 0

Permissible values:

0: No Check
1: During the password check, the system checks whether the current password fulfills the current password rules. If this is not the case, it forces a password change.

For more refer: http://help.sap.com/saphelp_nw73/helpdata/en/4a/c3f18f8c352470e10000000a42189c/content.htm

Cheers

Pavan M

.

Former Member · ‎11-27-2013

Hi Vinay

can you please check the below parameter is set to 1

"login/password_compliance_to_current_policy"

Default: 0

Permissible values:

0: No Check
1: During the password check, the system checks whether the current password fulfills the current password rules. If this is not the case, it forces a password change.

For more refer: http://help.sap.com/saphelp_nw73/helpdata/en/4a/c3f18f8c352470e10000000a42189c/content.htm

Cheers

Pavan M

.

gaddam_vinaykumar · ‎11-27-2013

Hi Pavan,

The value of the parameter is 0.

If we go by this; then the message," Password has expired. " is not expected.

Thanks & Regards,

Vinay

gaddam_vinaykumar · ‎11-27-2013

Hi Pavan,

I accept, the ultimate behavior( allowing the old password ) is as per the parameter.

However not getting the cause for those two messages.

One more observation, when the user tried to go through SAP GUI..... it didn't get," Password has expired. ". This is as per the expectation.

Thanks & Regards,

Vinay

Former Member · ‎11-27-2013

HI Vinay,

please make sure the parameters in the portal match the parameters in the backend. If the users only get this message when accessing via the portal, the reason could be a misconfig of the UME on the portal.

Regards,

Patrick

Former Member · ‎11-27-2013

Hi Vinay

If parameter login/password_expiration_time is set to 30 days as mentioned above in the discussion

if you have set the parameter recently and if dynamically switchable is checked, it should work

If is not dynamically switched , system restart needs to done for the parameters to get affected.

Please let me know if am confusing you

gaddam_vinaykumar · ‎11-27-2013

Hi Patrick,

In this case UME is the R/3 system( ECC 6 ).

So can you please confirm; whether the comparison between the parameters( suggested by you ) is required, or not?

Thanks & Regards,

Vinay

gaddam_vinaykumar · ‎11-27-2013

Hi Pavan,

Both the options( Dynamically Switchable & Same on All Servers ) have been selected.

Thanks & Regards,

Vinay

gaddam_vinaykumar · ‎11-27-2013

Hi Pavan,

Sorry, that is the setting for login/password_compliance_to_current_policy.

For login/password_expiration_time, none of the two options has been selected.

And it hasn't been changed recently.

Thanks & Regards,

Vinay

Former Member · ‎11-27-2013

Hi Vinay

I am refering to the point where you said .. "user tried to go through SAP GUI..... it didn't get," Password has expired"

Please check the chnage documents when was the last tym user changed password.

If this is more than the no of days you have set in the parameter "login/password_expiration_time"

Then I would recommend a system restart for the changes to take place

Cheers

Pavan

gaddam_vinaykumar · ‎11-27-2013

Hi Pavan,

Yes, >30 days ago the user had reset the password.

However I think; because of login/password_compliance_to_current_policy=0 the message" Password has expired. " got suppressed.

Thanks & Regards,

Vinay

Former Member · ‎11-27-2013

Hi Vinay

I just saw Parameter "login/password_compliance_to_current_policy" applies to only password rules not for password changes..

Below are the password rule parameters

login/min_password_lng

login/min_password_digits

login/min_password_letters

login/min_password_lowercase

login/min_password_uppercase

login/min_password_specials

login/password_charset

Can you please go through the below link...

http://help.sap.com/saphelp_nw73/helpdata/en/4a/c3f18f8c352470e10000000a42189c/content.htm

Former Member · ‎11-27-2013

Hi Vinay,

if you are using the profile parameters to set the password policy, the parameter login/password_compliance_to_current_policy will not affect the behaviour for expired passwords, only for password complexity (for example if you change the parameters to require 2 numbers but the old password contains only 1 number, the system will behave differently at the time the user authenticates, based on the actual parameter value). Either the profile parameters have been changed but not yet activated in the system, in this case, please check what the active parameter value is (for instance with RZ11). Or the users password has been changed within the last 30 days to be able to authenticate without getting a password expired message.

Regards,

Patrick

Former Member · ‎11-27-2013

Hi Vinay,

UME can not be R/3 system, this is only the persistence layer for the UME. UME is the Java user management and you can configure it to use abap to authenticate users. However it is still a complete user management engine. In the past it had been feasible to configure more restrictive settings in the UME which were used by the password checks of the corresponding JAAS plugin. Based on the behaviour you described (authentication tells the user to change password via EP but not SAP-GUI), this may be a reason, however this des not really explain the behaviour with regards to the password change itself. Maybe you have also set a minimum time between password changes? However as I'm no longer very familiar with the Portal, this is just a guess.

Regards,

Patrick

gaddam_vinaykumar · ‎11-27-2013

Hi Pavan,

Got your point.

Thanks & Regards,

Vinay

gaddam_vinaykumar · ‎11-27-2013

Hi Patrick,

Active parameter value is

login/password_expiration_time=30 &

login/password_compliance_to_current_policy=0

The user being considered here had changed the password >30 days ago.

Thanks & Regards,

Vinay

Former Member · ‎11-28-2013

Hi Vinay,

please check the logon data fo the user in question (SU01 -> logon data tab). What is the user type and is there a security policy defined? If user type is dialog and there is no security policy defined, there is something wrong with the system, if the user is able to login via username/password with an expired password without being required to change his password.

Regards,

Patrick

gaddam_vinaykumar · ‎11-29-2013

Hi Patrick,

Sorry, couldn't get back to you yesterday.

The user is a dialog user.

Regarding the security policy..... I didn't get, which things you are referring to.

Thanks & Regards,

Vinay

Former Member · ‎11-29-2013

Hi Vinay,

in SAP ABAP systems with Basis 7.31 (7.03) and later, there is the ability to assing security policies to users which are not based on the profile parameters. There profile parameters are only the default. In such systems it may be that the profile tells expire=30 but the profile assinged to the user might tell something different.

BTW: could you please check the value of login/password_change_waittime? it should be 1 or at least less than 30.

If your SAP basis is elder than 7.31 and the user can login in via SAPGUI with username and an expired password without being required to change his password and he is a dialog user, I would suggest you open a support ticket.

Regards,

Patrick

gaddam_vinaykumar · ‎11-29-2013

Hi Patrick,

Thanks for the 7.31 related information. I wasn't aware of the Security Policy.

I checked, we are below that.

And regarding the parameter..... it has been set to 1.

Thanks & Regards,

Sachhidanand

Former Member · ‎12-02-2013

Hi Vinay,

you mentioned that a user of type Dialog can login in via SAPGUI with username and an expired password without being required to change his password. I would therefor suggest you open a support ticket to get this one sorted out first. If this really is the case, there is something wrong with the system.

Regards,

Patrick

gaddam_vinaykumar · ‎12-12-2013

Hi Patrick,

Sorry, was discussing the issue with SAP.

Note 1826557 is the solution.

Please go through the same & feel free to contact me if you need any clarification.

Thanks for your time & the information you shared with me.

Pavan:- Thanks a lot.

Regards,

Sachhidanand

Former Member · ‎12-12-2013

Hi

Glad that you got the solution and mentioned it here

Cheers

Former Member · ‎12-12-2013

Hi Gaddam,

the solution you mentioned is not the solution to the second issue cited. This has been a fix for the issue, that a user was unable to change his password, even though it was expired (initial issue mentioned in this thread). The issue that had been pointed out to which I did refer to was the ability to log in with an expired password without even been asked for to change the password. Are you sure this was caused by the same issue or have you been unable to reproduce the issue?

regards,

Patrick

gaddam_vinaykumar · ‎12-12-2013

Hi Patrick,

Let me explain you what was happening.

When the users were trying to change their password; the faulty code was changing the Password Change Date( Usr02 ) to the current date & that too before changing the password value.

Now after looking at this new date it was assuming,

1) already the user has changed the password today & login/password_change_waittime=1

so was giving," You are not allowed to change the password. ". Frankly speaking, this is somewhat misleading message.

2) the password is valid, not expired( new Password Change Date-today's date ).

Hope, this helps.

Thanks & Regards,

Sachhidanand