Error changing AD Password

Error changing AD Password

The user is trying to change their password via the portal and is getting an error that the Directory Services was unable to change the password.

The following error shows on the loader console :

DEBUG [com.stoneware.service.public.Core.changePassword]: CN=testpasschange,OU=portal,dc=xxx,dc=xxx,dc=xxx,dc=org: userAccountControl = 200
DEBUG [com.stoneware.service.public.Core.changePassword]: The minimum password age is: 0
ERROR [com.stoneware.service.public.Core.changePassword]: CN=testpasschange,OU=portal,dc=xxx,dc=xxx,dc=xxx,dc=org: user flagged ’User cannot change password’
ERROR [com.stoneware.service.public.Core.changePassword]: Unable to change password: CN=testpasschange,OU=portal,dc=xxx,dc=xxx,dc=xxx,dc=org
javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F00, #1:
0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
]; remaining name ’CN=testpasschange,OU=portal,dc=xxx,dc=xxx,dc=xxx,dc=org’ 


This means that you did not conform to password requirements. Active Directory password policy is enforcing password history, minimum password length, minimum password age or password complexity, then this will raise the LDAP Error Code 19 (invalid attribute exception), with an Active Directory problem code of 1005.


Another error code that means the same thing is :

javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00000056: AtrErr: DSID-03190F00, #1:
0: 00000056: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)


Some other common LDAP errors dealing with password change problems.

Wrong Old Password while trying changePassword:
-----------------------------------------------
** While connecting with Admin Principal:
[LDAP: error code 19 - 00000056: AtrErr: DSID-03190F80, #1:
0: 00000056: DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

** While connecting with the User's credentials (Standard ERROR_LOGON_FAILURE Message):
* If User must change Password:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

* If User is not obliged to change password:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1


Good credentials, new password same as old:
------------------------------------------
** While connecting with Admin Principal:
[LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F80, #1:
0: 0000052D: DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

** While connecting with the User's credentials:
* If User must change Password:(Standard ERROR_PASSWORD_MUST_CHANGE Message):
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1

* If User is not obliged to change password:
[LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F80, #1:
0: 0000052D: DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)


Good credentials, good new password:
--------------------------------------
** While connecting with Admin Principal:
OK - No Error

** While connecting with the User's credentials:
* If User must change Password:(Standard ERROR_PASSWORD_MUST_CHANGE Message):
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1

* If User is not obliged to change password:
OK - No Error 
    • Related Articles

    • Display password complexity in AD

      How can I display the password complexity for a windows domain that is not using Fine-Grained password features ? Click on Start, Run, GPEDIT.MSC Go to computer config-----windows settings---security setting--account policy----passwd policy This will ...
    • User password expiration / lockouts in Microsoft Active Directory

      How can I show accounts that are locked out in AD ? http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx Can I dump password expiration for users in AD ? AdFind.exe to dump the password expiration. Stoneware download / Utilities has this ...
    • LDAP Error Codes

      AcceptSecurityContext error, data 52e means "bad password" AcceptSecurityContext error, data 525 means "bad user name" AcceptSecurityContext error, data 773 means "password expiring" or similar.  Standard error codes Standard LDAP errors Error / data ...
    • Change Password Reset URL

      Issue Customer would like to use their own password changing application instead of the one built into Unified Workspace. Solution To point the Reset Password link to a specific URL: Open webAdmin Dashboard. Expand Customization Center. Expand ...
    • Error authenticating during webNetwork startup.

      The customer gets an error when starting UW: INFO [com.stoneware.service.DirectoryManager]: We are creating an AD connection. FATAL [com.stoneware.service.DirectoryManager]: Unable to verify/extend schema. javax.naming.AuthenticationException: [LDAP: ...
    • Popular Articles

    • Old Browser Versions

      Question: I am using an older browser version and am having problems. What can be done ? We are not able to upgrade the browser at this time.   This is a challenge for any company that makes software that utilizes a browser. Since Stoneware does not ...
    • LCS Redirection

      Problem: How to redirect the LCS in an environment with multiple LCSs and students connecting to them. Solution(s): Create an allow.cfg on all LCS(s) (including the Master) in the network, however, even if no allow.cfg is present on an LCS, machines ...
    • Time windows allows for Service Shutdown

      Issue: Can the time windows gives a service to shut down before it kills the service be increased? Solution: Yes, the following information comes from the Microsoft URL : http://support.microsoft.com/kb/146092 To specify the wait time, do the ...
    • How to disable password saving - Internet Explorer

      Having multiple methods for saving a password in the browser can cause confusion for the user.   To disable password saving in Internet Explorer, launch Internet Explorer and perform the following steps. Click the blue Settings menu icon in the upper ...
    • How to disable password saving - Chrome

      Having multiple methods for saving a password in the browser can cause confusion for the user.  To disable password saving in Chrome, launch Chrome and perform the following steps. Click the Chrome menu button in the upper right corner of the Chrome ...
    • Recent Articles

    • SAML Service Provider

      Issue How can I use a 3rd Party service (such as ADFS, Office365, or OneLogin) to SSO into UW? Solution The SAML Service Provider (SP) features allows another Identity Provider (IDP) to single sign-on into Unified Workspace using SAML for a seamless ...
    • Lenovo Unified Workspace 7.0.0.63 Released

      Highlights of Unified Workspace 7.0.0.63 Before you install: Please view the installation notes here. 7.0.0.63 Requires new 7.0 license file. Below is a list of enhancements and fixes for Unified Workspace 7.0.0.63 New Profile Style New Login ...
    • How to fix customized login and profile after upgrading to v7.0

      With the release of 7.0 the default login page has been modified to simplify the customization process.  If you are having an issue with the login page not displaying, after upgrading to v7.0, you will need to delete the custom CSS code and start ...
    • SAML SP - Sync Directory Password

      Login script to prompt for directory password Since the user does not login into Unified Workspace with a password, we cannot capture the password to use in the @@password@@ variable.  If you would like to use the Active Directory password for other ...
    • MySQL 8 SSL

      Issue Admin is making a database connection to a MySQL 8 database.  When clicking the Ping button on the DB Connection object, the following error is presented: WARN: Establishing SSL connection without server's identity verification is not ...