CA Identity Manager's password sync agent failing to allow password changes even with no password policies in place

Document ID : KB000008289
Last Modified Date : 14/02/2018
Issue:

For CA Identity Manager's password synchronization you can choose to manage password quality on your endpoint, on Identity Manager, or on both. If both enforce it, CA Identity Manager's password policy should be the same as, or weaker than, the Active Directory policy.

For this use case, you are not managing password quality through Provisioning Manager, only on your Active Directory endpoint. However, password changes are being rejected for quality even though they meet the password requirements of your Active Directory.

Additionally, if you look at the password profile settings on the password sync agent machine, the attribute Profile_Enabled is set to yes, even though you are not using a password profile in Provisioning Manager.

In Provisioning Manager the password profile is blank and disabled; it should look like this:

[Screenshot: domain_policy, the Provisioning Manager password profile shown blank and disabled]

Cause:

When the Profile_enabled attribute is set to yes in the agent's configuration file, it overrides the disabled password policy in Provisioning Manager. Therefore, when you change a password in Active Directory, the agent checks it against the Provisioning Manager password policy to ensure it meets the quality standards. Because you are not using that policy, all of its values are set to zero and unusable, so every password is automatically rejected.

Resolution:

If you do not intend to use the password policy that you have in Provisioning Manager, set profile_enabled to no. It is recommended that Identity Manager use the password policies located in the IM Web UI, as they are more robust. So, ideally, you will always want profile_enabled set to no.
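The following Python script is an added example, not part of this KB article or of the CA product. It audits a password sync agent configuration for the condition described under Cause (Profile_Enabled set to yes while every profile value is zero), reports the case from the Issue section where both Provisioning Manager and Active Directory enforce quality, and applies the Resolution by rewriting Profile_Enabled to no. Only the Profile_Enabled attribute name comes from the article; the INI layout, the [PasswordProfile] section name and the threshold key names are assumptions made for this example.

```python
import configparser
import io

# Constructed sample configurations for the password sync agent.
# Only Profile_Enabled is named in the KB; the section name, the other
# keys and the INI layout are assumptions for this example.
MISCONFIGURED = """\
[PasswordProfile]
Profile_Enabled = yes
MinLength = 0
MaxLength = 0
MinAlphaChars = 0
MinNumericChars = 0
"""

BOTH_ENFORCED = """\
[PasswordProfile]
Profile_Enabled = yes
MinLength = 8
MaxLength = 64
MinAlphaChars = 1
MinNumericChars = 1
"""

CORRECTED = """\
[PasswordProfile]
Profile_Enabled = no
MinLength = 0
MaxLength = 0
MinAlphaChars = 0
MinNumericChars = 0
"""

SECTION = "PasswordProfile"  # assumed section name


def _new_parser():
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key casing exactly as written in the file
    return cp


def load_profile(text, section=SECTION):
    """Parse the INI text and return the profile section as a dict keyed by lowercase name."""
    cp = _new_parser()
    cp.read_string(text)
    if not cp.has_section(section):
        raise ValueError(f"missing [{section}] section")
    return {k.lower(): v.strip() for k, v in cp.items(section)}


def _as_int(value):
    try:
        return int(value)
    except ValueError:
        return None


def audit_profile(profile):
    """Return findings explaining how the agent will judge password quality.

    An empty list means the agent defers to the endpoint (Active Directory),
    which is the state the KB recommends.
    """
    findings = []
    enabled = profile.get("profile_enabled", "no").lower() in ("yes", "true", "1")
    if not enabled:
        return findings
    thresholds = {k: v for k, v in profile.items() if k != "profile_enabled"}
    all_zero = bool(thresholds) and all(_as_int(v) == 0 for v in thresholds.values())
    if all_zero:
        # The Cause section: an enabled but empty profile rejects every change.
        findings.append(
            "Profile_Enabled=yes but every profile threshold is 0: the agent enforces an "
            "unusable Provisioning Manager policy and rejects every password change. "
            "Set Profile_Enabled to no so Active Directory alone judges password quality."
        )
    else:
        # The Issue section: both sides enforce quality, so IM must not be stricter than AD.
        findings.append(
            "Profile_Enabled=yes: the Provisioning Manager policy is enforced in addition "
            "to Active Directory; keep it the same as or weaker than the AD policy."
        )
    return findings


def disable_profile(text, section=SECTION):
    """Apply the KB resolution: rewrite Profile_Enabled to no and return the new INI text."""
    cp = _new_parser()
    cp.read_string(text)
    cp.set(section, "Profile_Enabled", "no")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for name, text in (("misconfigured", MISCONFIGURED), ("both", BOTH_ENFORCED), ("corrected", CORRECTED)):
        print(name, audit_profile(load_profile(text)) or ["OK: endpoint policy only"])
    print(disable_profile(MISCONFIGURED))
```

Run the audit against the agent's real configuration file before and after the change; the corrected file should produce no findings, which confirms the agent will leave password quality to Active Directory.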