How to Reset PSA Admin Users Password using SSOencconf.exe

Document ID : KB000050577
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

The Technical document shows how to reset the PSA_PS_ServerName users encrypted password that is randomly generated when installing the PSA on a Domain Controller. This command will help you reset the password to your desire or anyway you won't have to reinstall the PSA in case of appearing authentication issues.

Solution:

Back Ground on PSA:

When the PSA is installed on the Domain Controller an internal user named PSA_PS_ServerName is created in the SSO Server to which the PSA then sends password change information. The PSA_PS_ServerName account is used by the PSA to authenticate against this SSO Server. The installer generates a password for this User and stores it in the Domain Controller registry.

For some reason it may become necessary to change the password of the PSA_PS_ServerName account. This has to be done on the Domain Controller the PSA is installed on and on the SSO Servers the PSA sends password change information to. Note to put the very same password in both places to keep them in sync.

Error Situation:

You may see this error in the PSA logs (WinPSAFilter.log) as follows in Image 1.

Error: Admin authentication failed, error: rc = 256 (ETWAC_API_FAIL)

Image 1

Figure 1

Since we don't know the password that was generated we need to set the password on both ends to be the same (DC and Policy Server).

To set the password on the Domain Controller (DC) do the following:

  1. Go to the command prompt and navigate to the C:\Program Files\CA\eTrust SSO\PSA\Bin
  2. Run the following command: ssoencconf.exe -r HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustSSO\PSA\PolicyServer -d "Password1" -v AdminPassword

    -d = the value you like to encrypt in this case it was Password1
    -v = the registry value you like the key to be inserted in, See Image 2 for AdminPassword Key in the registry

    Image 2

    Figure 2

    Note: You can see in the Image bellow (Image 3) that Registry Location is the same as above, it show the User name that is created on the Policy server (in this case it is PSA_PS_ADServer) and the encrypted password it has.

    Image 3

    Figure 3

    Now we logon to the SSO Server with the SSO Policy Manager to change the password for the PSA_PS_ServerName user.

    In the Policy Manager -> Users -> Administrative DataStores -> ps-farm (if this is a standalone server, it may say the ServerName instead of ps-farm)

    1. Click on ps-farm and search for the PSA_PS_ServerName user and Right Click -> Change password -> EAC
    2. A window will open up to put in the new password twice -> OK it and restart the SSO Server service.

      Figure 4

      • The Domain Controller must be rebooted for changes to take effect. This is because the PSA is a password filter that hooks into the machine's LSA process which cannot merely just be restarted. It reads the registry information at boot time.
      • Once you have made the above changes verify the PSA is working as exected. Go back to the DC and reset the password for any user. The WinPSAFilter.log should indicate a success message like in Image 5.

Image 5.

Figure 5