pwm error during page generation: 5026 ERROR_BAD_SESSION_PASSWORD

[GoogleCodeExporter]

What steps will reproduce the problem?
When a user tries to activate their account they get this error message after 
entering the sms token.

What is the expected output? What do you see instead?
After entering the sms token, the user should be forwarded to accepting the IT 
rules and set password and thus activate their account.

What version of PWM are you using?
PWM 1.7.1

What ldap directory and version are you using?
eDir 8.8.8 hotfix 1
Tomcat7 and Apache 2.2

We are in a bit of trouble because of this error. As stated, we are using PWM 
1.7.1 and it is working fine most of the times. 8 out 10 students are 
successfully activating their accounts (Check the log file for one of the user 
with successful activation) but some users get the above error message (log 
file attached)

If there is something wrong then why is it not for all the students?
We have compared the accounts with success and failure messages and there is no 
difference whatsoever. The same admin (PWMAdmin) account is being used as proxy 
user. 

We would be thankful if you can give us any idea about this problem. Thanks

Please paste any error log messages below:
Please have a look of the attached log files. One is for successful activation 
and the other is the error message log.

Original issue reported on code.google.com by haqa...@gmail.com on 14 Jul 2014 at 10:24

Attachments:

• [Unable to activate.txt](https://storage.googleapis.com/google-code-attachments/pwm/issue-588/comment-0/Unable to activate.txt)
• [Successful activation.txt](https://storage.googleapis.com/google-code-attachments/pwm/issue-588/comment-0/Successful activation.txt)

[GoogleCodeExporter]

Any differences in password policy, or does the password policy set 
restrictions like a minimum password age or maximum amount of changes?

Original comment by menno.pi...@gmail.com on 14 Jul 2014 at 10:32

• Changed state: NeedInfo

[GoogleCodeExporter]

No, the same password policy is being used for all the student accounts. We 
have increased the password expiry time to one year now (It was 3 months 
initially) and there are no restriction on the maximum number of changes.

Original comment by haqa...@gmail.com on 14 Jul 2014 at 10:35

[GoogleCodeExporter]

What about the MINIMUM password age?

Original comment by menno.pi...@gmail.com on 14 Jul 2014 at 10:40

[GoogleCodeExporter]

I am really sorry, I failed to find out the minimum password age. Attached is a 
screen shot of the password policy that we are using.
Can I see the minimum password age in some other place? (Sorry again)

Original comment by haqa...@gmail.com on 14 Jul 2014 at 10:49

Attachments:

• Capture.PNG

[GoogleCodeExporter]

Could you check your NDS logs, if any? You may need to increase the NDS log 
level, since by default NDS is not very verbose...

Original comment by menno.pi...@gmail.com on 14 Jul 2014 at 11:13

[GoogleCodeExporter]

I didn't get time to work with this issue yesterday. Please have a look of the 
ndstrace below for one of the users.
If it doesn't say much then I can increase the log level and attach another 
copy.
Thanks

Original comment by haqa...@gmail.com on 15 Jul 2014 at 8:23

Attachments:

• [NDS log.txt](https://storage.googleapis.com/google-code-attachments/pwm/issue-588/comment-6/NDS log.txt)

[GoogleCodeExporter]

I see nothing "alarming",....

Original comment by menno.pi...@gmail.com on 15 Jul 2014 at 9:07

[GoogleCodeExporter]

I found something (that I should have seen long ago) that is even more 
confusing.
In our password policy, we are using Microsoft complexity policy rules, which 
requires 3 out of 5 categories,
1. Upper Case,
2. Lower Case,
3. 0-9
4. Nonalphanumeric characters
5. Any Unicode character..........

In PWM configuration, I have set LDAP as the Password policy source and all the 
other settings for PWM's own password policy are turned off (setting them to 0).

BUT at the last page of activation when the user is setting a password, PWM 
doesn't show the correct password policy and when I try to generate a random 
password, I can see that most of the generated passwords are not according to 
the password policy and are not correct.
When I select any of those "incorrect" passwords, PWM gives me the message that 
your password doesn't have enough upper/lower case letters. 

Can anyone please please help me with this? 

Original comment by haqa...@gmail.com on 16 Jul 2014 at 11:13

[GoogleCodeExporter]

I guess we'll have to check whether the password policy is applied correctly in 
all situations.

In the meantime, may I suggest as a workaround to try and synchronize the 
policies and use the local policy (PMW) instead of AD policy?

Original comment by menno.pi...@gmail.com on 16 Jul 2014 at 2:17

• Changed state: Accepted

[GoogleCodeExporter]

The problem is that we are supposed to use Microsoft complexity policy in AD 
and I can't set those rules in PWM. I don't think I can set PWM to ask for any 
3 conditions of the given 5 or can I?

Original comment by haqa...@gmail.com on 16 Jul 2014 at 9:37

[GoogleCodeExporter]

I would like to add a bit more information.

We are getting the same problem when someone tries to use "Forgotten Password". 
The error message is the same as in the above log files.

ERROR, password.pwm.AuthenticationFilter, unable to authenticate user with 
temporary or retrieved password, check proxy rights, ldap logs, and ensure 
ldap.namingAttribute setting is correct
WARN , password.pwm.servlet.ForgottenPasswordServlet, unexpected error 
authenticating during forgotten password recovery process user: 5026 
ERROR_BAD_SESSION_PASSWORD (unable to authenticate user with temporary or 
retrieved password, check proxy rights, ldap logs, and ensure 
ldap.namingAttribute setting is correct) 

The difference between the "Activation process" (The one I registered the case 
for) and "Forgotten password" is that during the Forgotten password process, on 
the final page, the correct password policy has been displayed. 

Can there be a problem with the session password that is being used by the user 
(assigned by the admin account) during Forgotten password process?
May be the temporary password assigned by the Admin account is not fulfilling 
the criteria???

I would be thankful if you can give me something to look into.

Original comment by haqa...@gmail.com on 6 Aug 2014 at 11:43

[GoogleCodeExporter]

Was there a resolution to this or is this being looked at. We are experiencing 
the same issue since upgrade to eDir 8.8.8 hotfix 1.

Original comment by petegro...@gmail.com on 15 Sep 2014 at 9:51