wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Error on log-in after reset user's password on AD and force to change at next logon #7695

Open viniciusalbino-ipnet opened 4 years ago

viniciusalbino-ipnet commented 4 years ago

Description: When I use an Active Directory (AD) as a Secondary User Store, reset a user's password on AD, and flag this user with "User must change password at next logon", the user can't log in to a Service Provider configured on WSO2IS. If I reset the user's password on AD without flagging the user, everything works fine.

When the user is flagged to change their password at next logon, I am getting this error message:

[2020-02-14 18:56:22,756] WARN {AUDIT_LOG}- Initiator=wso2.system.user Action=Authentication Target=DOMAIN.LOCAL/user.name Data=null Outcome=Failure Error={"Error Message":"Un-expected error while authenticating","Error Code":"31001"}

This error occurs on Service Provider authentication and on /dashboard.

Affected Product Version: 5.8.1

OS, DB, other environment details and versions: CentOS Linux 7, MySQL

Steps to reproduce:

CSTDev commented 4 years ago

@viniciusalbino-ipnet Did you get anywhere with this?

viniciusalbino-ipnet commented 4 years ago

@CSTDev

> @viniciusalbino-ipnet Did you get anywhere with this?

Unfortunately no. Now, I have the same issue when the password is expired.

tahir-khalid commented 3 years ago

Did you get a resolution for this? I have the same issue: as soon as I enable the 'User must change password at next log on' radio button in Windows Active Directory User Admin, WSO2 doesn't seem to know what to do. Looking at the audit logs, it attempts to log in but then fails; however, ideally we would expect a dialog of some kind asking for a new password.

CSTDev commented 3 years ago

I ended up writing a custom UserStoreManager, extending an existing class, I think the ActiveDirectoryUserStoreManager. Deployed that into WSO2, that then redirected to a page in the web app we'd written which did the active directory updates, handling the user password change. I'm afraid I don't have access to the code anymore so can't point you at it in more detail.
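
A custom user store manager like the one described above first has to tell "must change password" and "password expired" apart from a wrong password. The following is an added example, not code from this thread or from WSO2: the class `AdBindFailure` and its methods are hypothetical, and it assumes the AD bind failure surfaces as the usual LDAP error 49 message carrying a hex `data` sub-code (as in the message of a JNDI `AuthenticationException`). The sample messages are constructed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not WSO2 code): classifies an Active Directory LDAP bind failure. */
public class AdBindFailure {

    public enum Reason { INVALID_CREDENTIALS, PASSWORD_EXPIRED, MUST_CHANGE_PASSWORD,
                         ACCOUNT_DISABLED, ACCOUNT_LOCKED, OTHER }

    // AD puts the real cause in a hex sub-code after "data" inside the error 49 text.
    private static final Pattern SUB_CODE = Pattern.compile("\\bdata\\s+([0-9a-fA-F]+)\\b");

    private static final Map<String, Reason> REASONS = Map.of(
            "52e", Reason.INVALID_CREDENTIALS,
            "532", Reason.PASSWORD_EXPIRED,
            "773", Reason.MUST_CHANGE_PASSWORD,   // "User must change password at next logon"
            "533", Reason.ACCOUNT_DISABLED,
            "775", Reason.ACCOUNT_LOCKED);

    /** Maps the message of a failed bind to a reason; unknown or missing codes give OTHER. */
    public static Reason classify(String ldapMessage) {
        if (ldapMessage == null) return Reason.OTHER;
        Matcher m = SUB_CODE.matcher(ldapMessage);
        if (!m.find()) return Reason.OTHER;
        return REASONS.getOrDefault(m.group(1).toLowerCase(Locale.ROOT), Reason.OTHER);
    }

    /** True only for the two states where a password-change page is the right next step. */
    public static boolean needsPasswordChange(Reason r) {
        return r == Reason.MUST_CHANGE_PASSWORD || r == Reason.PASSWORD_EXPIRED;
    }

    public static void main(String[] args) {
        // Constructed sample messages; the DSID and version fields are placeholders.
        String prefix = "[LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, "
                + "comment: AcceptSecurityContext error, data ";
        for (String code : new String[] {"773", "532", "52e", "775"}) {
            Reason r = classify(prefix + code + ", vXXXX]");
            // A 773/532 result is still a failed login: never create a session from it.
            System.out.printf("data %s -> %s, redirect to change page: %b%n",
                    code, r, needsPasswordChange(r));
        }
    }
}
```

The change-password page reached this way should ask for the current password again and perform the change against AD itself, and every other reason should keep the generic failure response so the login form does not reveal account state.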

oleksiybozhyk commented 1 year ago

> I ended up writing a custom UserStoreManager, extending an existing class, I think the ActiveDirectoryUserStoreManager. Deployed that into WSO2, that then redirected to a page in the web app we'd written which did the active directory updates, handling the user password change. I'm afraid I don't have access to the code anymore so can't point you at it in more detail.

Hello, it would be really interesting to see how you solved this issue. Did you have some snippets?