Error: -1437 when changing a user's password or when authenticating

  • 7001738
  • 27-Oct-2008
  • 13-Feb-2017

Environment

Novell eDirectory 8.8 SP2
Novell International Cryptographic Infrastructure (NICI) 2.7
Novell Modular Authentication Service (NMAS) version 3.2.0

Situation

Different NMAS errors when authenticating or attempting to change a password:


ERROR: -1437 FFFFFA63 NICI E OBJECT HANDLE INVALID
ERROR: -1418 GetXKeyFromValues: CCS_UnwrapKey
ERROR: -1658 Universal Password not support for user.container


Resolution

- If the SDI tree keys are not synchronized across the tree, use SDIDIAG to check the health of the tree keys. See KB 3455150.

- If the tree keys are synchronized, upgrade NMAS on each server to the latest version.

The Universal Password is stored locally on each user object using NICI. If the NICI keys on a server are incorrect or inconsistent across servers, information encrypted by one server may not be decryptable by another. For this reason it is imperative that the NICI infrastructure is working properly in the environment.
There is another condition in which the keys are consistent and healthy and yet these sorts of errors still appear. The NMAS server caches the NICI keys for its own use. In older versions of NMAS this cached copy of the NICI keys can sometimes become corrupt, so that passwords are not properly decrypted. As a result, the password gets overwritten with a new copy, which sometimes might differ from the existing one. This issue has been addressed in NMAS version 3.3.1.
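
The two failure conditions described above, as a simplified model added here for illustration (it is not Novell's code and does not use NICI's actual algorithms): a toy key wrap shows why data wrapped under one key cannot be unwrapped under another, and a hypothetical diagnose() helper separates out-of-sync tree keys from a bad cached copy on an otherwise healthy tree. All names, keys and the server layout are constructed assumptions.

```python
import hashlib
import hmac
import os

# Simplified model, NOT NICI's real algorithms: a toy authenticated key wrap
# built from HMAC-SHA256 so the example runs with the standard library only.

def _sub(key, label):
    # Derive separate encryption and MAC subkeys from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def wrap(key, secret):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(_sub(key, b"enc"), nonce, len(secret))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("unwrap failed: key does not match the one used to wrap")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def diagnose(servers, blob):
    """servers maps name -> {"tree_key": bytes, "cached_key": bytes} (hypothetical layout)."""
    prints = {hashlib.sha256(s["tree_key"]).hexdigest() for s in servers.values()}
    if len(prints) > 1:
        return "tree keys differ between servers: resynchronize them first"
    failing = []
    for name in sorted(servers):
        try:
            unwrap(servers[name]["cached_key"], blob)
        except ValueError:
            failing.append(name)
    if failing:
        return "tree keys match but cached copy is bad on: " + ", ".join(failing)
    return "healthy"

# Constructed sample data: two replica servers and one wrapped password.
GOOD, OTHER = b"A" * 32, b"B" * 32
BLOB = wrap(GOOD, b"constructed-password")
IN_SYNC = {"srv1": {"tree_key": GOOD, "cached_key": GOOD},
           "srv2": {"tree_key": GOOD, "cached_key": GOOD}}
OUT_OF_SYNC = {**IN_SYNC, "srv2": {"tree_key": OTHER, "cached_key": OTHER}}
STALE_CACHE = {**IN_SYNC, "srv2": {"tree_key": GOOD, "cached_key": OTHER}}
```

In this model the STALE_CACHE case passes the key-consistency comparison and still fails to unwrap, which is why the resolution has a second branch for trees whose keys are already synchronized.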