Password history ignored when changing password through SSPR "forgotten password" link

  • 7012135
  • 11-Apr-2013
  • 27-Apr-2015

Environment

NetIQ Self Service Password Reset
SSPR 2.0
SSPR 2.0 HF1a
Active Directory environment
Enforce Microsoft AD password complexity set to "True"
Active Directory password policy set to enforce password history

Situation

When changing the password through the "forgotten password" link SSPR does not
prevent the user from reusing the current or a previously used password.

User can use an old password when changing the password after clicking "forgotten password" and answering the security questions.

SSPR ignores the "Enforce password history" setting in the Active Directory policy when resetting the password through "Forgotten Password."

SSPR does honor the AD "Enforce password history" setting if the "change password" option is selected directly from the SSPR main menu.

Resolution

Upgrade to SSPR 3.2 or newer, and in the SSPR Configuration Manager enable both of the following settings under Settings --> Active Directory:

- Use Proxy When Password Forgotten
- Enforce Password Policy During Forgotten Password


NOTE:

With these settings in place, the following will be observed if a user attempts to reuse a formerly used password:
- When the user types the new password, SSPR shows "Password meets requirements, please type confirmation password"
- When the user types the password a second time to confirm the new password, SSPR shows "New password accepted, please click change password"
- When the user clicks change password, SSPR shows "New password does not meet rule requirements", as expected.

This violation is not identified until after the password is submitted because AD does not have a password-policy pre-check API. SSPR checks the rules it can enforce itself, but rules such as history or time constraints must be checked by AD, and the first opportunity to do so is when the password is actually sent to AD for a change. This contrasts with eDirectory, which has a pre-check API that is called while the user is typing to disallow non-compliant passwords.
Additional Information

Changing the password after clicking the "Forgotten Password" link in SSPR is considered by AD to be a password reset, as opposed to a password change. The Windows "Enforce password history" setting applies only to password changes and not to password resets.

A password reset is performed by someone who does not know the current password. Typically this would be an administrative or help desk user.  In the case of SSPR the password reset is actually made in AD by the SSPR proxy user - after the user has correctly identified herself by answering the challenge questions.

A password change, on the other hand, is performed by the end user of the account after providing the current password. In SSPR the user must authenticate with the current password in order to change the password. The change is made in AD as the logged-in user himself.
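The following Python is an added illustration and is not SSPR or NetIQ code. It shows the two LDAP modify operations that the "Additional Information" section distinguishes (a password change that deletes the old unicodePwd value and adds the new one, versus a reset that replaces the value outright), the split described in the NOTE between rules a client can pre-check locally and rules only the domain controller decides, and how the DC's post-submit failure can be classified from its diagnostic message. The modify payloads are plain Python structures that mirror the attribute/operation tuples an LDAP client library such as ldap3 sends; no connection is made. The local complexity check is an approximation of the Windows complexity rule, the function and category names are this example's own, and the Win32 error codes in the table (0x52D ERROR_PASSWORD_RESTRICTION, 0x52B ERROR_INVALID_PASSWORD, 0x5 ERROR_ACCESS_DENIED) are the standard values AD prefixes to its diagnostic messages.

```python
"""Added example (not NetIQ/SSPR code): AD password change vs. reset payloads,
local pre-checks vs. DC-only checks, and classifying the DC's answer."""
import re

MIN_LENGTH = 6  # baseline of the Windows complexity rule; domains usually set a higher minimum


def meets_complexity(password: str, sam_account_name: str) -> bool:
    """Local pre-check (approximation of the Windows complexity rule): minimum
    length, three of four character classes, account name not contained in the
    password. History and minimum age cannot be checked here; only the DC can."""
    if len(password) < MIN_LENGTH:
        return False
    if sam_account_name and sam_account_name.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def change_password_modify(old_password: str, new_password: str) -> dict:
    """Password CHANGE: delete the old value and add the new one in one modify.
    The caller proves knowledge of the old password, so the DC applies history
    (and minimum-age) checks. This is the SSPR 'change password' menu path."""
    return {
        "unicodePwd": [
            ("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
            ("MODIFY_ADD", [encode_unicode_pwd(new_password)]),
        ]
    }


def reset_password_modify(new_password: str) -> dict:
    """Password RESET: replace unicodePwd outright. Needs the 'Reset Password'
    right (held by the SSPR proxy user); 'Enforce password history' does not
    apply to this form, which is the behaviour the TID describes."""
    return {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}


# AD reports policy failures after submit as constraintViolation/unwillingToPerform
# with a Win32 error code at the start of the diagnostic message, e.g.
# "0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0".
_WIN32_ERRORS = {
    0x52D: "password_restriction",  # ERROR_PASSWORD_RESTRICTION: history, age, length, complexity
    0x52B: "invalid_old_password",  # ERROR_INVALID_PASSWORD: wrong current password on a change
    0x5: "access_denied",           # ERROR_ACCESS_DENIED: caller lacks the Change/Reset Password right
}
_DIAG_RE = re.compile(r"^([0-9A-Fa-f]{8}):")


def classify_dc_failure(result_code: int, diagnostic_message: str) -> str:
    """Map an LDAP modify result to a category: 'ok' for result 0, a name from
    _WIN32_ERRORS when the message carries a known code, otherwise 'unknown'."""
    if result_code == 0:
        return "ok"
    m = _DIAG_RE.match(diagnostic_message or "")
    if not m:
        return "unknown"
    return _WIN32_ERRORS.get(int(m.group(1), 16), "unknown")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(meets_complexity("Summer2015!", "jdoe"))   # local rules pass
    print(change_password_modify("OldPass1!", "Summer2015!"))
    print(reset_password_modify("Summer2015!"))
    # Constructed DC response for a history violation on submit.
    print(classify_dc_failure(
        19, "0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0"))
```

Because only the DC evaluates history, a client that passes `meets_complexity` still has to be ready for `password_restriction` coming back after the modify is sent, which is exactly the "New password does not meet rule requirements" step in the NOTE above. A real client must also send unicodePwd modifications over TLS, since AD refuses them on an unencrypted connection.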