DSfW: The proper intruder lockout message is not returned

  • 7014529
  • 10-Feb-2014
  • 10-Feb-2014

Environment

Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW
eDirectory 8.8.7
NMAS

Situation

With intruder detection enabled, create a user in MMC and make sure the "User must change password at next logon" option is checked.

Then the user logs in with an incorrect password and receives the following error:
"The system could not log you on.  Make sure your User name and domain are correct, then type your password again.  Letters in the passwords must be typed using the correct case."

The new user continues to log in with an invalid password until the account is locked.

The same error "The system could not log you on. Make sure your User name and domain are correct, then type your password again.  Letters in the passwords must be typed using the correct case." is returned until the correct password is entered.  The error in AD reports that the account is locked.

In DSfW, the user logs in with the correct password and receives this error:
"Your password has expired and must be changed."

The user is then prompted to enter a new password.  This screen is not seen in AD.

It looks like the password is set, but this error is returned once the new password is set:
"The User name or old password is incorrect.  Letters in the password must be typed using the correct case."

Resolution

Apply the November 2013 Maintenance Patch.

Cause

When a user is created in MMC with the 'Change password on next logon' option set and an intruder then makes 3 invalid password attempts, the user account should be locked and the lockout message should be displayed for an invalid login. Instead, the user is prompted to change the password and an error is thrown at the end. This happens because the change password condition is validated before the local policy is validated.
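
The check ordering described above, as an added example that is not DSfW or eDirectory code: a simplified model of the logon decision with the change-password check first, beside the same decision with the lockout check first. The class, function names, and sample password are hypothetical, and the status names are borrowed from Windows NTSTATUS only for illustration.

```python
from dataclasses import dataclass

# Status names borrowed from Windows NTSTATUS, for illustration only.
STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D
STATUS_PASSWORD_MUST_CHANGE = 0xC0000224
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234

LOCKOUT_THRESHOLD = 3  # "3 invalid password attempts" from the Cause text


@dataclass
class Account:
    password: str
    must_change: bool = True  # "User must change password at next logon"
    failed: int = 0           # intruder-detection counter

    def locked(self) -> bool:
        return self.failed >= LOCKOUT_THRESHOLD


def logon_change_check_first(acct: Account, pw: str) -> int:
    """Modelled faulty order: change-password condition before lockout."""
    if pw != acct.password:
        acct.failed += 1
        return STATUS_LOGON_FAILURE
    if acct.must_change:
        return STATUS_PASSWORD_MUST_CHANGE  # reached even when locked
    return STATUS_ACCOUNT_LOCKED_OUT if acct.locked() else STATUS_SUCCESS


def logon_lockout_first(acct: Account, pw: str) -> int:
    """Modelled corrected order: lockout policy before change-password."""
    if pw != acct.password:
        acct.failed += 1
        return STATUS_LOGON_FAILURE
    if acct.locked():
        return STATUS_ACCOUNT_LOCKED_OUT
    return STATUS_PASSWORD_MUST_CHANGE if acct.must_change else STATUS_SUCCESS


def replay(logon) -> list:
    """Constructed scenario: three bad passwords, then the correct one."""
    acct = Account(password="Correct#1")  # constructed sample value
    attempts = ["bad1", "bad2", "bad3", "Correct#1"]
    return [logon(acct, pw) for pw in attempts]


if __name__ == "__main__":
    for fn in (logon_change_check_first, logon_lockout_first):
        print(fn.__name__, [hex(s) for s in replay(fn)])
```

A replay like this works as a regression check after patching: the fourth attempt should report the lockout, not a password-change prompt.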