4006 Error when changing password through SSPR

  • 7015755
  • 10-Oct-2014
  • 18-Sep-2015

Environment

Self Service Password Reset
SSPR 3.x

Situation

A 4006 error occurs when SSPR attempts to change the AD password.
The SSPR error log shows:
4006 PASSWORD_BADPASSWORD (error setting password for user ... )
The log shows additional errors:
- LDAP error code 19 LDAP_CONSTRAINT_VIOLATION
- and from AD: 0: 0000052D: DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)


Resolution

Use a password that complies with the AD password policies.
Confirm that AD will accept the new password by attempting the same change outside of SSPR, for example through an LDAP browser.

Note: Using an LDAP browser is a more accurate test (i.e. a closer comparison to what SSPR does) than changing the password through Active Directory Users and Computers.

Additional Information

These errors indicate that the attribute value SSPR is attempting to write (i.e. the new password) violates constraints placed on the attribute by AD. Unfortunately, AD has no detailed error codes for failures when setting passwords, just this one error, and it is not very specific. It can be caused by any of the following:
1) a time violation (the change is too soon according to the AD password policy's minimum age)
2) some other AD password policy violation: too short, or otherwise not meeting AD complexity requirements
3) the server (domain controller) has not been rebooted recently
4) a password history violation

Also related to this error, it is important to understand that SSPR cannot read all of the AD password policies. Most importantly, it cannot read GPO-based policies. SSPR can only read what AD calls 'fine-grained' password policies. So even though SSPR reports that a password meets the policy, there may be a constraint it cannot see.
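The following is an added example, not part of this article or of the SSPR product: it reproduces the "LDAP browser" test from the Resolution in Python and decodes the AD diagnostic string quoted above so the administrator can see which Win32 status, DSID and attribute AD is reporting. It assumes the third-party ldap3 package, a domain controller reachable over LDAPS (AD refuses unicodePwd writes over plain LDAP), and bind credentials that are allowed to reset the target user's password; the host, DNs and passwords are placeholders.

```python
import re
from typing import Optional

# Win32 status codes AD embeds as the first field of its LDAP diagnostic message.
# 0x052D is the code shown in the SSPR log above.
WIN32_ERRORS = {
    0x052D: "ERROR_PASSWORD_RESTRICTION: new password violates length, complexity, "
            "history or minimum-age policy",
    0x0005: "ERROR_ACCESS_DENIED: caller may not set this user's password",
}

# Matches e.g. '0000052D: DSID-03190F80, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)'
AD_DIAG_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): (?:DSID-(?P<dsid>[0-9A-Fa-f]+), )?"
    r"problem (?P<problem>\d+) \((?P<pname>\w+)\), data (?P<data>-?\d+)"
    r"(?:, Att (?P<att>[0-9A-Fa-f]+) \((?P<aname>\w+)\))?"
)


def parse_ad_diagnostic(message: str) -> Optional[dict]:
    """Extract the structured fields from an AD error string; None if it is not one."""
    m = AD_DIAG_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "win32": code,
        "win32_name": WIN32_ERRORS.get(code, "unknown"),
        "dsid": m.group("dsid"),
        "problem": int(m.group("problem")),
        "problem_name": m.group("pname"),
        "data": int(m.group("data")),
        "attribute": m.group("aname"),
    }


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes, UTF-16-LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def try_set_password(dc_host: str, bind_dn: str, bind_pw: str, user_dn: str, new_password: str):
    """Replace unicodePwd over LDAPS, as an LDAP browser would. Returns (success, diagnostic).
    ldap3 is imported lazily so the parsing helpers above also work without it installed."""
    from ldap3 import Server, Connection, MODIFY_REPLACE  # assumed: pip install ldap3
    conn = Connection(Server(dc_host, use_ssl=True), bind_dn, bind_pw, auto_bind=True)
    ok = conn.modify(user_dn, {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]})
    diag = None if ok else parse_ad_diagnostic(conn.result.get("message", ""))
    conn.unbind()
    return ok, diag
```

A failed call returns the parsed diagnostic, so a 0000052D / CONSTRAINT_ATT_TYPE result on unicodePwd tells you AD itself rejected the password, which points at the policy causes listed in Additional Information rather than at SSPR.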