SSPR does not show Microsoft complexity rules

  • 7016421
  • 14-Apr-2015
  • 15-Nov-2016

Environment

Self Service Password Reset
SSPR 3.2
eDirectory environment
Password policy source set to LDAP (eDir)

Situation

Microsoft complexity rules are not displayed on the SSPR Change Password page.
MS Complexity rules are applied when the user attempts a password change, but are not shown.

Configuration:
  - SSPR Config manager --> Settings --> Password Settings --> Password Policy Source = "LDAP"
  - LDAP points to an eDirectory server
  - In the iManager "Passwords" plugin, the Universal Password policy is set to "Use Microsoft Complexity Rules" on the "Universal Password" tab of the password policy.

Resolution

Workaround:
Do both of the following:

1. Enable "Enforce Microsoft-AD 2003 Password Complexity" in SSPR Configuration Manager
Profile --> Password Policy Profiles --> Enforce Microsoft-AD 2003 Password Complexity

2. Configure SSPR to use the local policy as well as the LDAP policy:
SSPR Config manager --> Settings --> Password Settings --> Password Policy Source = "Merge Local and LDAP (default)"


Password complexity rules will then be applied, but will still not be displayed. Microsoft does not provide APIs for reading the complexity settings. Manually set the text of the password policy to show as desired by editing the "Password Rule Text" on the SSPR policy. (SSPR Config manager --> Profile --> Password Policy Profiles --> "Password Rule Text")

Additional Information

The bullet list that is auto-generated by SSPR doesn't always list all the details of the user's policy, but it should provide all that is needed for changing their password. The feedback given while the user types gives precise messages for specific violations.

You can override the bullet list by setting the SSPR setting "Password Rule Text" on the SSPR policy. (SSPR Config manager --> Profile --> Password Policy Profiles --> "Password Rule Text")

To see the precise policy read from LDAP or constructed by a merge, look at the debug.log file from an SSPR troubleshooting bundle captured while the user logs in to SSPR and changes their password (see TID 7014795, "How to enable logging for SSPR").

Note:
MS Password Complexity rules are a standard set of requirements, not settings read from the current AD configuration.
This Microsoft TechNet article lists the Password Complexity requirements for Windows Server 2003: https://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx
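Because the Microsoft complexity rules are a fixed set rather than values SSPR can read back, an administrator drafting the "Password Rule Text" needs to know exactly what "Enforce Microsoft-AD 2003 Password Complexity" will reject. The following checker is an added example for this TID, not code from the SSPR product: it encodes the three Windows Server 2003 requirements from the TechNet article above (minimum length six, three of four character categories, no account name or full-name part longer than two characters) and produces a bullet list that can be pasted into "Password Rule Text". Splitting the full name on commas, periods, dashes, underscores, spaces, pound signs and tabs is this example's reading of the TechNet wording, and the sample user and passwords are constructed.

```python
"""Windows Server 2003 password complexity checker (added example for this
TID, not SSPR product code). The rule set follows the TechNet article cited
above; the full-name tokenizing is an assumption about how that rule reads."""
import re
import string

MIN_LENGTH = 6
CATEGORIES_REQUIRED = 3

# Delimiters that split a display name into parts (assumed from TechNet text).
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def _category_count(password):
    """Number of the four categories present: upper, lower, digit, other."""
    alnum = string.ascii_letters + string.digits
    present = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        # Anything that is not an ASCII letter or digit counts as a symbol here.
        any(c not in alnum for c in password),
    ]
    return sum(present)


def _name_parts(account_name, full_name):
    """Account name plus every full-name token longer than two characters."""
    parts = [account_name] if account_name else []
    parts += [t for t in _NAME_DELIMITERS.split(full_name) if len(t) > 2]
    return parts


def check_ms_complexity(password, account_name, full_name=""):
    """Return the list of violated rules; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"must be at least {MIN_LENGTH} characters long")
    if _category_count(password) < CATEGORIES_REQUIRED:
        violations.append(
            "must contain characters from at least three of: upper case, "
            "lower case, digits, non-alphanumeric symbols"
        )
    lowered = password.lower()
    for part in _name_parts(account_name, full_name):
        # Comparison is case-insensitive, as AD applies it.
        if part.lower() in lowered:
            violations.append(f"must not contain the name part '{part}'")
            break
    return violations


def rule_text():
    """Bullet list an admin can paste into the SSPR 'Password Rule Text'."""
    lines = [
        f"- Password must be at least {MIN_LENGTH} characters long",
        "- Password must contain characters from three of these four groups: "
        "upper case letters, lower case letters, digits, symbols (e.g. ! $ # %)",
        "- Password must not contain your user name or any part of your full "
        "name longer than two characters",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    for pw in ("Tr0ub4dor!", "abc", "Smith2024"):
        print(pw, "->", check_ms_complexity(pw, "jsmith", "John Smith") or "OK")
    print(rule_text())
```

The messages returned by check_ms_complexity mirror the kind of per-violation feedback SSPR shows while the user types, so the pasted rule text and the live feedback describe the same rules.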