User is prompted twice to change an expired password

  • 7017755
  • 21-Jun-2016
  • 07-Sep-2016

Environment

Client for Open Enterprise Server 2 SP4 (IR3)
Novell Client 2 SP4 for Windows
Domain Services for Windows (DSfW)

Situation

After enabling the "Force Grace Login Password Change" setting in the Client for Open Enterprise Server settings (forcing the user to change their password at the last grace login), the user is prompted twice to change their password.

The initial password change prompt:


The second password change prompt, displayed after the login script execution completes:


Note that the password is successfully changed by the first prompt; responding to the second prompt requires the user to supply a second "new" password.

Cause

The two password change prompts appear because Domain Services for Windows (DSfW) is in use and the Windows and eDirectory passwords are expiring at the same time.

The first password change prompt is in response to the expired DSfW password for the Windows user. After that password is changed and the login to eDirectory completes, the second prompt is presented so the user can change the eDirectory password. It seems as if "the eDirectory account password was already changed" because, in an OES DSfW domain, the Windows-only password change performed by NCCredProvider actually has changed the eDirectory user password as well: under DSfW these accounts are one and the same.

Micro Focus engineering is investigating the problem of "how best to handle various password change scenarios when using DSfW and eDirectory."

There is currently no workaround for this in Novell Client code; that is, there is no option for skipping or "ignoring" the Windows account password expiration handling in the case where the Windows account is DSfW-based.

Status

Reported to Engineering