5021 errors when activating users for SSPR

  • 7022529
  • 09-Jan-2018
  • 22-Jan-2018


Self Service Password Reset
SSPR 4.x


Users receive error 5021 when accessing the User Activation module at  https://whatever.com/sspr/public/activate
Users are not able to access challenge response questions through SSPR User Activation module
Problem occurs for users that have already logged in to the LDAP directory 
Problem does not occur for users that have never logged in to the LDAP directory


Don't use "User Activation" for users that have already logged into the LDAP directory.  Instead of pointing these users to   https://whatever.com/sspr/public/activate, have them access  https://whatever.com/sspr.  After authenticating they will be directed to setup their challenge response questions.

Additional Information

SSPR has three related modules that can easily be confused.  One requires authentication, the other two are public modules that can be accessed without authenticating to the LDAP directory.  They are as follows:

Authenticated Module:
- Change Password."   This module allows users to change existing LDAP passwords on their own directory user accounts.

Public Modules:

- New user registration."   This module allows users to create a new user account for themselves in the LDAP directory. It is accessed through  https://whatever.com/sspr/public/newuser

- "User Activation."  This module can be accessed through   https://whatever.com/sspr/public/activate.  It allows users who have been created in the directory, but have never logged in to the directory, to activate their LDAP account and set a password.  This module adds a password (and other items if specified as an activation or post activation action) to an existing but not yet used LDAP account.  Using this feature is sometimes referred to  "account claiming."  It is particularly useful after an administrator or an automated process has created an account but not specified a password.

The online docs for SSPR 4.2  include this statement about the User Activation Module: 
  “Configure the settings to allow only those users to activate their accounts that have never been authenticated.” 

 Note that the default "activation permission" filter for this module excludes users that have already logged in to the LDAP directory.  It includes this:  (!(lastLogonTimestamp=*))