5021 errors when activating users for SSPR

  • 7022529
  • 09-Jan-2018
  • 22-Jan-2018

Environment

Self Service Password Reset
SSPR 4.x

Situation

Users receive error 5021 when accessing the User Activation module at https://whatever.com/sspr/public/activate
Users are not able to access challenge response questions through the SSPR User Activation module
Problem occurs for users that have already logged in to the LDAP directory
Problem does not occur for users that have never logged in to the LDAP directory

Resolution

Don't use "User Activation" for users that have already logged in to the LDAP directory. The module is intended only for accounts that have never authenticated, and its default activation permission filter excludes accounts with a last-logon timestamp, so these users are rejected with error 5021. Instead of pointing these users to https://whatever.com/sspr/public/activate, have them access https://whatever.com/sspr. After authenticating they will be directed to set up their challenge response questions.

Additional Information

SSPR has three related modules that are easily confused. One requires authentication; the other two are public modules that can be accessed without authenticating to the LDAP directory. They are as follows:

Authenticated Module:
- "Change Password."  This module allows users to change the existing LDAP passwords on their own directory user accounts.

Public Modules:

- "New User Registration."  This module allows users to create a new user account for themselves in the LDAP directory. It is accessed through https://whatever.com/sspr/public/newuser


- "User Activation."  This module can be accessed through https://whatever.com/sspr/public/activate. It allows users who have been created in the directory, but have never logged in to the directory, to activate their LDAP account and set a password. This module adds a password (and other items, if specified as an activation or post-activation action) to an existing but not yet used LDAP account. Using this feature is sometimes referred to as "account claiming." It is particularly useful after an administrator or an automated process has created an account but not specified a password.

The online docs for SSPR 4.2 include this statement about the User Activation module:
  "Configure the settings to allow only those users to activate their accounts that have never been authenticated."

Note that the default "activation permission" filter for this module excludes users that have already logged in to the LDAP directory. It includes this:  (!(lastLogonTimestamp=*))

lastLogonTimestamp is an Active Directory attribute; a deployment against another LDAP directory needs that directory's own last-login attribute in the filter. Because the attribute is replicated between domain controllers, a user's very first logon may not yet be visible on the server SSPR queries, so a user who has just logged in for the first time can briefly still match the filter. Before loosening the filter to "fix" a 5021 error, check the user's entry for the attribute: if it is populated, the user has logged in and should be sent to https://whatever.com/sspr rather than to the activation URL.
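The following script is an added example, not SSPR code, for reproducing the activation permission decision offline. It implements the subset of the RFC 4515 LDAP filter grammar that the default filter uses (and, or, not, presence and equality tests) and evaluates a filter against user entries constructed here as sample data. The entry DNs, attribute values and the sspr_entry_point helper are assumptions for illustration; the filter string and the two URLs are the ones from this article. It also decodes an Active Directory lastLogonTimestamp value (100-nanosecond intervals since 1601-01-01 UTC) so you can see when the directory thinks the user last logged in.

```python
"""Evaluate an SSPR-style activation permission filter against LDAP entries.

Added example, not SSPR's own code. Supports the filter subset needed for
the default filter quoted in the article: (&...), (|...), (!...),
presence (attr=*) and case-insensitive equality (attr=value).
Escaped characters inside values are not handled.
"""
from datetime import datetime, timedelta, timezone

# Default activation permission filter quoted in the article.
DEFAULT_ACTIVATION_FILTER = "(!(lastLogonTimestamp=*))"

# Constructed sample entries (assumption: not real directory data).
SAMPLE_ENTRIES = {
    "cn=never.logged.in,ou=users,dc=example,dc=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["never.logged.in"],
    },
    "cn=has.logged.in,ou=users,dc=example,dc=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["has.logged.in"],
        "lastLogonTimestamp": ["132000000000000000"],  # set on first logon
    },
}


def parse_filter(text):
    """Parse an LDAP filter string into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"unterminated '{op}' list at offset {pos}")
        return (op, children), pos + 1
    if op == "!":
        child, pos = _parse(text, pos + 1)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"unterminated '!' at offset {pos}")
        return ("!", child), pos + 1
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad simple filter {text[pos:end]!r}")
    return ("=", attr, value), end + 1


def _attr_values(entry, name):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return [str(v) for v in values]
    return []


def matches(node, entry):
    """Return True if the entry satisfies the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = _attr_values(entry, attr)
    if value == "*":          # presence test: (attr=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def may_activate(entry, filter_text=DEFAULT_ACTIVATION_FILTER):
    """Would SSPR's activation permission filter admit this entry?"""
    return matches(parse_filter(filter_text), entry)


def sspr_entry_point(entry, base_url="https://whatever.com/sspr"):
    """URL the article says to send the user to (assumed helper)."""
    return f"{base_url}/public/activate" if may_activate(entry) else base_url


def filetime_to_datetime(value):
    """Decode an AD lastLogonTimestamp (100 ns ticks since 1601-01-01 UTC)."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(value) // 10)


if __name__ == "__main__":
    for dn, entry in SAMPLE_ENTRIES.items():
        stamp = _attr_values(entry, "lastLogonTimestamp")
        last = filetime_to_datetime(stamp[0]).isoformat() if stamp else "never"
        print(f"{dn}: last logon {last} -> {sspr_entry_point(entry)}")
```

Swap in your own deployment's activation permission filter for DEFAULT_ACTIVATION_FILTER to confirm which users it admits; a populated lastLogonTimestamp makes the presence test true, the negation false, and so the user is correctly excluded from activation.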