Local/Admin user cannot access AA Administrative portal - password forgotten or lost

  • 7023511
  • 09-Nov-2018
  • 09-Nov-2018

Environment

Advanced Authentication
AAF 6.x

Situation

Unable to login to Advanced Auth Admin page
Password for local\admin user has been lost or forgotten
Unable to access Administrative Portal after Admin password has been lost

Resolution

If the local\admin password has expired, it can be recovered as documented in TID 7022003.

If the password for the local\admin account has been lost or forgotten, recovery can be more difficult, and may or may not be possible. The recovery options are as follows:

1. Authenticate to the admin or help desk page with a different admin or help desk user and reset the forgotten password for the user admin.

Note the following statement from the online documentation for Advanced Authentication 6.1 at https://www.netiq.com/documentation/advanced-authentication-61/server-administrator-guide/data/loggingintoadvancedauthentication.html
IMPORTANT: Password of local\admin account expires by default. For uninterrupted access to the Administration portal, it is strongly recommended to add authorized users or group of users from a configured repository to the FULL ADMINS role. Then you must assign chains, which contain methods that are enrolled for users, to the AdminUI event (at a minimum with an LDAP Password).

If no other admin or help desk users have been created, proceed to the other options below.

2. If the password was changed from a previous value, and that earlier password is known, revert the Advanced Authentication server to a VMware snapshot taken while the previous password was in place. If the server is in a cluster, revert each server in the cluster to snapshots taken at the same time (or as close to the same time as possible). Note that authenticator enrollments made after the date of the snapshot will be lost.

IMPORTANT: Be sure to roll back all servers in the cluster to snapshots taken at or near the same time. Reverting to a snapshot on just the global master may lead to unexpected behavior. This is not tested and the behavior cannot be predicted.

3. If a backup was exported with a known admin password, start over and install a new appliance as a new global master server. Then restore the database from the previously exported backup. Bring up other new servers to form the desired cluster and restore the database on these servers too. The admin password that was in place at the time the backup was made is required to import and decrypt the backup. See the instructions for exporting and importing the database in the online documentation at https://wwwtest.netiq.com/documentation/advanced-authentication-61/server-administrator-guide/data/t45ayj2v6ab8.html#t4796pbr6fg0

4. Start over and install a new Advanced Authentication environment. Be sure to create additional admin or help desk users.