Users are unable to change their passwords through various means. Affected services could include:
- SSPR end-user web portal error: "New password does not meet requirements. Please try using a different password."
- OES Client
- iManager Directory Administration
- ldapmodify to change Universal Password
Recently, the Identity Manager (IDM) Active Directory Driver was upgraded.
An ndstrace with [TIME, TAGS, NMAS, AUTH] flags enabled shows error -16050 when the password change is attempted.
Delete the "SAS:Login Configuration Key" attribute on each affected user. Workstations running the OES Client should be patched to IR10 or newer.
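To apply the deletion to many users at once, the following added example (not part of the original article) builds an LDIF file for ldapmodify from a list of user DNs. The LDAP attribute name `sASLoginConfigurationKey` is an assumed mapping for "SAS:Login Configuration Key" and should be checked against the attribute map on your LDAP Group object; the sample DNs are constructed.

```python
import base64

# Assumption: LDAP name mapped to the eDirectory attribute
# "SAS:Login Configuration Key". Verify it in your LDAP attribute map.
DEFAULT_ATTR = "sASLoginConfigurationKey"

# Constructed sample input: one DN per line, blanks and "#" comments allowed.
SAMPLE_DNS = [
    "# users reported by the help desk",
    "cn=jdoe,ou=users,o=example",
    "CN=JDoe,ou=users,o=example",        # duplicate, differs only in case
    "",
    "cn=Zoë Müller,ou=users,o=example",  # non-ASCII DN must be base64 in LDIF
]

def is_safe_string(value):
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, first char not ' ', ':' or '<'."""
    if value and value[0] in " :<":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)

def dn_line(dn):
    """Return the LDIF dn line, base64-encoded ("dn::") when the DN is not a safe string."""
    if is_safe_string(dn):
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")

def build_ldif(dns, attr=DEFAULT_ATTR):
    """Build one modify/delete record per unique DN; DNs compare case-insensitively."""
    records, seen = [], set()
    for raw in dns:
        dn = raw.strip()
        if not dn or dn.startswith("#") or dn.lower() in seen:
            continue
        seen.add(dn.lower())
        records.append("\n".join(
            [dn_line(dn), "changetype: modify", "delete: " + attr, "-"]))
    return "version: 1\n\n" + "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(build_ldif(SAMPLE_DNS), end="")
```

Pass the output to ldapmodify with `-c` so that an entry which no longer has the attribute does not stop the run.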
Investigation into the root cause is ongoing, but it appears that the newer Active Directory driver causes the above-mentioned attribute to become corrupt after syncing passwords between AD and the Identity Vault (eDirectory). This is speculation, as the Active Directory driver does not synchronize the "SAS:Login Configuration Key" attribute.
This issue is not seen when the option "Synchronize Simple Password when setting Universal Password" is unchecked (default) in the Universal Password Configuration Options in the Password policy assigned to the user.