Unable to login to SSPR after cancelling Forgotten Password

  • 7024273
  • 19-Nov-2019
  • 19-Nov-2019


SSPR 4.x


Unable to login to SSPR after cancelling password change in Forgotten password.
Password no longer works after starting but not completing password change.  


This problem is documented here:

SSPR binds to LDAP and creates a random password when a user clicks the Forgotten password link.  After that the old password is no longer valid.  If the user cancels the process without completing it, the password will remain at the random value created by SSPR, and will be unknown to the user. 

To resolve this problem do the following:
  • For Active Directory environments, enable the setting  "Use Proxy When Password Forgotten" in SSPR Configuration Editor under LDAP > LDAP Settings > Microsoft Active Directory.
  • For eDirectory and Oracle Directory Server, have the user start the forgotten password process again and complete the process. At the end of the process users will be forced to change their password to a value they know.

Additional Information

There are two ways to change an LDAP password;   password reset and password change.  A password change is done as the user.  A reset is made by the administrator and does not require knowledge of the old password.

When the user clicks the Forgotten Password link, SSPR does the following:
  • Prompts for user name
  • Depending on settings, prompts for challenge responses or otherwise verifies the user’s identity. 
  • Performs an LDAP bind as the SSPR Proxy User  (this user must have rights to reset passwords in the directory).
  • Does an LDAP password reset (admin reset) and sets the password to a random value.

  • Prompts the user to change the password.
  • User enters a new password
  • SSPR does an LDAP bind as the user
  • SSPR does an LDAP password change (user level change) 
With the setting "Use Proxy When Password Forgotten"  enabled, SSPR skips setting the random password, binds as the SSPR Proxy User and does an LDAP password change instead of an LDAP password reset. This is only possible in an AD environment.  In AD an Admin user can do a password change as well as a password reset; this is a fairly common approach for applications to use.   eDirectory, however, does not allow an admin user to do a password change; only a reset.