local/admin cannot change his expired password - changed chains

  • 7025152
  • 11-Jun-2021
  • 09-Sep-2021

Environment

Advanced Authentication 6.x

Situation

The password of local\admin expired, but the administrator can't log in to the Enrollment Portal to change it. The Helpdesk portal cannot be used to change the expired password either. No external accounts have been added to the FULL ADMINS group, so access to the AA Administrative Portal is locked.

Resolution

Note: It’s strongly recommended to create a snapshot before following the steps.

1. Get the Event ID for the Authenticators Management event:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "SELECT id from event WHERE name='Authenticators Management';"

2. Get the chains assigned to the Authenticators Management event:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "SELECT * from event_logon_chain WHERE event_id='REPLACE BY EVENT ID FROM STEP 1';"
Note the row count that psql prints at the bottom of the output (the "(N rows)" line); it is used as the position in step 4.

3. Get the Chain ID for the Password Only chain:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "SELECT id, name, methods from logon_chain WHERE name='Password Only';"

4. Add the Password Only chain to the Authenticators Management event:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "insert into event_logon_chain (event_id, logon_chain_id, position, row_ver) values ('REPLACE BY EVENT ID FROM STEP 1', 'REPLACE BY CHAIN ID FROM STEP 3', 'REPLACE BY NUMBER OF ROWS FROM STEP 2', '2020-12-08 00:00:00.00000');"
This adds the chain at the next free position for the event.

It is now possible to log in to the Enrollment Portal with the expired password and change it.
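The four steps above as one script, added here as an example and not part of the KB article. It reuses the container, user, database, table and column names from the article's commands, derives the position from count(*) instead of reading the "(N rows)" line by hand, and refuses to insert a duplicate row if the Password Only chain is already assigned; the guard variable RUN_RESTORE and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the KB article): runs the four Resolution steps
# as one script and skips the INSERT if the Password Only chain is already
# assigned. Container, user, database and table names come from the article's
# commands; everything else here is an assumption of this example.

DB_CONTAINER="${DB_CONTAINER:-aaf_audb_1}"
DB_USER="${DB_USER:-root}"
DB_NAME="${DB_NAME:-aucore_prod}"
EVENT_NAME="Authenticators Management"
CHAIN_NAME="Password Only"
ROW_VER="2020-12-08 00:00:00.00000"   # literal reused from step 4 of the article

# Execute one statement; -A -t prints tuples only, so a single value can be captured.
run_sql() {
    docker exec "$DB_CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" -P pager=off -A -t -c "$1"
}

# Statement builders (steps 1-4), kept separate so they can be checked without a database.
event_id_sql()  { printf "SELECT id FROM event WHERE name='%s';" "$1"; }
chain_id_sql()  { printf "SELECT id FROM logon_chain WHERE name='%s';" "$1"; }
row_count_sql() { printf "SELECT count(*) FROM event_logon_chain WHERE event_id='%s';" "$1"; }
assigned_sql()  {
    printf "SELECT count(*) FROM event_logon_chain WHERE event_id='%s' AND logon_chain_id='%s';" "$1" "$2"
}
insert_sql() {
    printf "INSERT INTO event_logon_chain (event_id, logon_chain_id, position, row_ver) VALUES ('%s', '%s', %s, '%s');" "$1" "$2" "$3" "$ROW_VER"
}

# Re-attach the Password Only chain to the Authenticators Management event.
restore_password_only_chain() {
    event_id=$(run_sql "$(event_id_sql "$EVENT_NAME")")
    chain_id=$(run_sql "$(chain_id_sql "$CHAIN_NAME")")
    if [ -z "$event_id" ] || [ -z "$chain_id" ]; then
        echo "event or chain not found; check the names" >&2
        return 1
    fi
    if [ "$(run_sql "$(assigned_sql "$event_id" "$chain_id")")" != "0" ]; then
        echo "chain already assigned to the event; nothing to do" >&2
        return 0
    fi
    # The current row count is the next free position, as step 4 of the article uses it.
    position=$(run_sql "$(row_count_sql "$event_id")")
    run_sql "$(insert_sql "$event_id" "$chain_id" "$position")"
}

# Only touch the database when explicitly asked: RUN_RESTORE=1 sh restore_chain.sh
if [ "${RUN_RESTORE:-0}" = "1" ]; then
    restore_password_only_chain
fi
```

Take the snapshot recommended above before running it with RUN_RESTORE=1; without that variable the script only defines the functions.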

Cause

The Password Only chain was removed from the Authenticators Management event.

Additional Information

The Password Only chain is used by members of the LOCAL repository, including local\admin. It must not be removed from the Authenticators Management and AdminUI events.