local/admin cannot change his expired password - changed chains

  • 7025152
  • 11-Jun-2021
  • 09-Sep-2021

Environment

Advanced Authentication 6.x

Situation

The password of local\admin expired, but the administrator can't login to the Enrollment Portal to change it. It's also not possible to use the Helpdesk portal to change the expired password. There are no external accounts added to the FULL ADMINS group. Thus, access to the AA Administrative Portal is locked.

Resolution

Note: It’s strongly recommended to create a snapshot before following the steps.
 
1. Get Event ID for the Authenticators Management event:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "SELECT id from event WHERE name='Authenticators Management';"
 
2. Get Chains assigned to the Authenticators Management event:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "SELECT * from event_logon_chain WHERE event_id='REPLACE BY EVENT ID FROM STEP 1';"
Please take a look on the number of rows at the bottom.
 
3. Get Chain ID for the Password Only chain:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "SELECT id, name, methods from logon_chain WHERE name='Password Only';"
 
4. Add the Password Only chain to the Authenticators Management event:
docker exec aaf_audb_1 psql -U root -d aucore_prod -P pager=off -c "insert into event_logon_chain (event_id, logon_chain_id, position, row_ver) values ('REPLACE BY EVENT ID FROM STEP 1', 'REPLACE BY CHAIN ID FROM STEP 3', 'REPLACE BY NUMBER OF ROWS FROM STEP 2', '2020-12-08 00:00:00.00000');"
This will add the chain to the next row.
 
Now, it's possible to login by the expired password to the Enrollment Portal and change the password.

Cause

The Password Only chain was removed for the Authenticators Management event. 

Additional Information

The Password Only chain is used by members of the LOCAL repository including local\admin. It must not be removed for the Authenticators Management and AdminUI events.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.