Return
-
Title
The PMSelfService site does not accept known, working passwords in the "Manage my Password" Workflow -
Description
In the PMSelfService site, it is possible to find users and reset their passwords using the "Forgot My Password" Workflow, but any Workflow which requires entering the current password will not accept a known, working password and just fails with the error:Username or password is incorrect.
In the verbose logging for the service, the following error message is encountered:
2024-08-31 16:59:37:266 E [14032:103] QPM.Service.Modules.ADHelpers.dll ADHelper.ValidateCredentials() >> 00002028: LdapErr: DSID-0C09032F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563 -
Cause
LDAPS is required by policy on the target Active Directory Domain Controller, but LDAPS is not enabled on the Password Manager host.
NOTE: The relevant group policy on the target Active Directory Domain Controller is: Security Options | Domain controller: LDAP server signing requirements being set to Require signing -
Resolution
WORKAROUND 1
Enable LDAPS on the Password Manager host.
NOTE: This will affect all domain connections within Password Manager.
WORKAROUND 2
Change the policy on the target Active Directory Domain Controller so that unsigned LDAP communication is permitted.