ECTS user can't set their password

Topics: Internet/Extranet Edition
Sep 18, 2008 at 9:10 PM
Through the External user manager web part I can use the reset password option to reset the password without any issue.

If the user then goes into the "Update Your Account Information" and tries to set their password they get the error "The new password does not meet password history or complexity requirements."

I have tried using a simple password to one that was randomly generated, 20 characters long with mixed case, numbers and punctuation.  None of them have worked.

Does anyone have any suggestions or ideas what is going wrong?
Sep 22, 2008 at 3:25 PM
I came across this issue as well. I know that the password requirements sync with the server side settings of your domain. Whatever your domain policy is, is what the password requirement is for the passwords.  Hope that helps.
Sep 22, 2008 at 4:03 PM
Edited Sep 22, 2008 at 4:06 PM
Thanks for the response.  I am trying to use the ADAM instance as a stand-alone user store only for external users; it is not set to sync with any domain.  Are the password policies something that is inherited from the server's domain even if I have not set up any synchronization with the domain?  If the password policies are inherited then I am still at a loss because the passwords I used fit the domain password policies.

Also the reset password function works just fine.  I have tried using passwords similar to the ones that are generated by the reset password and they still don't work.
Sep 22, 2008 at 4:26 PM
Password policies are inherited from the domain server. My test environment is set up the same way with an ADAM instance, and all seems to be working fine. You can check your default policy on your server that is running ADAM and SharePoint to see if the policy matches your domain policy, which it should match since it's on the domain. If you modified any policy on the domain controller, restart your SharePoint/ADAM server so it can inherit your new policy settings. That's what I had to do in my environment.
Sep 26, 2008 at 4:23 PM

So after a support case with Microsoft I have gotten to the bottom of my issue.  The password policy for the Active Directory domain that the server with ADAM installed is in had been recently changed to require a minimum password age of 7 days. 

The code of this solution uses the Invoke method on the DirectoryEntry object for the user.  For the admin function of reset password it invokes "SetPassword" and for the user password change it invokes "ChangePassword".  The "SetPassword" requires elevated privileges on the DirectoryEntry object, only takes a single parameter of the new password, and is not subject to the password policy restrictions.  The "ChangePassword" can be called by the user, requires the original password to be passed, and is limited by the password policies.

When either "SetPassword" or "ChangePassword" is used the password change timestamp is updated, so with the 7 day minimum password age I can't use "ChangePassword" for 7 days after it has been set.

The password policies in ADAM are inherited from the machine that it is installed on.  If the machine is a stand-alone machine or in a workgroup you can set the policies locally; otherwise they are controlled by the domain the machine is a part of.

This leaves you with 2 options.

The first is drastic and not what I would consider a real solution in most cases.  You disable the password policy inheritance through ADAM ADSI Edit, attaching to the Configuration container. In the Config container expand the Services, Windows NT, Directory Service object. On the Directory Service object right click and go to properties. Find the attribute ADAMDisablePasswordPolicies and set its value to 1.  You can also use the dsmgmt.exe command line tool.  The command line tool is a little odd to use.  Here is a transcript of how you would change the value through the dsmgmt.exe tool:
dsmgmt.exe: Configurable Settings
configurable setting: Connections
server connections: Connect to server localhost:389
Binding to localhost:389 ...
Connected to localhost:389 using credentials of locally logged on user.
server connections: quit
configurable setting: Set ADAMDisablePasswordPolicies to 1
configurable setting: quit
dsmgmt.exe: quit

At this point restart the instance of ADAM and none of the password policies will be enforced.

The second option is to change the password policies on the server where ADAM is installed.  If it is a stand-alone machine or in a workgroup that is easy: just go into the Local Security Policy editor and change the policy.  If it is part of the domain you will have to create a new OU and place the machine into it, then define a new password policy for the machines in that OU.
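An added C# example, not code from ECTS or this thread, showing the two Invoke calls the post above describes and a pwdLastSet check against the minimum password age so a web part can tell the user why "ChangePassword" will fail instead of showing the generic policy error. It assumes ADAM on localhost:389 (as in the dsmgmt transcript), a placeholder user DN and the 7-day minimum age from this thread.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

static class AdamPasswords
{
    // Assumed values: ADAM on localhost:389, a placeholder user DN, and the 7-day minimum age from the thread.
    const string UserDn = "CN=jdoe,CN=Users,DC=extranet,DC=local";
    const string UserPath = "LDAP://localhost:389/" + UserDn;
    static readonly TimeSpan MinPasswordAge = TimeSpan.FromDays(7);
    const int ErrorPasswordRestriction = unchecked((int)0x8007052D); // HRESULT for Win32 error 1325

    // Admin reset: bound as an account with rights on the user object. Not policy-checked, but it
    // still updates pwdLastSet, which is what starts the minimum-age clock.
    public static void AdminReset(string adminUser, string adminPwd, string newPwd)
    {
        using (var user = new DirectoryEntry(UserPath, adminUser, adminPwd, AuthenticationTypes.Secure))
            user.Invoke("SetPassword", new object[] { newPwd });
    }

    // Earliest time a user-initiated change can succeed, derived from pwdLastSet. Null when unknown
    // or when pwdLastSet is 0 (must change at next logon), in which case no minimum age applies.
    public static DateTime? ChangeAllowedAfter(DirectoryEntry user)
    {
        var s = new DirectorySearcher(user, "(objectClass=*)", new[] { "pwdLastSet" }, SearchScope.Base);
        SearchResult r = s.FindOne();
        if (r == null || r.Properties["pwdLastSet"].Count == 0) return null;
        long fileTime = (long)r.Properties["pwdLastSet"][0];   // large-integer attribute arrives as Int64
        return fileTime == 0 ? (DateTime?)null : DateTime.FromFileTimeUtc(fileTime) + MinPasswordAge;
    }

    // Self-service change: bound as the user with the current password (simple bind, so use SSL
    // outside a test lab). Returns the message the web part would show to the user.
    public static string UserChange(string oldPwd, string newPwd)
    {
        using (var user = new DirectoryEntry(UserPath, UserDn, oldPwd, AuthenticationTypes.None))
        {
            DateTime? allowedAfter = ChangeAllowedAfter(user);
            if (allowedAfter.HasValue && allowedAfter.Value > DateTime.UtcNow)
                return "Password was set recently; it can be changed after " + allowedAfter.Value.ToString("u");
            try
            {
                user.Invoke("ChangePassword", new object[] { oldPwd, newPwd });
                return "Password changed.";
            }
            catch (TargetInvocationException ex) when (ex.InnerException is COMException ce)
            {
                return ce.ErrorCode == ErrorPasswordRestriction
                    ? "Rejected by the password policy (length, complexity, history or minimum age)."
                    : "Directory error: " + ce.Message;
            }
        }
    }
}
```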

Sep 26, 2008 at 5:01 PM
Wow, that's great information.  Thanks for passing it along! 

Oct 10, 2009 at 7:50 AM

I am also facing the same problem. If anyone is able to sort this out please let me know what to do and how to do it. Till yesterday it worked fine.

When I log in I am directly redirected to the "Update your security Profile" page and when I try to set a new password it is prompting me with the error message

"The new password does not meet password history or complexity requirements."

Please help me in this case.

Thanks in advance

Nov 6, 2009 at 2:42 AM

What is the password policy of the AD domain of the machine that you have ADAM installed on?  If you do not want to disable the password policy like I posted before then you have to conform to the existing policy.

To change the ADAM password policy you have to change the domain password policy, but if your Active Directory is in 2008 mode you can define a separate password policy and assign it to the machine you are using for ADAM.