"ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator." #596
Comments
geoperez
added
the
help wanted
|
Hi, I have the same issue with the same warn message. warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0] I tested the connection between my server and one of my AD server on port 389 : all is fine. I tried to change almost all the options to test, but I can't find something. Many thanks. Edit : I changed the debug level from debug to Trace, and this is what I got : info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0] info: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2] trce: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2] trce: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[3] trce: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[3] trce: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[4] |
|
Hello, nobody has an idea please? Thanks. |
|
Hello, I had the same issue, |
|
@hkml2000 : Thank you for your solutions.
@edit : solved by adding only one group in restrictedAdGroup |
|
We fixed this by following the instructions here and setting the minimum password age to 0. It was previously set to 1 in our environment. |
|
I ran into the same error message this morning when testing passcore for my work environment and found what seems to be a bug. In the "PasswordChangeProvider", there is a method invoked to validate the groups of the users and at some point it looks for the appsetting "AllowedADGroups". Here is what the code looks like : The appsetting "AllowedADGroups" documentation says the following :
However, with the way it is currently written, it appears that if the array is empty, it will return an ApiErrorItem instead. That is because What I think could fix this issue is by either making it so As for me, I did apply the second fix (changing the condition) and I managed to successfully change the password of the AD accounts. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
Looks like this should still be looked at... |
|
Same error on my AD domain/forest. Log files don't contain interesting information |
|
Have you tried changing minimum password age to 0? |
PassCore Server
OS: [Windows]
Provider: [Active Directory]
Settings file (without sensitive information):
{
"Logging": {
"IncludeScopes": false,
"LogLevel": {
"Default": "Debug",
"System": "Information",
"Microsoft": "Information"
}
},
"WebSettings": {
"EnableHttpsRedirect": true
},
"AppSettings": {
// The following options for AD Provider (remove if you don't use this Provider)
"UseAutomaticContext": true, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
"RestrictedADGroups": [
"Administrators",
"Domain Admins",
"Enterprise Admins"
], // Set the AD groups to restrict the use of PassCore
"AllowedADGroups": ["Domain Users"], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
"IdTypeForUser": "UPN", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)
"UpdateLastPassword": false, // Set true to allow PassCore to update the last password timestamp
// The following options are for LDAP Provider (remove if you don't use this Provider)
"LdapSearchBase": "ou=people,dc=example,dc=com",
"LdapSecureSocketLayer": false, // Default for AD is true when using LDAPS 636
"LdapStartTls": false, // Default for AD is true when using LDAP 389
"LdapChangePasswordWithDelAdd": true,
"LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"
// General options (valid for both providers)
"LdapHostnames": [ "" ], // Set your hostname(s)
"LdapPort": 389, // Default for AD is 389, for LDAPS 636
"LdapUsername": "", // Set the username or distinguish name (DN) to bind the LDAP server
"LdapPassword": "", // Set the password for the username
"DefaultDomain": "" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.
},
"ClientSettings": {
"ValidationRegex": {
"EmailRegex": "^[a-zA-Z0-9.!#$%&’+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)$",
"UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
},
"UsePasswordGeneration": false, //Set true to let PassCore create a new password for the current account. If true the user can not customize its new password.
"MinimumDistance": 0, //The minimum distance beetween the old and the new password, this is used to enforce the edit distance using the levenshtein distance algorithm.
"PasswordEntropy": 16, // the number of bytes of entropy to use for generated passwords
"ShowPasswordMeter": true,
"MinimumScore": 0, //The minimum acceptable score that the user's new password needs to get at being evaluated by ZXCVBN to be established as the new password.
"Recaptcha": {
"SiteKey": "", // ReCAPTCHA public key: replace this! or leave empty if you don't need ReCAPTCHA
"PrivateKey": "", // ReCAPTCHA private key: replace this! or leave empty if you don't need ReCAPTCHA
"LanguageCode": "en"
},
"UseEmail": "true",
"ApplicationTitle": "Change Account Password | Self-Service Account Management Tools",
"ChangePasswordTitle": "Change Account Password",
"ChangePasswordForm": {
"HelpText": "If you are having trouble with this tool, please contact IT Support",
"UsernameLabel": "Username",
"UsernameHelpblock": "Your organization's email address",
"UsernameDefaultDomainHelperBlock": "Your organization's username",
"CurrentPasswordLabel": "Current Password",
"CurrentPasswordHelpblock": "Enter your current password",
"NewPasswordLabel": "New Password",
"NewPasswordHelpblock": "Enter a strong password. You can use this tool to help you create one; use the XKCD (random sep, pad digit), or NTLM, options.",
"NewPasswordVerifyLabel": "Re-enter New Password",
"NewPasswordVerifyHelpblock": "Enter your new password again",
"ChangePasswordButtonLabel": "Change Password"
},
"ErrorsPasswordForm": {
"FieldRequired": "This field is required",
"UsernamePattern": "Please enter a valid username",
"UsernameEmailPattern": "Please enter a valid email address",
"PasswordMatch": "Passwords do not match"
},
"Alerts": {
"SuccessAlertTitle": "You have changed your password successfully.",
"SuccessAlertBody": "Please note it may take a few hours for your new password to reach all domain controllers.",
"ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator.",
"ErrorInvalidCredentials": "You need to provide the correct current password.",
"ErrorInvalidDomain": "You have supplied an invalid domain to logon to.",
"ErrorInvalidUser": "We could not find your user account.",
"ErrorCaptcha": "Could not verify you are not a robot.",
"ErrorFieldRequired": "Fulfill all the fields.",
"ErrorFieldMismatch": "The passwords do not match.",
"ErrorComplexPassword": "Failed due to password complex policies: New password length is shorter than AD minimum password length",
"ErrorConnectionLdap": "Unhandled error connecting to the LDAP server.",
"ErrorScorePassword": "The password you are trying to set is not secure enough.",
"ErrorDistancePassword": "The password you are trying to set is not diferent enough of your last password.",
"ErrorPwnedPassword": "The password you are trying to use is publicly known and can be used in dictionary attacks."
}
}
}
Log file (without sensitive information):
[Microsoft.AspNetCore.Mvc.IActionResult] Post(Unosquare.PassCore.Web.Models.ChangePasswordModel) on controller Unosquare.PassCore.Web.Controllers.PasswordController (Unosquare.PassCore.Web).
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
Describe the bug
To Reproduce
Steps to reproduce the behavior:
Tried setting the "AllowedADGroups" to "domain users" and also tried it default (empty), but none work
Expected behavior
A succesful password change is to be expected, but not working
Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: