Unable to change Universal Password Error 0xfffffec1 "Access Denied"

This document (7011585) is provided subject to the disclaimer at the end of this document.

Environment

Novell eDirectory 8.7.3
Novell Modular Authentication Service version 2.3
NMAS 2.3
Nsure Identity Manager 2.0
Universal Password
Password Policies
Password Policy set to require unique passwords
Option chosen to "limit the number of passwords to store in the history list"

Situation

Unable to change Universal Password
Error -1696 changing Universal Password through Portal

Error -1696 changing Universal Password in NMAS trace

"Access Denied" when attempting the change the password through the Novell Client
Error 632 (system failure) changing Universal Password in ConsoleOne
When changing the password with the NetWare client, the following error is returned: "The attempt to change the password failed. The error code was 0xfffffec1 (-319).
In iManager -> Password Management -> Set Universal Password, the following error is returned: "Error: Password error The Set Password request failed."
In iManager -> eDirectory Administration -> Modify Object -> Restrictions tab on a user -> Set Password, the following error is returned: "Error: NDS Error -632 (Error -632) Unexpected results have occurred.
If the number of passwords to store is set to 3, an error will be returned when attempting to set the fourth password.

Resolution

Working as designed. Once the password history is full then the user is not allowed to change the password until a password in the password history has expired. This is to prevent a user from changing the password until the old password is no longer in the password history so that he/she can use it again.

This is commonly seen when the password policy does not have a value listed for "Remove password from history list after: " and the password has been changed several times before the password is set to expired according to the "Number of days before password expires" in the password policy. Not the password expiration date for the user. If no value is set for "Remove password from history list after: "and the password history is full, the -1696 error will be returned in an NMAS trace.

See TID 7009602 for capturing a NMAS trace from the server and TID 3331372 for getting an NMAS trace from the client.

Options to resolve:
a. Set the "Limit the number of days to store a password in the history list" of the password policy to 0. On the next password change (which will be allowed), the nspmPasswordHistory will be cleared with only the last password change stored.

b. Increase the number of passwords that may be stored. Bear in mind that this may only be a temporary fix if the number of password changes exceeds this setting within the amount of time specified in the "Limit the number of days to store a password in the history list" of the password policy.

c. The best option is to set a reasonable combination of values for the "Limit the number of days to store a password in the history list" and the number of passwords remembered. If it is common to make 30 password changes on a user in week for your environment, don't set it to remember 10 passwords for 30 days. If you don't want users to reuse the same password for at least 1 year, then a reasonable configuration would be to set the number of passwords to be remembered to be (approximately) 365 divided by the number of days until a password will expire under normal circumstances. For example, if your passwords expire every thirty days, then reasonable values might be 12 to 15 passwords stored. Note also that if you aren't concerned about storage space, you need not limit the number of passwords stored at all, and each changed password will be stored for the full time of the password history limit ("Limit the number of days to store a password in the history list").

Additional Information

1696 0xFFFFF960 NMAS_E_PASSWORD_HISTORY_FULL
The password change failed because the password history for the user cannot store any more passwords.

If unique passwords are required and the option is chosen to "limit the number of passwords to store in the history list," an attribute will be created on the user object called nspmPasswordHistory. A user's previous passwords are stored as values of this attribute. When the number of passwords entered in the nspmPasswordHistory matches the defined number of passwords to store, no more password changes will be allowed for that user. These passwords will be stored for the period of time specified in the "Limit the number of days to store a password in the history list" of the password policy. The rationale for limiting password history is to save storage space. The rationale for rejecting user password changes if the history is full is to prevent users from changing their password X times (where X is the number of passwords saved in the history), then going back to their "old favorite" password, which is no longer in the history list.

On the remote loader trace (level 3) of a connected system (AD is used in this example), the following error is seen when trying to set the password in the connected system and sync it to eDir:

DirXML Log Event -------------------
Driver = Some Driver
Thread = Publisher Channel
Level = error
Message = Code(-9010) An exception occurred: novell.jclient.JCException: generateKeyPair -632 ERR_SYSTEM_FAILURE<operation-data>
<password-publish-status>
<association>85f59fc3ae818042b2700c66eee31ad2</association>
</password-publish-status>
</operation-data>
Formerly known as TID# 10092158

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

Document ID:7011585
Creation Date:07-JAN-13
Modified Date:07-JAN-13
- NovellNMAS (Modular Authentication Service)
  Client
  Open Enterprise Server
  Open Workgroup Suite - Small Business Edition (NOWS SBE)
- SUSESUSE Linux Enterprise Server
- NetIQeDirectory

Did this document solve your problem? Provide Feedback