Code(-9202) followed by Unable to generate password: 9699 UNKNOWN ERROR

  • 7014667
  • 28-Feb-2014
  • 03-Jun-2015

Environment

NetIQ Identity Manager Engine Functionality

Situation

After installing eDirectory 887 patch 5 or 888 patch 1, the following error occurs in IDM when the random password generator noun is used in a policy.

Message: Code(-9202) Error in vnd.nds.stream(Driver name ....)-pub-cp-PublisherCreate#XmlData:32 : Unable to generate password: 9699 UNKNOWN ERROR

DirXML Log Event -------------------
Driver: (Driver name....)
Channel: Subscriber
Status: Error
Message: Code(-9202) Error in vnd.nds.stream:(Driver name....)/Subscriber/PasswordHandler#XmlData:237 : Unable to generate password: 9699 UNKNOWN ERROR

Resolution

So that the random password noun in a policy can handle more complex password policies, it now evaluates the entire policy rather than only parts of it. This works unless the password policy contains rules that require the user to already exist, for example a rule excluding passwords found in the user's password history. Because the user does not yet exist when the password is generated, the error occurs. To work around this, do the following:
1) Create a new password policy that is the same as the existing password policy, minus the rules that require a user lookup.
2) Do not assign this new password policy to the user container; use it only to generate the random password for users during the user add from IDM policies.

Additional Information

NOTE: Be careful with the Use Microsoft Complexity option, because by default that checks user information.
Following is the definition of the w2k8 password policy:

1. 6 <= password length <= 512
2. At least one character from three of the five types of characters: uppercase, lowercase, numeric, non-alphanumeric characters, and other characters (Unicode)
3. Password can't contain the full name or CN of the user
4. Password can't contain any of the excluded passwords

Excluding the checks for user-specific attributes, this is almost equivalent to
the following XML password policy (nspmComplexityRules attribute). See
description:
<ComplexityPolicies>
  <Policy>
    <RuleSet>
      <Rule MinPwdLen="6"/>
    </RuleSet>
    <RuleSet>
      <Rule MaxPwdLen="512"/>
    </RuleSet>
    <RuleSet ViolationsAllowed="1">
      <Rule MinUppercase="1"/>
      <Rule MinLowercase="1"/>
      <Rule MinNumeric="1"/>
      <Rule MinSpecial="1"/>
    </RuleSet>
  </Policy>
</ComplexityPolicies>
Note that the policy doesn't contain the fifth rule for unicode characters.

But the logic behind allowing one or more violations (3 out of 5) is to make it easier for the user to select a password. If a random password is being generated by NMAS, such a facility is not required. Having the password policy as follows will be good enough:

nspmMinimumLength: 6
nspmMaximumLength: 512 // set it to a smaller value for usability
nspmMinLowerCaseCharacters: 1
nspmMinUpperCaseCharacters: 1
nspmMinNumericCharacters: 1
nspmMinSpecialCharacters: 1

So, when a random password is being generated for a user who has been assigned a w2k8 policy, the NMAS w2k8 policy can be used. But when a random password (complying with the w2k8 policy) is being generated from an NMAS password policy, the policy should have one of the above two forms. Basically, there have to be two separate policies.
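As an added illustration (not NetIQ or NMAS code), the following Python evaluates a candidate password against the ComplexityPolicies XML above, using the reading the article gives for ViolationsAllowed (a RuleSet passes when at most that many of its Rules fail), and against the stricter nspm* attribute form. A small CSPRNG-based generator built from the strict form shows that what it produces satisfies both policies, while a password that only meets "3 of 4" classes passes the XML policy but not the strict one. The character-class counting, the generator and the use of the nspm* attribute names as dictionary keys are assumptions of this example, not NMAS's implementation.

```python
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed sample: the ComplexityPolicies XML quoted in the article.
W2K8_COMPLEXITY_XML = """<ComplexityPolicies>
  <Policy>
    <RuleSet><Rule MinPwdLen="6"/></RuleSet>
    <RuleSet><Rule MaxPwdLen="512"/></RuleSet>
    <RuleSet ViolationsAllowed="1">
      <Rule MinUppercase="1"/>
      <Rule MinLowercase="1"/>
      <Rule MinNumeric="1"/>
      <Rule MinSpecial="1"/>
    </RuleSet>
  </Policy>
</ComplexityPolicies>"""

# The stricter attribute form from the article, as a plain dict (assumed layout).
STRICT_NSPM_POLICY = {
    "nspmMinimumLength": 6,
    "nspmMaximumLength": 512,
    "nspmMinLowerCaseCharacters": 1,
    "nspmMinUpperCaseCharacters": 1,
    "nspmMinNumericCharacters": 1,
    "nspmMinSpecialCharacters": 1,
}


def _counts(pw):
    """Character-class counts; 'special' is anything non-alphanumeric (assumption)."""
    return {
        "length": len(pw),
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "numeric": sum(c.isdigit() for c in pw),
        "special": sum(not c.isalnum() for c in pw),
    }


_RULE_CHECKS = {
    "MinPwdLen": lambda c, v: c["length"] >= v,
    "MaxPwdLen": lambda c, v: c["length"] <= v,
    "MinUppercase": lambda c, v: c["upper"] >= v,
    "MinLowercase": lambda c, v: c["lower"] >= v,
    "MinNumeric": lambda c, v: c["numeric"] >= v,
    "MinSpecial": lambda c, v: c["special"] >= v,
}


def check_complexity_xml(xml_text, password):
    """True if every <RuleSet> passes. A RuleSet passes when the number of failing
    <Rule>s is <= its ViolationsAllowed (default 0). A Rule attribute this example
    does not know is an error rather than a silent pass."""
    counts = _counts(password)
    for ruleset in ET.fromstring(xml_text).iter("RuleSet"):
        allowed = int(ruleset.get("ViolationsAllowed", "0"))
        failures = 0
        for rule in ruleset.findall("Rule"):
            for attr, value in rule.attrib.items():
                if attr not in _RULE_CHECKS:
                    raise ValueError(f"unsupported rule attribute: {attr}")
                if not _RULE_CHECKS[attr](counts, int(value)):
                    failures += 1
        if failures > allowed:
            return False
    return True


def check_strict_nspm(policy, password):
    """Every minimum must be met: no 'N out of M' leniency."""
    c = _counts(password)
    return (policy["nspmMinimumLength"] <= c["length"] <= policy["nspmMaximumLength"]
            and c["lower"] >= policy["nspmMinLowerCaseCharacters"]
            and c["upper"] >= policy["nspmMinUpperCaseCharacters"]
            and c["numeric"] >= policy["nspmMinNumericCharacters"]
            and c["special"] >= policy["nspmMinSpecialCharacters"])


def generate_strict_password(policy, length=16):
    """Hypothetical generator (not NMAS's): draw the required count from each class
    with a CSPRNG, fill the remainder from the union of classes, then shuffle."""
    required = [
        (string.ascii_lowercase, policy["nspmMinLowerCaseCharacters"]),
        (string.ascii_uppercase, policy["nspmMinUpperCaseCharacters"]),
        (string.digits, policy["nspmMinNumericCharacters"]),
        (string.punctuation, policy["nspmMinSpecialCharacters"]),
    ]
    if not policy["nspmMinimumLength"] <= length <= policy["nspmMaximumLength"]:
        raise ValueError("requested length is outside the policy bounds")
    if length < sum(n for _, n in required):
        raise ValueError("requested length cannot hold the required classes")
    chars = [secrets.choice(alphabet) for alphabet, n in required for _ in range(n)]
    union = "".join(alphabet for alphabet, _ in required)
    chars += [secrets.choice(union) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("Abcdef1", "Abcde1!", generate_strict_password(STRICT_NSPM_POLICY, 12)):
        print(pw, check_complexity_xml(W2K8_COMPLEXITY_XML, pw),
              check_strict_nspm(STRICT_NSPM_POLICY, pw))
```

"Abcdef1" has no special character, so it passes the XML policy (one violation allowed in the class RuleSet) but fails the strict form; anything the strict generator emits satisfies both, which is why the article's stricter attribute list is sufficient when NMAS, rather than a person, picks the password.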