Environment
Situation
User navigates to the SSPR login page
Clicks the forgotten password link
The user is presented with their challenge answers
The user provides the correct answers
The server returns the error 5027 ERROR_UNAUTHORIZED
Resolution
There is a current enhancement entered against SSPR to fix this condition (cast all LDAP specifiers to lower case), but due to time constraints it hasn't been fixed yet. Make sure to use the same case when configuring the LDAP specifiers: use all lower case or all upper case, i.e. (CN, DN, O, OU) or (cn, dn, o, ou).
Cause
The problem is due to the use of mixed character case across the SSPR LDAP settings.
In the setting password.allowChange.queryMatch the customer had the value of:
{"ldapProfileID":"default","ldapQuery":"(objectClass=*)","ldapBase":"o=NOVELL","type":"ldapQuery"}
This should be fine, but in the setting ldap.rootContexts they had the value of:
O=NOVELL
The problem is the character case of the LDAP organization specifier: O=NOVELL vs o=NOVELL. SSPR compares the two values as plain strings, so the differing case of the attribute type causes the queryMatch base to fall outside the configured root context.
To resolve this issue, either change the root context value to o=NOVELL or change the queryMatch ldapBase to O=NOVELL.
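The following is an added example, not SSPR code, that reproduces the comparison behaviour described above and audits a set of SSPR values for exactly this kind of mismatch. It models the root context check two ways: a plain string comparison (the behaviour reported here, where o=NOVELL does not match O=NOVELL) and a comparison with the attribute types lower-cased (the behaviour the pending enhancement would give). The sample settings are constructed from the values in this article; the DN parser is a simplification that assumes no escaped commas and no multi-valued RDNs.

```python
"""Audit SSPR LDAP settings for attribute-type case mismatches (added example).

Models the check between ldap.rootContexts and the ldapBase of
password.allowChange.queryMatch. Attribute types in a DN (o, ou, cn) are
case-insensitive per RFC 4514, but a plain string comparison is not.
"""
import json
import re

# Constructed sample settings modelled on the article's values (not a real SSPR export).
LDAP_ROOT_CONTEXTS = ["O=NOVELL"]
PASSWORD_ALLOWCHANGE_QUERYMATCH = json.loads(
    '{"ldapProfileID":"default","ldapQuery":"(objectClass=*)",'
    '"ldapBase":"o=NOVELL","type":"ldapQuery"}'
)

# One RDN: attribute type, '=', value. Assumption: no escaped commas, no '+' multi-valued RDNs.
RDN_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*([^,]*)")


def parse_dn(dn):
    """Split a DN into an ordered list of (attribute type, value) pairs, case preserved."""
    rdns = []
    for part in dn.split(","):
        m = RDN_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unparseable RDN: {part!r}")
        rdns.append((m.group(1), m.group(2).strip()))
    return rdns


def normalise_dn(dn):
    """Lower-case the attribute types only.

    Values are left untouched: whether a value is case-insensitive depends on the
    attribute's matching rule in the directory schema, which this script cannot see.
    """
    return ",".join(f"{t.lower()}={v}" for t, v in parse_dn(dn))


def base_under_root(ldap_base, root_context, strict):
    """True if ldap_base is the root context or an entry beneath it.

    strict=True  : compare as plain strings (the behaviour reported in this article).
    strict=False : compare with attribute types normalised to lower case.
    """
    if not strict:
        ldap_base, root_context = normalise_dn(ldap_base), normalise_dn(root_context)
    base_rdns, root_rdns = parse_dn(ldap_base), parse_dn(root_context)
    if len(root_rdns) > len(base_rdns):
        return False
    # A DN is under a root when its trailing RDNs equal the root's RDNs.
    return base_rdns[len(base_rdns) - len(root_rdns):] == root_rdns


def recase_types(dn, upper):
    """Rewrite the attribute types of dn in all upper or all lower case."""
    return ",".join(f"{t.upper() if upper else t.lower()}={v}" for t, v in parse_dn(dn))


def audit_case_consistency(query_matches, root_contexts):
    """Report every ldapBase that matches a root context only after normalisation.

    Such a base differs from the root purely by attribute-type case, which is the
    condition that produces the 5027 ERROR_UNAUTHORIZED described in the article.
    The suggested value recases the ldapBase to the root context's convention.
    """
    findings = []
    for qm in query_matches:
        base = qm["ldapBase"]
        for root in root_contexts:
            if base_under_root(base, root, strict=False) and not base_under_root(base, root, strict=True):
                root_is_upper = all(t.isupper() for t, _ in parse_dn(root))
                findings.append({
                    "ldapProfileID": qm.get("ldapProfileID", ""),
                    "ldapBase": base,
                    "rootContext": root,
                    "suggestedLdapBase": recase_types(base, upper=root_is_upper),
                })
    return findings


if __name__ == "__main__":
    for finding in audit_case_consistency([PASSWORD_ALLOWCHANGE_QUERYMATCH], LDAP_ROOT_CONTEXTS):
        print(json.dumps(finding))
```

Run against the article's values, the audit reports the single profile `default` with ldapBase o=NOVELL under root context O=NOVELL and suggests O=NOVELL; once both settings use the same case for the attribute types the audit returns nothing.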