Users get error -1665 attempting to change their Universal Password.

  • 3364214
  • 24-Jan-2007
  • 16-Mar-2012

Environment

Universal Password Enabled
Novell Modular Authentication Service version 2.3

Situation

Installed and enabled Universal Password
Users get error -1665 attempting to change their Universal Password.

Resolution

Fixed in NMAS version 2.3.5.1 - apply the most current version of NMAS in order to obtain this and the latest fixes for NMAS.

Additional Information

Universal Password includes several new attributes that are ultimately encrypted using the SDI tree key. If the Security Domain is not functioning properly, these attributes will not be correctly generated, and then it will be impossible for the user to change their password.

In one case, there were two eDirectory trees linked via DirXML. All users were synchronized bidirectionally between the two trees. Users are required to change their passwords in the "Workforce" tree, and those changes would sync to the other tree. The Tree keys weren't present on all servers in the "Workforce" tree, and the others only had 56-bit keys. Universal password needs the 168-bit keys for proper operation.

See Using SDIDiag to gather specific SDKey information from servers for instructions on how to tell whether your Security Domain Infrastructure is properly synchronized and operating. Note particularly in the process.txt output that every server has the same key and that it is a 168-bit key. If you need to generate new keys for your tree, see Using SDIDiag - Switches and Options, and look particularly at the SD command with the -G option.

Often, even once the Tree keys have been properly generated or synchronized, users will continue to experience the same error, because their existing universal password data was corrupted by using the previously bad tree key. In this case, if it is not too much trouble, you can just delete and re-create the affected user objects. In the above case, there were user objects present in two trees, and only one tree had bad tree keys, so you could delete the user object from that tree and allow it to resynchronize from the other tree.

If Universal Password is enabled, unique passwords are required, and the Universal Password is older than the NDS password, then a password set/change fails with the NMAS_E_LOGIN_ATTRIBUTE_NOT_FOUND (-1665) error. This should not happen.
So the password policy agent (ppa.c) needs to be changed so that the password history check does not return an error when the attempt to read the current password returns NMAS_E_LOGIN_ATTRIBUTE_NOT_FOUND (-1665).
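The following C model is an added illustration of that change, not Novell's ppa.c; the -1665 code is the one quoted in this TID, while the struct, the read function and PPA_E_PASSWORD_REUSED are constructed assumptions. It shows why returning the read error from the uniqueness check blocks a user who simply has no current Universal Password data yet.

```c
#include <string.h>
/* -1665 is the code quoted in the TID; every other name here is a constructed model, not NMAS code. */
#define NMAS_E_LOGIN_ATTRIBUTE_NOT_FOUND (-1665)
#define PPA_E_PASSWORD_REUSED (-1)   /* hypothetical "unique password rule violated" result */

/* Constructed stand-in for the user's password state as the policy agent sees it. */
struct user_pw {
    const char *current_upw;   /* NULL models the Universal Password attribute being absent */
    const char *history[8];    /* previous Universal Passwords */
    int history_len;
};

/* Models "read the current Universal Password": 0 on success, -1665 if the attribute is missing. */
static int read_current_upw(const struct user_pw *u, const char **out)
{
    if (u->current_upw == NULL)
        return NMAS_E_LOGIN_ATTRIBUTE_NOT_FOUND;
    *out = u->current_upw;
    return 0;
}

/* Uniqueness rule: the candidate must differ from the current and every historical password. */
static int matches_history(const struct user_pw *u, const char *current, const char *candidate)
{
    if (current != NULL && strcmp(current, candidate) == 0)
        return 1;
    for (int i = 0; i < u->history_len; i++)
        if (strcmp(u->history[i], candidate) == 0)
            return 1;
    return 0;
}

/* Broken behaviour the TID describes: any read failure is returned as-is, so -1665 ends the change. */
int history_check_before_fix(const struct user_pw *u, const char *candidate)
{
    const char *current = NULL;
    int rc = read_current_upw(u, &current);
    if (rc != 0)
        return rc;   /* surfaces as -1665 on the password change */
    return matches_history(u, current, candidate) ? PPA_E_PASSWORD_REUSED : 0;
}

/* Fixed behaviour: "attribute not found" means nothing to compare the current value against,
 * so the check proceeds on history alone; any other read error still fails the change. */
int history_check_after_fix(const struct user_pw *u, const char *candidate)
{
    const char *current = NULL;
    int rc = read_current_upw(u, &current);
    if (rc != 0 && rc != NMAS_E_LOGIN_ATTRIBUTE_NOT_FOUND)
        return rc;
    return matches_history(u, current, candidate) ? PPA_E_PASSWORD_REUSED : 0;
}
```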
Formerly known as TID# 10093969