
Password change for users with checked account option „User must change password at next logon“ #216

Closed
Edvinas2 opened this issue Jun 21, 2018 · 13 comments

@Edvinas2

Hello,
I want to ask about password reset for new Windows Server 2016 users. I have configured the Self Service Password tool. This tool is working. But if I want to change the password for a user with the checked account option „User must change password at next logon“, Self Service shows the error „Login or password incorrect“.
With the „User must change password at next logon“ account option unchecked, the service is working.

I need the „User must change password at next logon“ account option for all new users, so that they change their password at first login in two different ways. The first one is the standard way at first login into the operating system. The second is with Self Service.

@coudot
Member

coudot commented Jun 21, 2018

Hello,

If you set AD mode in configuration, this should work by default. We have code that catches the "User must change password at next logon" case and allows the password change:

```php
if ( strpos($extended_error[2], '773') or strpos($extended_error[0], 'NT_STATUS_PASSWORD_MUST_CHANGE') ) {
    // ... the password change is allowed even though the user's bind failed
}
```

@Edvinas2
Author

The situation shown above is with $ad_mode = false;
With $ad_mode = true; the system shows the error "Password was refused by the LDAP directory"

@coudot
Member

coudot commented Jun 21, 2018

As the BIND does not succeed in this case, the password is changed with the $ldap_binddn which should have the right to do it.

@Edvinas2
Author

$ldap_binddn is a member of Administrators, Domain Admins, Enterprise Admins and Schema Admins. Locally with this user I can change passwords, and finally this bind user is working with $ad_mode = false;
Maybe this option is wrong? $hash = "clear";

@coudot
Member

coudot commented Jun 21, 2018

You can have more logs by setting $debug = true in configuration.

@Edvinas2
Author

Error log:
Notice: Undefined variable: hash in C:\xampp\htdocs\self-service\pages\change.php on line 172
Warning: ldap_mod_replace(): Modify: Server is unwilling to perform in C:\xampp\htdocs\self-service\lib\functions.inc.php on line 389

@Edvinas2
Author

Hash fixed to $hash = "auto";
Still have this error:
Warning: ldap_mod_replace(): Modify: Server is unwilling to perform in C:\xampp\htdocs\self-service\lib\functions.inc.php on line 389

@coudot
Member

coudot commented Jun 21, 2018

It may just be AD which refuses the password (not complex enough)

@Edvinas2
Author

My password policy only requires at least 8 characters and a password history of 24 passwords. I'm entering different passwords with 8 characters.

@Edvinas2
Author

When the user does not have rights to change the password, the message is: Warning: ldap_mod_replace(): Modify: Insufficient access in C:\xampp\htdocs\self-service\lib\functions.inc.php on line 389
But here it is: Warning: ldap_mod_replace(): Modify: Server is unwilling to perform in C:\xampp\htdocs\self-service\lib\functions.inc.php on line 389.

@coudot
Member

coudot commented Jun 22, 2018

Unwilling to perform is returned by AD if the connection is on LDAP and not LDAPS, or if the password quality is too low.
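An added example, not the Self Service Password project's own code, showing the flow discussed in this thread with PHP's LDAP extension: the user's bind fails with AD's "data 773" when "must change password at next logon" is set, the configured service account then performs the reset, and the unicodePwd write succeeds only over LDAPS. The host, DNs and passwords are placeholders; the 532 (password expired) code is added from AD's documented bind error codes.

```php
<?php
// Added example, not Self Service Password's own code; host, DNs and passwords are placeholders.
const AD_URI   = 'ldaps://dc01.example.test:636'; // plain ldap:// -> "unwilling to perform" on unicodePwd
const ADMIN_DN = 'CN=svc-ssp,OU=Service Accounts,DC=example,DC=test';
const ADMIN_PW = 'placeholder-service-account-password';

/** AD expects unicodePwd values as the password in double quotes, encoded UTF-16LE. */
function encodeUnicodePwd(string $password): string
{
    return iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
}
/** Extract the "data NNN" code AD puts in its bind diagnostic message (e.g. '773'). */
function adBindDataCode(string $diag): ?string
{
    return preg_match('/\bdata ([0-9a-f]+)\b/i', $diag, $m) ? strtolower($m[1]) : null;
}
function changeAdPassword(string $userDn, string $oldPw, string $newPw): string
{
    $ds = ldap_connect(AD_URI);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (@ldap_bind($ds, $userDn, $oldPw)) {
        // Normal case: the user changes their own password (delete old value, add new one).
        $ok = ldap_modify_batch($ds, $userDn, [
            ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [encodeUnicodePwd($oldPw)]],
            ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [encodeUnicodePwd($newPw)]],
        ]);
    } else {
        // "Must change password at next logon": AD refuses the bind but reports data 773
        // (532 = password expired). Any other code really is a wrong login or password.
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $code = adBindDataCode((string) $diag);
        if ($code !== '773' && $code !== '532') {
            return 'Login or password incorrect: ' . ldap_error($ds);
        }
        // The user cannot bind, so the service account resets the password; it only needs
        // "Reset password" on the user objects, far less than Domain Admins membership.
        if (!ldap_bind($ds, ADMIN_DN, ADMIN_PW)) {
            return 'Service account bind failed: ' . ldap_error($ds);
        }
        $ok = @ldap_mod_replace($ds, $userDn, ['unicodePwd' => encodeUnicodePwd($newPw)]);
    }
    // Either write is accepted only over LDAPS/TLS; on plain ldap:// AD answers error 53
    // "Server is unwilling to perform", the same code it uses for a policy-violating password.
    if (!$ok) {
        return sprintf('Password was refused by the LDAP directory: %s (%d)', ldap_error($ds), ldap_errno($ds));
    }
    return 'Password changed';
}
```

Because error 53 covers both the unencrypted connection and a password-policy rejection, check the LDAP URI scheme first when debugging this message, then the domain password policy.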

@Edvinas2
Author

Thank you. I have found the solution. In fact it was related to LDAPS.

@coudot coudot closed this as completed Jun 27, 2018
@smegnl

smegnl commented Aug 20, 2018

Can you expand on what your solution was? I am having the same issue.
$ad_mode = true;
$ad_options['change_expired_password'] = true;

I get "Password was refused" if change password is checked.
