Forum Discussion

Martin_Robbins's avatar
Martin_Robbins
Icon for Nimbostratus rankNimbostratus
May 07, 2014

APM AD Query password change fails if User Display Name contains brackets ( )

Hello,

 

Does anyone have users in Active Directory that contain a set of brackets in the users' Display Name ?

 

I am not sure if I am going mad but we have found that we have some users that have something like (EXT) in their display name and when this user tries to change their password we get this delightful error in the apm log when the password change is attempted in the AD Query :

 

err apd[4851]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 715 Msg: EXCEPTION Unmatched ( or (

 

FAILS: User Display Name:Doe John, ABC-DEF-XYZ (EXT)

 

WORKS: User Display Name:Doe John, ABC-DEF-XYZ

 

Assuming this is a bug I will open a case but "I can't believe it .."

 

thanks,

 

APM
deployment
microsoft
security
TMOS

3 Replies

Sort By
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    May 07, 2014

    This is likely defect ID 442699. The problem occurs when Password Complexity Check function is enabled and displayName contains certain special characters.

     

    Please mention this to support. The problem will be fixed in upcoming rollup hotfix packages, including 11.4.1 hf4.

     

    In the meantime, you should be able to disable "Complexity check for Password Reset" to work around the problem.

     

  • Martin_Robbins's avatar
    Martin_Robbins
    Icon for Nimbostratus rankNimbostratus
    May 07, 2014

    That is exactly the issue, when I disable the complexity check then the password change goes through successfully.

     

    thanks

     

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    May 07, 2014

    Super! Thanks for the confirmation. The password complexity check feature essentially enables APM to do some special queries to determine if the proposed password from the user matches the policies in AD. With it enabled, the user will get an error before the password change is attempted if the complexity requirements are not met. If it's disabled, then the user will attempt the password change, but it will fail if complexity is not met.