Waters

Error "[NG14624] The password you used to log in has expired" when logging in to NuGenesis SDMS and the "Password never expires" attribute is cleared in Active Directory - WKB45960

Article number: 45960

SYMPTOMS

  • The following error message appears when logging in to an SDMS client application with an LDAP user ID:
    • [NG14624] The password you used to login has expired. Please contact your system administrator.
  • The error occurs when the "Password never expires" option is cleared in a user's account in Active Directory
  • If the "Password never expires" option is activated for the user account, the error message does not appear, and the user can log in to SDMS

ENVIRONMENT

  • NuGenesis 9 SDMS
  • NuGenesis 8 SDMS
  • SDMS is configured for LDAP authentication with a Microsoft Active Directory server on Windows Server 2008 or later

CAUSE

Either the user's password has expired (as determined by the "pwdLastSet" user account attribute and the "maxPwdAge" server attribute), or the maxPwdAge attribute is set to a value that SDMS cannot translate to a time interval. One such value is "0". Within Active Directory, this value means "never expire", but SDMS still tries to translate 0 to a time interval and fails. A maxPwdAge of 0 is commonly used when fine-grained password policies are active in the domain.

FIX or WORKAROUND

This issue is fixed in NuGenesis 9 SDMS.

For NuGenesis 8: first establish the current maxPwdAge setting for the server:

  1. On the DC, open Control Panel > Administrative Tools > Group Policy Management.
  2. Expand Group Policy Management > Forest: name > Domains > domain-name.
  3. Select "Default Domain Policy".
  4. Click the Settings tab.
  5. Right-click on the Default Domain Policy and click Edit.
  6. In the Group Policy Management Editor window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
  7. Record the value of "Maximum password age". The expected range of values is "never" (0) or 1 to 999 days.
  8. If the value is "never", SDMS will not allow the user to log in, because it cannot translate the maxPwdAge value to a time interval. This is registered as defect CRI-66. Workarounds:
    • Set the maxPwdAge to 999 days in the Default Domain Policy; or
    • Set the Directory Server Type in SDMS Administrator to "Sun Directory Server / iPlanet" and reset the authentication attribute to sAMAccountName

Determine the date when the password was last set for the user:

  1. Download and install the LDAP Browser tool on a client machine.
  2. Configure a connection in LDAP Browser with the same connection parameters that SDMS uses.
  3. Browse the directory tree until you find the user account in question.
  4. Scroll through the attributes list in the right-hand pane of the browser window for "pwdLastSet".
  5. Record the date/time stamp in pwdLastSet.
  6. If the pwdLastSet date plus the time interval from maxPwdAge is earlier than the current date, the password is expired.
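
The expiry check from the two procedures above can be reproduced on the raw attribute values read from the directory. The following Python sketch is an added example, not SDMS or Waters code; the function names and sample values are constructed for illustration. It assumes the raw Active Directory encodings (pwdLastSet as 100-nanosecond ticks since 1601-01-01 UTC, maxPwdAge as a negative tick interval) and does not evaluate fine-grained password policies.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl bit for "Password never expires"
NEVER_EXPIRE = (0, -0x8000000000000000)  # maxPwdAge values meaning "never expire"

# Constructed sample values (not taken from a real directory)
SAMPLE_PWD_LAST_SET = 133485408000000000  # 2024-01-01 00:00:00 UTC
SAMPLE_MAX_AGE_42D = -36288000000000      # 42 days
SAMPLE_MAX_AGE_999D = -863136000000000    # 999 days, the workaround value


def filetime_to_datetime(ticks):
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def max_age_interval(max_pwd_age):
    """Return maxPwdAge as a timedelta, or None when it means 'never expire'."""
    if max_pwd_age in NEVER_EXPIRE:
        return None  # the case that must not be converted to a time interval
    if max_pwd_age > 0:
        raise ValueError("maxPwdAge is stored as a negative interval")
    return timedelta(microseconds=-max_pwd_age // 10)


def password_expiry(pwd_last_set, max_pwd_age, uac=0):
    """Return the expiry time, or None if the password does not expire."""
    if uac & DONT_EXPIRE_PASSWD:
        return None
    age = max_age_interval(max_pwd_age)
    if age is None:
        return None
    return filetime_to_datetime(pwd_last_set) + age


def is_expired(pwd_last_set, max_pwd_age, uac=0, now=None):
    """Apply the check from the last step: pwdLastSet + maxPwdAge < now."""
    now = now or datetime.now(timezone.utc)
    if uac & DONT_EXPIRE_PASSWD:
        return False
    if pwd_last_set == 0:
        return True  # password must be changed at next logon
    expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    return expiry is not None and expiry < now


if __name__ == "__main__":
    for age in (SAMPLE_MAX_AGE_42D, SAMPLE_MAX_AGE_999D, 0):
        print(age, password_expiry(SAMPLE_PWD_LAST_SET, age),
              is_expired(SAMPLE_PWD_LAST_SET, age))
```
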

ADDITIONAL INFORMATION

Defect CRI-66 / INFLMS-6822 has been filed for this issue.
