15.5 Troubleshooting User Issues with Self Service Password Reset

15.5.1 Obtaining the User Debug Information

Self Service Password Reset provides a tool that displays detailed information about a user to help you troubleshoot many different issues. The User Debug tool displays the following information about a specific user account:

  • Profiles

  • Assigned modules

  • Permissions

  • Password policy defined in Self Service Password Reset

  • Password policy defined in the LDAP directory

  • Where the response information is stored

  • Challenge profile

This information helps you troubleshoot when users cannot log in or when users do not see the modules you have assigned to them.

To access the User Debug tool:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. Click the Administration module.

  3. Click More Options > User Debug.

  4. Specify the name of the user account you want to debug.

  5. View the information about the user to help troubleshoot issues.

  6. (Optional) Click Download to download a JSON file with the information to give to technical support.

Technical support might ask for this information to help troubleshoot issues. The troubleshooting bundle that you download for support contains a debug report for a couple of the most recent users who logged in to Self Service Password Reset.

15.5.2 Users in Active Directory See Delays in Accessing the User Website

Issue: When the LDAP identity source is Active Directory, sometimes users see a delay when accessing the user website for Self Service Password Reset.

Solution: One of the major performance issues in an Active Directory network is reverse DNS resolution. Disable Settings > Security > Application Security > Enable Reverse DNS. If performance improves, there are DNS issues in your network that you must resolve before you enable reverse DNS resolution again.

If turning off reverse DNS resolution does not help, review the logs and compare the timestamps to ensure that time is synchronized between your Active Directory servers and the server running the Self Service Password Reset application.
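
To confirm that reverse DNS is the cause before you re-enable the setting, you can time PTR lookups from the server running Self Service Password Reset. The following Python script is an added example, not part of the product or its documentation; the sample addresses and the 0.5-second threshold are assumptions to replace with values from your environment.

```python
import socket
import time

# Constructed sample: documentation-range addresses standing in for the client
# and domain controller IPs you would take from your own environment.
SAMPLE_ADDRESSES = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]


def time_reverse_lookups(addresses, resolver=socket.gethostbyaddr,
                         clock=time.perf_counter, slow_after=0.5):
    """Time a reverse (PTR) lookup for each address and classify the outcome.

    resolver and clock are injectable so the logic can be exercised offline.
    slow_after (seconds) is an assumed threshold, not a product setting.
    """
    results = []
    for addr in addresses:
        start = clock()
        try:
            hostname = resolver(addr)[0]
            status = "ok"
        except OSError:
            # socket.herror, socket.gaierror and timeouts all derive from OSError.
            hostname = None
            status = "failed"
        elapsed = clock() - start
        # A lookup that succeeds but takes too long still delays the user.
        if status == "ok" and elapsed > slow_after:
            status = "slow"
        results.append({"address": addr, "hostname": hostname,
                        "seconds": round(elapsed, 3), "status": status})
    return results


def problem_addresses(results):
    """Return the addresses whose reverse lookup was slow or failed."""
    return [r["address"] for r in results if r["status"] != "ok"]


if __name__ == "__main__":
    for row in time_reverse_lookups(SAMPLE_ADDRESSES):
        print("{address:15} {status:7} {seconds:>7}s {hostname}".format(**row))
```

Addresses reported as slow or failed point to missing PTR records or unreachable DNS servers to fix before you enable reverse DNS again.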

15.5.3 Users Did Not Complete the Forgotten Password Process

Issue: A user started the forgotten password process and did not complete the process. The user cannot log in to Self Service Password Reset any longer.

Solution: When a user starts the password change process by clicking Forgotten password, a random password is generated. If the user cancels the process without completing it, the user cannot use the old password. This happens because Self Service Password Reset recognizes the random password that was created when the user clicked Forgotten password.

To resolve this issue, perform the following:

  • For Active Directory, you can enable the Use Proxy When Password Forgotten setting in the Configuration Editor under LDAP > LDAP Settings > Microsoft Active Directory.

  • For eDirectory and Oracle Directory Server, have the user start the forgotten password process again and complete the process. The forgotten password process forces the users to reset their passwords.

15.5.4 Helping Users Change the Default Language of Self Service Password Reset

There are two options for changing the default language. With the first option, users change the default language themselves. With the second option, you provide a URL that automatically displays the desired language.

  • Users click the language option at the bottom of the Self Service Password Reset screen and select the desired locale. The language option displays the language that the page is currently using.

  • As an administrator, you can override the default language through the locale parameter by using a link to Self Service Password Reset. For example, http://sspr.example.com/sspr/?locale=sv.

This sets the locale to Swedish and overrides the browser locale settings.

15.5.5 How to Enable Windows Desktop to Support Forgotten Password Reset

Integrating Self Service Password Reset with Novell Client Login Extension (CLE) enables the Windows desktop to support forgotten password reset.

CLE facilitates password self-service by adding a link to the Microsoft Credential Provider (MSCP) and Microsoft GINA login clients. When users click the Forgot Password link in their login client, CLE launches a restricted browser to access the Password Self-Service feature on the login clients. For more information about how to integrate CLE with Self Service Password Reset, see the Client Login Extension User Guide.

15.5.6 How to Make Self Service Password Reset Honor the Active Directory Password History Policy

Forgotten Password recovery or reset is generally performed by using a proxy or administrator’s account in Self Service Password Reset. However, you can configure it to use the user's account while setting the forgotten password by disabling Use Proxy When Password Forgotten in the Configuration Editor under LDAP > LDAP Settings > Microsoft Active Directory. In this scenario, the Active Directory policy is disabled while changing the password.

However, this does result in a temporary password being set on the user's account just before they set a new password. This can cause issues if there is a minimum lifetime set for the password policy.