Local/Admin user cannot access AA Administrative portal - password forgotten or lost

  • 7023511
  • 09-Nov-2018
  • 21-Jun-2021

Environment

Advanced Authentication
AAF 6.x

Situation

Unable to log in to the Advanced Authentication Administration portal
The password for the local\admin user has been lost or forgotten
Unable to access the Administration portal after the admin password has been lost
How to reset the admin password

Resolution

If the local\admin password has expired, it can be recovered as documented in TID 7022003.

If the password for the local\admin account has been lost or forgotten, recovery can be more difficult. The recovery options are as follows:

1. Authenticate to the admin or help desk page with a different admin or help desk user and reset the forgotten password for the user admin.

Note this important warning from the online documentation for Advanced Authentication 6.1 at https://www.netiq.com/documentation/advanced-authentication-61/server-administrator-guide/data/loggingintoadvancedauthentication.html

IMPORTANT: The password of the local\admin account expires by default. For uninterrupted access to the Administration portal, it is strongly recommended to add authorized users or a group of users from a configured repository to the FULL ADMINS role. Then you must assign chains, which contain methods that are enrolled for users, to the AdminUI event (at a minimum with an LDAP Password).

If no other admin or help desk users have been created, proceed to the other options below.

2. For Advanced Authentication version 6.3 SP1 or newer, you can reset the local\admin password either with the support tool SLAnalyzer or manually via an SSH session.

     2a. Download the support tool SLAnalyzer from: ftp://ftp.novell.com/pub/SLAnalyzer
           Download either SLAnalyzer.exe or SLAnalyzer.new. If you download SLAnalyzer.new, rename it to SLAnalyzer.exe after the download completes.
           Run the SLAnalyzer.exe installer to install the tool.
           After installation, run SLAnalyzer and navigate to Tools - Advanced Authentication - Reset Local Admin Pwd.

     2b. To manually force a reset via an SSH session, perform the following steps:

     1. Log in to the AuCore container:

          docker exec -ti aaf_aucore_1 /bin/bash

     2. Execute the script /opt/penv/bin/python $AUCORE_HOME/aucore/scripts/db_tools/dump/passwd.pyc $AUCORE_INI admin and enter the new password at the prompt:

          root@dba5a0fd9ae8:/opt/AuCore# /opt/penv/bin/python $AUCORE_HOME/aucore/scripts/db_tools/dump/passwd.pyc $AUCORE_INI admin
          Setting new password for admin
          Password:
          Write TOP\LOCAL\ADMIN

     3. Be careful: the script does not ask you to confirm the password, so whatever is typed at the single prompt becomes the new password.
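As an added example (not part of this TID or the product), the following POSIX sh wrapper for step 2b prompts for the new local\admin password twice and only runs the TID's reset command when both entries match, since passwd.pyc itself does not confirm. It assumes the container name aaf_aucore_1 and the paths shown in the session above, and that passwd.pyc reads the password from standard input when no TTY is attached.

```shell
#!/bin/sh
# Added wrapper (not part of the TID): confirms the new local\admin password
# before invoking the reset script from step 2b, because passwd.pyc itself
# does not ask for confirmation. Assumes the container name aaf_aucore_1 and
# that $AUCORE_HOME / $AUCORE_INI are set inside it, as in the TID session.

AAF_CONTAINER="${AAF_CONTAINER:-aaf_aucore_1}"

# read_secret PROMPT: read one line from stdin, with echo switched off when
# stdin is a terminal. The prompt goes to stderr, the value to stdout.
read_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then stty -echo; fi
    IFS= read -r line
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    printf '%s' "$line"
}

# confirm_password: prompt twice; succeed (and emit the password on stdout)
# only when both entries are identical and non-empty, otherwise fail and emit
# nothing so that no reset is attempted.
confirm_password() {
    p1=$(read_secret 'New password for local\admin: ')
    p2=$(read_secret 'Retype new password: ')
    if [ -z "$p1" ]; then
        echo 'error: empty password, nothing changed' >&2
        return 1
    fi
    if [ "$p1" != "$p2" ]; then
        echo 'error: passwords do not match, nothing changed' >&2
        return 1
    fi
    printf '%s' "$p1"
}

# reset_admin_password: run the TID's command inside the AuCore container and
# feed the confirmed password to its single "Password:" prompt via stdin
# (assumption: passwd.pyc reads stdin when no TTY is attached). printf is a
# shell builtin, so the password does not appear in the process list.
reset_admin_password() {
    pw=$(confirm_password) || return 1
    printf '%s\n' "$pw" | docker exec -i "$AAF_CONTAINER" /bin/sh -c \
        '/opt/penv/bin/python "$AUCORE_HOME/aucore/scripts/db_tools/dump/passwd.pyc" "$AUCORE_INI" admin'
}
```

Run reset_admin_password from the Advanced Authentication host where docker exec works; it exits non-zero without touching the database when the two entries differ.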

      Note: For Advanced Authentication versions 6.0 - 6.2, Micro Focus Customer Services has a Python script that can be used to reset an expired admin password on Advanced Authentication 6.x. Open a service request and ask for this script and instructions for running it.

3. If the password was changed from a previous value, and that earlier password is known, revert the Advanced Authentication server to a VMware snapshot taken while the previous password was in place. If the server is in a cluster, revert each server in the cluster to snapshots taken at the same time (or as close to the same time as possible). Note that authenticator enrollments made after the date of the snapshot will be lost.

IMPORTANT: Be sure to roll back all servers in the cluster to snapshots taken at or near the same time. Reverting to a snapshot on just the global master may lead to unexpected behavior; this has not been tested and the behavior cannot be predicted.


4. If a backup was exported while a known admin password was in place, start over: install a new appliance as a new global master server, then restore the database from the previously exported backup. Bring up other new servers to form the desired cluster and restore the database on these servers too. The admin password that was in place at the time the backup was made is required to import and decrypt the backup. See the instructions for exporting and importing the database in the online documentation at https://www.netiq.com/documentation/advanced-authentication-63/server-administrator-guide/data/t49ibqv7mw1s.html

Once access is restored, be sure to create additional admin or help desk users.