Forgotten Password Module PWM 5006 The username is not valid or is not eligible to use this feature


cha...@gmail.com

Oct 13, 2015, 11:32:42 AM
to pwm-general

I have seen this issue pop up in the discussion forums multiple times, but there is either no confirmed answer or the thread is no longer active.

I have PWM set up with Tomcat 7, Java 1.8, and using Active Directory for authentication. Currently I am only using LocalDB to store responses while testing, and PWM had been working fine until I started configuring some challenges. I assume this is what caused the issue, as the logs point to challenges being the issue. I can successfully change my password by logging into the portal with my current password and going through the Change Password prompts. If I click Forgotten Password and enter my username (in this case, username being UPN), I receive the following message:


PWM 5006

The username is not valid or is not eligible to use this feature


I have the logs set to TRACE and LDAP wiretrace enabled. I can see that my username gets processed successfully, but something about the challenge responses is not set correctly or is set in a way that PWM does not like:

2015-10-13T11:01:13Z, TRACE, ldap.LdapPermissionTester, {23} begin check for ldapQuery match for UserIdentity{"userDN":"myUsername","ldapProfile":"default"} using queryMatch: (objectClass=*) [192.168.1.118]
2015-10-13T11:01:13Z, TRACE, ldap.LdapPermissionTester, {23} queryMatch check is guaranteed to be true, skipping ldap query [192.168.1.118]
2015-10-13T11:01:13Z, DEBUG, ldap.LdapPermissionTester, {23} user UserIdentity{"userDN":"myUsername","ldapProfile":"default"} is a match for '(objectClass=*)' [192.168.1.118]
2015-10-13T11:01:13Z, TRACE, operations.CrService, {23} beginning read of user response sequence [192.168.1.118]
2015-10-13T11:01:13Z, DEBUG, operations.CrService, {23} will attempt to read the following storage methods: ["LOCALDB"] for user myUsernamel [192.168.1.118]
2015-10-13T11:01:13Z, TRACE, ldap.LdapOperationsHelper, {23} read VENDORGUID value for user EntryDN: myUsername: 9ee039ccf3f708469d81c450285753c1 [192.168.1.118]
2015-10-13T11:01:13Z, TRACE, operations.CrService, {23} attempting read of responses via storage method: LOCALDB [192.168.1.118]
2015-10-13T11:01:13Z, DEBUG, cr.LocalDbCrOperator, found user responses in LocalDB: ChaiResponseSet: state(READ) ChallengeSet: (ChallengeSet identifier: PWM-defined [Version Missing], minRandom: 1, locale: en, (Challenge: {"challengeText":"What are the last four digits of your social security number?","minLength":4,"maxLength":4,"adminDefined":true,"required":true,"maxQuestionCharsInAnswer":0,"enforceWordlist":false}) (Challenge: {"challengeText":"What is your birthday? (MMDDYY format)","minLength":6,"maxLength":6,"adminDefined":true,"required":false,"maxQuestionCharsInAnswer":0,"enforceWordlist":false}) ), format()
2015-10-13T11:01:13Z, DEBUG, operations.CrService, {23} returning responses read via method LOCALDB for user myUsername [192.168.1.118]
2015-10-13T11:01:13Z, FATAL, servlet.AbstractPwmServlet, 5006 ERROR_RESPONSES_NORESPONSES (stored response set for user 'UserIdentity{"userDN":"myUsername","ldapProfile":"default"}' do not meet current challenge set requirements: too few challenges are required)
2015-10-13T11:01:13Z, ERROR, http.PwmRequest, {23} 5006 ERROR_RESPONSES_NORESPONSES (stored response set for user 'UserIdentity{"userDN":"myUsername","ldapProfile":"default"}' do not meet current challenge set requirements: too few challenges are required) [192.168.1.118]

2015-10-13T11:01:13Z, TRACE, http.PwmResponse, {23} forwarding to /WEB-INF/jsp/error.jsp [192.168.1.118]


Here's my configuration file pertaining to the challenges:

<setting key="recovery.verificationMethods" syntax="VERIFICATION_METHOD" profile="default" syntaxVersion="0" modifyTime="2015-10-06T17:02:52Z" modifyUser="">
  <label>Verification Methods</label>
  <value><![CDATA[{"methodSettings":{"PREVIOUS_AUTH":{"enabledState":"disabled"},"ATTRIBUTES":{"enabledState":"disabled"},"CHALLENGE_RESPONSES":{"enabledState":"required"},"TOKEN":{"enabledState":"disabled"},"OTP":{"enabledState":"disabled"},"REMOTE_RESPONSES":{"enabledState":"disabled"},"NAAF":{"enabledState":"disabled"}},"minOptionalRequired":0}]]></value>
</setting>
<setting key="challenge.requiredChallenges" syntax="CHALLENGE" profile="default" syntaxVersion="0" modifyTime="2015-10-06T19:39:47Z" modifyUser="">
  <label>Required Questions</label>
  <value><![CDATA[{"text":"What are the last four digits of your social security number?","minLength":4,"maxLength":4,"adminDefined":true,"enforceWordlist":false,"maxQuestionCharsInAnswer":4,"points":0}]]></value>
  <value><![CDATA[{"text":"What is your birthday? (MMDDYY format)","minLength":6,"maxLength":6,"adminDefined":true,"enforceWordlist":false,"maxQuestionCharsInAnswer":6,"points":0}]]></value>
</setting>
<setting key="challenge.randomChallenges" syntax="CHALLENGE" profile="default" syntaxVersion="0" modifyTime="2015-10-06T19:39:28Z" modifyUser="">
  <label>Random Questions</label>
</setting>


I only want my users to be able to answer the above questions for their responses. I have no random questions, which is why I put the above in required. I have Minimum Random Required and Minimum Random Challenges Required During Setup set to 2, as I have only two questions that users must answer.

I really hope someone can point me in the right direction on this as I almost have PWM configured as I'd like.


Thanks!

cha...@gmail.com

Oct 13, 2015, 2:02:18 PM
to pwm-general
I think I've got the issue figured out. In PwmConfiguration.xml, there was this setting that had the value of 2 in it:

<setting key="challenge.minRandomsSetup" syntax="NUMERIC" profile="default" syntaxVersion="0" modifyTime="2015-10-13T15:28:41Z" modifyUser="default">
  <label>Minimum Random Challenges Required During Setup</label>
  <value>2</value>
</setting>

I assume that since I had REQUIRED questions rather than RANDOM questions set, it was causing PWM to error out like this. I hope this helps anyone who experiences the same issue as I. This just goes to show you that you should be careful when customizing PWM to your liking.
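Added example, not part of the original posts and not PWM's own code: a small Python check for the mismatch the second post describes, a `challenge.minRandomsSetup` value larger than the number of questions configured under `challenge.randomChallenges`. The sample XML is constructed from the settings quoted in the thread (trimmed); the wrapper element name and the function name are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the settings quoted in the thread, trimmed, inside a
# wrapper element whose name is an assumption (only <setting> elements are read).
SAMPLE = """<PwmConfiguration><settings>
<setting key="challenge.requiredChallenges" syntax="CHALLENGE" profile="default">
  <value><![CDATA[{"text":"What are the last four digits of your social security number?","minLength":4,"maxLength":4}]]></value>
  <value><![CDATA[{"text":"What is your birthday? (MMDDYY format)","minLength":6,"maxLength":6}]]></value>
</setting>
<setting key="challenge.randomChallenges" syntax="CHALLENGE" profile="default">
  <label>Random Questions</label>
</setting>
<setting key="challenge.minRandomsSetup" syntax="NUMERIC" profile="default">
  <value>2</value>
</setting>
</settings></PwmConfiguration>"""


def audit_challenge_settings(xml_text):
    """Return one finding per profile whose random-challenge minimum cannot be met."""
    root = ET.fromstring(xml_text)
    per_profile = defaultdict(dict)
    for setting in root.iter("setting"):
        profile = setting.get("profile", "default")
        # Each <value> child is one configured entry (a question or a number).
        values = [v.text or "" for v in setting.findall("value")]
        per_profile[profile][setting.get("key")] = values

    findings = []
    for profile, settings in sorted(per_profile.items()):
        random_count = len(settings.get("challenge.randomChallenges", []))
        required_count = len(settings.get("challenge.requiredChallenges", []))
        raw_min = settings.get("challenge.minRandomsSetup", [])
        # A missing or empty value is treated as 0 for this check.
        min_random = int(raw_min[0].strip()) if raw_min and raw_min[0].strip() else 0
        if min_random > random_count:
            findings.append({
                "profile": profile,
                "min_random": min_random,
                "random_count": random_count,
                "required_count": required_count,
            })
    return findings


if __name__ == "__main__":
    for f in audit_challenge_settings(SAMPLE):
        print("profile %(profile)s: minRandomsSetup=%(min_random)d but only "
              "%(random_count)d random question(s) configured" % f)
```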