Error changing password after already logged in.


Cleiton Mafioletti

Oct 9, 2025, 3:58:10 PM (12 days ago) Oct 9
to pwm-general

Hello,

When we were using PWM version 1.8.0, due to our internal Group Policy (GPO) configuration, our users were not allowed to change their own passwords directly in Active Directory.

To work around this limitation, we implemented a custom modification in the PWM source code so that the technical user “pwmproxy”, which has the necessary permissions, would perform the password change on behalf of the end user. Thus, whenever a user without change rights attempted to modify their password (for example, during login or through the “change password” option), PWM would use the pwmproxy credentials to complete the password update successfully.

After upgrading to PWM version 2.0.8, this customization appears to be no longer possible, as the new version no longer contains the same directory structure where this modification used to be applied.

The current behavior is as follows:

  • The “Forgotten Password” flow works normally — the password is successfully changed.

  • However, when trying to “Change Password” after logging in, the user receives the following error:

           4006 PASSWORD_BADPASSWORD

I have already verified the password policy, and the minimum password age is set to 0 days, as confirmed in previous discussions.

I would like to know if there is any way, in version 2.0.8, to reproduce the same behavior from version 1.8.0 — that is, to allow the pwmproxy user to perform the password change on behalf of users who do not have permission to do so directly.

I appreciate any guidance or suggestions on how to handle this scenario in the newer version.

The code that was implemented is as follows:

Captura de tela 2025-10-09 165456.jpg

Kind regards,
Cleiton Mafioletti

Jason Rivard

Oct 9, 2025, 5:02:08 PM (12 days ago) Oct 9
to pwm-general
The setting you're looking for is 'LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Use Proxy When Password Forgotten'.  This should be the default value when 'Default Settings ⇨ LDAP Vendor Default Settings' is set to AD.

Cleiton Mafioletti

Oct 13, 2025, 8:09:24 AM (9 days ago) Oct 13
to pwm-general
Hello Jason,

Recovering the password works ok:

Forgotten Password.jpg

But changing the password after already being logged in is where the error occurs:

Change Password.jpg

It is already set as per your guidance and exactly as it was in the previous version as you can see in the following messages:

LDAP Default.jpg
LDAP.jpg
I still have problems even though it is set correctly:

Error.jpg

Jason Rivard

Oct 13, 2025, 4:48:17 PM (8 days ago) Oct 13
to pwm-general
That error is coming from AD, and unfortunately, AD error messages are very non-specific so I can't tell what the cause is.  It's very likely some policy exception, the most common being minimum time between changes.  You will need to modify your group policy and PSO policies until you discover the cause.
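An added diagnostic for the situation described in this thread (not code from the thread or from the PWM project): the forgotten-password flow succeeds because PWM performs it with the proxy account, while a logged-in change is attempted with the user's own credentials, so it is the user's own ability to change the password that AD is refusing. The script below uses the RSAT ActiveDirectory module to report the two AD-side conditions that most commonly cause exactly that, a "User cannot change password" ACE and an unexpired minimum password age from the resultant policy (default domain policy or a fine-grained PSO); the account name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and read access to the user object and any PSOs that apply to it.
Import-Module ActiveDirectory

function Test-SelfChangeEligibility {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, CannotChangePassword

    # Resultant policy: a fine-grained PSO if one applies, else the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($policy) {
        $source = "PSO '$($policy.Name)'"
    } else {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Password Policy'
    }

    $minAge   = $policy.MinPasswordAge
    $lastSet  = $user.PasswordLastSet
    $findings = @()

    # 1. "User cannot change password" ACE: the user's own credentials can never
    #    change the password; a proxy with Reset Password rights still can.
    if ($user.CannotChangePassword) {
        $findings += 'CannotChangePassword is set on the account'
    }

    # 2. Minimum password age: a self-change is refused until PasswordLastSet + MinPasswordAge.
    #    A reset by the proxy account is not subject to this check.
    if ($lastSet -and $minAge -gt [TimeSpan]::Zero) {
        $eligibleAt = $lastSet + $minAge
        if ((Get-Date) -lt $eligibleAt) {
            $findings += "Minimum password age ($minAge) not reached; eligible at $eligibleAt"
        }
    }

    [pscustomobject]@{
        User            = $SamAccountName
        PolicySource    = $source
        MinPasswordAge  = $minAge
        PasswordLastSet = $lastSet
        Blockers        = if ($findings) { $findings -join '; ' } else { 'none found at AD policy level' }
    }
}

# Placeholder account name; run against the account that gets 4006 PASSWORD_BADPASSWORD.
Test-SelfChangeEligibility -SamAccountName 'jdoe'
```

If both checks come back clean, the remaining candidates are policy rules AD enforces silently (complexity, history, or a custom password filter DLL), which this script cannot see.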