Reset S-user Password

Eustacio Gadit

Aug 5, 2024, 3:04:41 AM
to sidilita
Like many people, I finally gave in and activated Universal ID because of the messages indicating this would become mandatory. I never did it before because I only have the one S-user account, so it was never a problem.

Specifically, Download Manager is still not compatible with UID, but if I try to logon with my S-user, it fails, and inevitably (after just one attempt) I get an email indicating that password logon has been locked out for an hour due to 5 attempts.


I understand that the workaround for this is to reset the password specific to the S-user (because it's apparently not the same as the UID password), but once UID is active, there doesn't seem to be a way to reset the password specific to the S-user.


I can get around the issue with downloading single items at a time through the web browser, but as a Basis administrator that isn't going to be very realistic next time I do a suite of dozens of support packages. I need to solve this.


The password reset facility does allow you to change the password for just a single S-user, but the language on the tool when you are doing so is confusing at best, as it implies that you are changing the password for your entire UID. However, you are not; you are only changing that S-user.


Net result, I can now (after about a three-hour wait for global systems to synchronize -- really, shouldn't a password change be a high-priority item to sync quickly?) logon to Download Manager again with the S-user (not email address) and the new password. However, logon to the support launchpad website (with UID e.g. email address) uses the old password (unless, of course, using the certificate-based SAP Passport).


I agree that Universal ID still, after many years, has growing pains. For instance, I used to be able to logon to the SAP Community with my certificate-based logon for my S-user, but that is now, as of this month, no longer possible. I haven't searched exhaustively to figure out if there's a way to use certificates with Universal ID logons the way that I still do for SAP for Me (previously, SAP Support Launchpad), but as of right now it seems to work with password-based logons only. That's a pain when I click the link on Notifications in SAP for Me for something happening in the Community (as I did for your response here).


So what I'm seeing is that Universal ID is not very universal; at least, not yet. And Download Manager continues to be one of the tools requiring a password-based logon that does not talk to Universal ID, so it becomes incumbent upon us all to make sure we're keeping track of that s-user password as well as the UID password, as they are not the same.


I'm not sure what password reset facility you refer to but the SAP (UID) Account Manager at allows you to reset the passwords of all linked accounts and the UID.



To reset a linked account's password click at the linked account in the accounts list and use the reset account password functionality at the account detail page.



How long the password reset takes to propagate to the Download Manager I do not know. But it should not take 3 hours.



Cheers,

Sebastian




If a user forgets the password for their managed Google account (for example, their Google Workspace or Cloud Identity account) or if you think their account has been compromised, you can reset their password from the Google Admin console.


Resetting a password changes it for the user's online accounts. If the user has Google Drive for desktop, the password doesn't change there. After resetting a user's password, you must reset the user's sign-in cookies.


So far I am able to allow users to change their password but only if they are authenticated or logged into the application. What I really need is for users to be able to get a link in an email. They can click this link and reset their password.


Example: Let's say a user forgets his or her password; they can visit a page where they can enter either a security question and answer or their email address on file. They will then get an email with a link to reset their password.


I can create the stored procedure and the email using a String Builder but I do not know how to get the un-authenticated user to change password. Is there a way for the user to be Authenticated when they click the link? I am not sure how to even ask this.


I really would love to have the Security question as an option for the user to either verify by email or security question. If this is not possible, I'll have to create some kind of account number or userid (not membership user id) as an alternative.


My answer is not specific to Membership Provider, but hopefully will point you in the right direction. Typically the way to approach this is to generate a very long random string, called a token. You send them a link that includes this token as a parameter, something like:


You can use a SQL table for token management. The token may be the UserId or Email, which are unique. The link used for the reset email looks like =sfksdfh-24204_23h7823. The id in the URL is the encrypted UserId or Email, as you like.
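
The random-token reset link described in the answers above, as an added Python example that is not part of the original posts. It assumes an in-memory dict standing in for the SQL token table, a 15-minute lifetime and a placeholder `app.example` URL; only a hash of the token is stored, and a token works once.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; set to match your policy

# Stand-in for the SQL token table: sha256(token) -> (user_id, expires_at)
_reset_tokens = {}


def _hash(token: str) -> str:
    # Store only a hash so a leaked table cannot be replayed as reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use token for user_id; the caller e-mails it."""
    now = time.time() if now is None else now
    # A new request invalidates any outstanding token for the same user.
    for h in [h for h, (uid, _) in _reset_tokens.items() if uid == user_id]:
        del _reset_tokens[h]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_tokens[_hash(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def build_reset_link(token: str) -> str:
    # Hypothetical URL; the token is the only parameter, no user id needed.
    return "https://app.example/reset?token=" + token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id the token was issued for, or None if invalid.

    The token is consumed on lookup, so a second click on the link fails.
    The unauthenticated user is authorised to set a new password only for
    the returned user_id, and only in this one request.
    """
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_hash(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id
```
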


Microsoft Entra self-service password reset (SSPR) gives users the ability to change or reset their password, with no administrator or help desk involvement. If a user's account is locked or they forget their password, they can follow prompts to unblock themselves and get back to work. This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application. We recommend this video on how to enable and configure SSPR in Microsoft Entra ID.


This conceptual article explains to an administrator how self-service password reset works. If you're an end user already registered for self-service password reset and need to get back into your account, go to


A user can reset or change their password using the SSPR portal. They must first register their desired authentication methods. When a user accesses the SSPR portal, the Microsoft Entra platform considers the following factors:


After the SSPR portal is displayed in the required language, the user is prompted to enter a user ID and pass a captcha. Microsoft Entra ID now verifies that the user is able to use SSPR by doing the following checks:


SMTP relay services receive and process the email body, but don't store it. The body of the SSPR email that may potentially contain customer provided info isn't stored in the SMTP relay service logs. The logs only contain protocol metadata.


You can enable the option to require a user to complete the SSPR registration if they use modern authentication or web browser to sign in to any applications using Microsoft Entra ID. This workflow includes the following applications:


When you don't require registration, users aren't prompted during sign-in, but they can manually register. Users can either visit or select the Register for password reset link under the Profile tab in the Access Panel.


Users can dismiss the SSPR registration portal by selecting cancel or by closing the window. However, they're prompted to register each time they sign in until they complete their registration.


To make sure that authentication methods are correct when they're needed to reset or change their password, you can require users to confirm their registered information after a certain period of time. This option is only available if you enable the Require users to register when signing in option.


Valid values to prompt a user to confirm their registered methods are from 0 to 730 days. Setting this value to 0 means that users are never asked to confirm their authentication information. When using the combined registration experience, users will be required to confirm their identity before reconfirming their information.


When a user is enabled for SSPR, they must register at least one authentication method. We highly recommend that you choose two or more authentication methods so that your users have more flexibility in case they're unable to access one method when they need it. For more information, see What are authentication methods?.


If a user doesn't register the minimum number of required methods, they see an error page when they try to use SSPR. They need to request that an administrator reset their password. For more information, see Change authentication methods.


When using a mobile app as a method for password reset, like Microsoft Authenticator, the following considerations apply if an organization hasn't migrated to the centralized Authentication methods policy:


Authenticator can't be selected as the only authentication method when only one method is required. Similarly, Authenticator and only one additional method can't be selected if you require two methods.


When configuring SSPR policies that include the Authenticator app as a method, at least one additional method should be selected when one method is required, and at least two additional methods should be selected when two methods are required.


Changing the available authentication methods may also cause problems for users. If you change which authentication methods are available, users without the minimum amount of data available can't use SSPR.


If this option is set to Yes, users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to their primary and alternate email addresses that are stored in Microsoft Entra ID. If no primary or alternate email address is defined, SSPR will attempt email notification via the user's User Principal Name (UPN). No one else is notified of the reset event.


If this option is set to Yes, then Global Administrators receive an email to their primary email address stored in Microsoft Entra ID. The email notifies them that another administrator has changed their password by using SSPR.


Microsoft Entra ID checks your current hybrid connectivity and provides messages in the Microsoft Entra admin center. For help with resolving possible errors, see Troubleshoot Microsoft Entra Connect.
