Product - CA IDM 12.6 SP 8
When a user is trying to change password in IDM, it shows this error:
Cause: Active Dir. Account 'some' on 'AD' modification failed: Connector Server Modify failed: code 53 (UNWILLING_TO_PERFORM): failed to modify entry: eTADSAccountName=some ,eTADSOrgUnitName=some,eTADSOrgUnitName=some,eTADSDirectoryName=AD,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@CM-WRG-: NOT IMPLEMENTED: JCS@CM-WRG-: JNDI: [LDAP: error code 53 - Unable to set Password Attribute: eTPassword Reason: Unwilling To Perform]: failed to modify eTADSAccountName=* Action: Reset password on user "*"
See here: Ldap Active directory change password Unwilling to perform Error 53
Basically the AD doesn't want to change the password as you are violating some rule it is configured to enforce: generally it is because the password doesn't match the password policy AD is enforcing.
I'd also recommend that you check whether your SSL settings between AD and Provisioning Server are correct. Your AD must have an SSL certificate in place in order to enable the LDAP-S protocol, and the certificate must be trusted by Provisioning Server. The ActiveDirectory API does not allow password changes via LDAP without SSL.
We are facing this issue only for some of the users. Other users are able to complete "change my password" successfully.
Did you see David's reply? Did you find out more about the AD password policies? Are they indeed what prevents this from working?
Hi Sagi, I have checked my AD password policy and found it to be similar to the IDM password policy. Some of the users are able to change their password successfully, but some are failing to do so.
I am also facing the same issue: some of the users are able to change their password successfully, but some are failing.
Active Directory has native password policy rules which get violated if you keep first name, last name or User ID as part of the password in IDM tasks. I suggest you check whether the user is violating AD's native password policy.
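The native rule mentioned in the last reply can be checked before the change reaches AD. The following Python sketch is an added example, not part of the thread and not CA or Microsoft code: it applies AD's documented default complexity filter (account name, display-name tokens, three of five character categories) to a candidate password. The function name, the `min_length` default of 7 and the sample accounts are assumptions made for illustration; the real minimum length comes from your domain policy.

```python
import re

# Delimiters AD's default complexity filter uses to split displayName into
# tokens: comma, period, hyphen, underscore, space, pound sign, tab.
_DELIMS = r"[,.\-_ #\t]+"


def ad_complexity_violations(password, sam_account_name, display_name, min_length=7):
    """Return the reasons the default AD complexity filter would reject a password.

    min_length is an assumption (default domain policy value); set it to the
    value configured in your own domain.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append("shorter than minimum length")
    # sAMAccountName is compared whole, case-insensitively, only if 3+ characters.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        reasons.append("contains sAMAccountName")
    # displayName tokens shorter than 3 characters are ignored by the filter.
    for token in re.split(_DELIMS, display_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains displayName token '{token}'")
    # Five categories: upper, lower, digit, non-alphanumeric, other alphabetic.
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    if sum(categories) < 3:
        reasons.append("fewer than 3 character categories")
    return reasons


if __name__ == "__main__":
    # Constructed sample accounts and passwords, not taken from the thread.
    samples = [
        ("jsmith", "John Smith", "Smith#2024x"),  # rejected: name token in password
        ("al", "Al Li", "Al-Li#2024"),            # accepted: all name parts under 3 chars
        ("mkhan", "M. Khan", "password1"),        # rejected: only 2 categories
    ]
    for sam, display, pw in samples:
        print(sam, ad_complexity_violations(pw, sam, display) or "OK")
```

Because the name check depends on each account's own attributes, a password that passes an identical IDM policy can still be refused by AD for one user and accepted for another.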