Symantec Access Management

 View Only
  • 1.  Change password using smpwservices.fcc

    Posted Jun 13, 2016 10:35 AM

    Using Basic Password services,

    Developed a HTML form that does the POST (Old Password + NEW password + CONFIRM Password)to the smpwservices.fcc


    Can we bypass the Old password and only post the NEW and CONFIRM password.


    Idea is,

    When the user enter his credentials, Password policy is triggered and he is redirected to change password page.

    I don't want the user to enter his Current Password again in the change password form.

    I tried with a html form posting to smpwservices.fcc with out Current password and it doesn't worked.

    For valid authentication, Do we require both username + old_password? Is there a way to bypass the Old password in Change password page.






  • 2.  Re: Change password using smpwservices.fcc
    Best Answer

    Posted Jun 14, 2016 11:11 AM

    There is no way we should bypass the old password.


    It is a security check. Before the New Password is update. SiteMinder checks the authenticity of the user changing the password by authenticating the user using USERNAME and OLDPASSWORD. If the OLDPASSWORD matches for the USERNAME in the Identity Store only then SiteMinder updates the NewPassword.


    The User Enters his username and password in login page.

    The User enters his username and old password in change password page.

    These are 2 independent transactions. SiteMinder does not store the password on its side. So the application needs to store it securely and replay it after collecting the New Password. That's the only way I see this done.

  • 3.  Re: Change password using smpwservices.fcc

    Broadcom Employee
    Posted Jun 14, 2016 12:59 PM

    Right - for security reasons you should not bypass the old password, also SSO does not have the ability to do so

  • 4.  Re: Change password using smpwservices.fcc

    Posted Jun 14, 2016 02:29 PM

    Thanks  Dennis, For the valuable information.

    When the user enter the Wrong Old Password and follow the rules set in the password policy for changing the password.

    No error message is displayed to the user.

    Do we need to display this error manually by checking the password data or SMUSRMSG cookie will display this error.

    Remaining all errors are displayed appropriately by the SMUSRMSG cookie.

    Is there any registry entry that I need to set for this scenario to  display error message to the user.




  • 5.  Re: Change password using smpwservices.fcc

    Posted Jun 16, 2016 12:30 AM

    Hi Krishna,


    Please try following :


    Enable the DisallowForceLogin registry key, which is located at HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer.


    Redirects users to the Password Change Information screen to re-enter the current password when the change request contains an invalid current password.


    KeyType: REG_DWORD


    Value: 0 (disabled) or 1 (enabled)


    Default: 0 (disabled)



    Ujwol Shrestha

  • 6.  Re: Change password using smpwservices.fcc

    Posted Jun 20, 2016 07:34 PM

    Hi Krishna chaitanya dhanekula ,


    How did you go about this ?



  • 7.  Re: Change password using smpwservices.fcc

    Posted Jun 16, 2016 01:49 AM

    Hi Krishna,

    If you want to display error message,  you can make use of smpwservices.unauth which located same path as smpwservices.fcc. In smpwservices.fcc, specify the @smretries

    Specifies the maximum number of login attempts allowed.

    If user exceed the retry, it will redirect to smpwservices.unauth. You can customize smpwservices.unauth on the error message that you want to display.


    Hope this helps.



    Kar Meng