Fixing ISA password issues
Some/Most of this is now fixed (CRM 2007)
ISA is EXTREMELY annoying when it comes to password, they like to expire your password when you are in the middle of something, and the web based tool asking you for a new one often fails, and you might end-up with a broken administrator account and stuck !
Here we explain how to fix a locked/lost password Administrator account.
Notes
First make sure your /etc/hosts contains lines like those, otherwise you will get login errors even though login/password are fine
127.0.0.1 localhost localhost.localdomain
127.0.0.1 desktop desktop.mycomp.com
192.168.1.212 desktop desktop.mycomp.com
Make sure you have both 127.0.0.1 and your IP address(ex: 192.168.1.212) resolving to your hostname.
Otherwise Install/Upgrade will fail miserably (login errors) and it's VERY hard to track down !!
Step 1: Activating the SAP* rescue user
- Start the config tool and connect to default DB(local)
- Click the "Pen" icon (tooltip:"switch to configuation edit mode")
- Browse to cluster-data/server/cfg/services/
- Click the new "Pen" icon (tooltip: "Switch to edit mode")
- Double click on "Property sheet : com.sap.security.core.ume.service"
- Enable the SAP* account by editing those values:
ume.superadmin.activated : true
ume.superadmin.password: sompass
- (Re)Start j2ee (stopsap,startsap)
While the SAP* user is activated, all other users are deactivated. You can only log on with the SAP* user.
Step 2: Fixing broken accounts
- Start the web based UME tool: http:127.0.0.1:50100/useradmin and log as SAP*
If that does not work, you might have to fix other things in Visual admin first(logging as SAP*).
- One in theUME admin, press "Go" to search for all users, and select whichever user you need to fix (Ex: Administrator).
IF the user is only locked, but you know the password, just unlock it and don't change the password, this will be much less trouble.
- Click "unlock" if appropriate, and/or "generate new password".
- Click "Modify" then "Define initial password" and enter an initial password, then "Save"
Step 3: Turning off SAP*
- Start the config tool and connect to default DB(local)
- Click the "Pen" icon (tooltip:"switch to configuation edit mode")
- Browse to cluster-data/server/cfg/services/
- Click the new "Pen" icon (tooltip: "Switch to edit mode")
- Double click on "Property sheet : com.sap.security.core.ume.service"
- Select "ume.superadmin.activated" and click "restore default" (false)
you might also want to set/update those values so that your password won't lock/expire as easily:
ume.logon.security_policy.password_expire_days: 9000
ume.logon.security_policy.lock_after_invalid_attempts: 20
- When done don't forget to press the OK, then close the config tool.
- (Re)Start j2ee (stopsap,startsap)
STEP 4: Setting the new Administrator password
If you only had to unlock the admin password but not change the password, you can stop here.
- Start the admin tool and log as administrator with the initial password, it will ask for a new FINAL password. enter one. Then close visual administrator.
When changing the admin password, it does not update the one in the secure store, causing all kind of issues later, for example SDM won't work, so upgrading will fail etc.. So we need to update the secure store admin password as well !
- Start the config tool and connect to default DB(local)
- Click "secure store" and set the password for "admin/password/[SID]": to the "Final administrator password", then press "Add", then don't forget to press the "Save icon", then close the config tool.
- (Re)Start j2ee (stopsap,startsap)
Then go to http:127.0.0.1:50100/nwa/ (or visual administrator), and verify you can now log as administrator just fine - Enjoy .. Hopefully !
Comments
Add a new Comment