Online Tutorials & Training Materials |
Register Login

Expired passwords cannot be reset

08 Feb 2014 6:02 pm || 0

When you use one or both of the following profile parameters (password-based), logon attempts are rejected with the error message "Name or password is incorrect (repeat logon)" (00 152) or "The initial password has expired (request a new one)"(*) (00 182):

login/password_max_new_valid or

You usually (though not only) notice the error with users that are used for RFC communication or background processing.
Resetting the password using the administrator (SU01) does not solve the problem either; only by deleting and then creating the user again can you log on (temporarily).

(*) In systems with SAP_BASIS 4.6x, message 00 182 exists only in the language EN with an incorrect or misleading text ("At least three characters must be different in old/new code")

You are using a SAP system as of Release 4.6 (=> see Note 379081) and one of the two profile parameters

Technical cause
A date stamp is missing for the event "Password was changed", which is set both for password changes by the user (where the old password must be entered) and for password specification by the administrator (where the corresponding authorizations are required).
Currently, date stamps exist only for "User master record was created" and "last password change by user" (if this already occurred).

Unfortunately, the missing date stamp (=> new database field) cannot be delivered by a correction because a combined ABAP and kernel correction is required for this, in which case you must ensure that the kernel change is made before the ABAP change.
If you were to make the ABAP change before the kernel change, this would have the serious consequence that you would no longer be able to log on.

The problem affects (SAP_BASIS) Releases 4.6B, 4.6C, 4.6D, 6.10, 6.20 and is corrected as of Release 6.40.

The following combined correction is available only for 6.20:

Kernel 6.20 as of Patch number 1258 or
Kernel 6.40 (see Note 664679), and
SAP_BASIS Support Package 38 for 6.20 (requires the new kernel)

For the aforementioned reasons (strict dependencies between the kernel and ABAP correction), there is unfortunately no solution for Releases 4.6B, 4.6C, 4.6D and 6.10.

You must not use either parameter until you have implemented the solution.

Known restrictions
Even after you implement this correction (for Release 6.20) or if you use a system with Release 6.40 (SAP NetWeaver 2004), the profile parameter login/password_max_new_valid has no effect: even for new user accounts, the profile parameter login/password_max_reset_valid is analyzed instead.

As of SAP NetWeaver 2004s (ABAP Kernel 7.0) both profile parameters (login/password_max_new_valid and login/password_max_reset_valid) are replaced by one new profile parameter: login/password_max_idle_initial.
In addition, a further profile parameter is introduced that allows you to limit the validity period of unused productive passwords: login/password_max_idle_productive.
Further enhancements (as of SAP NetWeaver 2004s / ABAP Kernel 7.0) are described in Note 862989.