Summary: This article contains step-by-step instructions on how to resolve an issue with mismatched passwords used to encrypt and decrypt self-service user questions, which makes question-and-answer password reset inaccessible from Cayosoft Subscriber servers. This issue does not affect the protection of the user's secret answers.
Applies to: Cayosoft Administrator 6.1.0 or below
Security impact: LOW
Security impact details: User answers are stored using one-way encryption, so they cannot be recovered and their security is not affected by this issue. Only the questions selected by users are encrypted with the corrupted password on Subscribers, which can make them unreadable on a server that holds a different password.
In Cayosoft Administrator version 6.1.0 and below there is an issue with the Password to encrypt data in AD setting of the Self-Service - Password Self-Service Enrollment Details rule when a replication group is configured.
As a result, a user may receive an error during the Self-Service Password Reset operation if the user enrolled in Self-Service on a Subscriber but resets the password on the Publisher, or vice versa.
The root cause is that the encryption password on the Subscriber is corrupted when the replication rule runs. The Subscriber then uses the corrupted password to encrypt and decrypt user profile data, so data written on one server cannot be decrypted on the other.
In 6.1.1 the issue is fixed: the password is no longer corrupted during replication.
However, the profile data of users who enrolled in Self-Service Password Reset on a Subscriber before the upgrade was encrypted with the corrupted password and must be re-encrypted with the correct one.
6.1.1 introduces the new AD Users | Fix Replication Issue for Self-Service Enrollment (KB20190517-1) rule to process such user accounts after the upgrade.
Follow the procedure below to process the user accounts affected by the issue.
The issue occurs only if all of these conditions are met:
1. Cayosoft Administrator v6.1.0 or below
2. A replication group is configured
3. Self-Service enrollment is configured
4. End users can connect to Cayosoft Administrator Services on both the Publisher and Subscriber(s) for Self-Service enrollment and password reset.
Impact on end users
If a user enrolled in Self-Service on the Publisher and tries to reset the password on a Subscriber, or vice versa, the following error message is displayed: The specified user has not enrolled in self-service.
Workaround (before upgrading to 6.1.1)
1. Stop replication:
On each Subscriber service, navigate to HOME > RULES > Built-in Rules (Pre-configured) > Replication.
In the Enforce/Schedule section, uncheck Enable.
2. Set the password used to encrypt self-service data in Active Directory manually:
On each Subscriber, navigate to Web Actions.
Click Common > Self-Service - Password Self-Service Enrollment Details.
In the Action section, enter the password in the Password to encrypt data in AD setting. Use the same password that is configured on the Publisher, so that every replication partner encrypts and decrypts enrollment data with the same value.
3. If configuration changes need to be applied to all replication partners, make the change on the Publisher, enable the replication rule, wait for the changes to replicate, then repeat steps 1 and 2, because replication corrupts the Subscriber password again.
Resolution
1. Upgrade to Cayosoft Administrator 6.1.1 or later.
2. After the upgrade, create and run the AD Users | Fix Replication Issue for Self-Service Enrollment (KB20190517-1) rule to re-encrypt the profile data of users who enrolled on a Subscriber.