Problem:
A user has to change his password at the next login. The login itself works, but submitting the new password fails with
Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an.
(Authentication failed. Please log in again.)
Investigation:
How the password change works in general:
The user logs in and the request goes to Keycloak. The login tells Keycloak that the password has to be changed, so Keycloak runs the required action UNIVENTION_UPDATE_PASSWORD. This required action comes from Univention's own Keycloak extension (univention-ldap-mapper), which sends the password change request to the UMC server. The UMC server then performs the change through the PAM stack in /etc/pam.d/univention-management-console.
The password section of that PAM stack should be executed; you can see this in /var/log/auth.log. If you enable debug for the PAM module, its debug output is written to the journal (journalctl).
So first check the Keycloak log: univention-app logs keycloak
Keycloak log when it works (error="password_missing" only means the form was once submitted without a new password; it is not the failure investigated here):
2025-08-06 14:09:34,775 WARN [org.keycloak.events] (executor-thread-122) type="UPDATE_PASSWORD_ERROR", realmId="ucs", realmName="ucs", clientId="https://test.schein.me/univention/saml/metadata", userId="f:daaa3127-e779-4c58-8e9a-62f8af2ddb9a:ben.utzer2", ipAddress="89.245.24.96", error="password_missing", auth_method="saml", custom_required_action="UNIVENTION_UPDATE_PASSWORD", response_type="code", redirect_uri="https://test.schein.me/univention/saml/", remember_me="false", code_id="dd3b3772-2809-4823-9d59-46849fe1c625", response_mode="query", username="ben.utzer2"
Keycloak log when it does not work (error="password_rejected", and reason carries the error message returned by the UMC server):
2025-08-06 14:23:34,495 WARN [org.keycloak.events] (executor-thread-1) type="UPDATE_PASSWORD_ERROR", realmId="ucs", realmName="ucs", clientId="https://schein.me/univention/saml/metadata", userId="f:daaa3127-e779-4c58-8e9a-62f8af2ddb9a:ben.utzer2", ipAddress="89.245.24.96", error="password_rejected", reason="Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an.", auth_method="saml", custom_required_action="UNIVENTION_UPDATE_PASSWORD", response_type="code", redirect_uri="https://schein.me/univention/saml/", remember_me="false", code_id="0d6eca9d-447e-4f26-aa6c-e335fe756517", response_mode="query", username="ben.utzer2"
You can also check /var/log/apache2/other_vhosts_access.log.
The difference is the status of the POST to /realms/ucs/login-actions/required-action: 302 when it works (Keycloak redirects on to login-actions/authenticate), 200 when it does not (Keycloak renders the password form again with the error).
When it works:
test-auth.schein.me:443 10.18.0.1 - - [06/Aug/2025:14:45:34 +0200] "POST /realms/ucs/login-actions/required-action?session_code=J3XE4j72zNEfXHn5bZ43eNTIH_IzZ9Q6qJbCGiLUV2U&execution=UNIVENTION_UPDATE_PASSWORD&client_id=https%3A%2F%2Ftest.schein.me%2Funivention%2Fsaml%2Fmetadata&tab_id=rn3zl6H7URI&client_data=eyJydSI6Imh0dHBzOi8vdGVzdC5kbGxwLnNjaHVsZS91bml2ZW50aW9uL3NhbWwvIiwicm0iOiJwb3N0Iiwic3QiOiIvdW5pdmVudGlvbi9wb3J0YWwvIn0 HTTP/1.1" 302 4644 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
test-auth.schein.me:443 10.18.0.1 - - [06/Aug/2025:14:45:35 +0200] "GET /realms/ucs/login-actions/authenticate?client_id=https%3A%2F%2Ftest.schein.me%2Funivention%2Fsaml%2Fmetadata&tab_id=rn3zl6H7URI&client_data=eyJydSI6Imh0dHBzOi8vdGVzdC5kbGxwLnNjaHVsZS91bml2ZW50aW9uL3NhbWwvIiwicm0iOiJwb3N0Iiwic3QiOiIvdW5pdmVudGlvbi9wb3J0YWwvIn0 HTTP/1.1" 200 3180 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
test-auth.schein.me:443 10.18.0.1 - - [06/Aug/2025:14:45:35 +0200] "GET /univention/meta.json HTTP/1.1" 304 468 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
When it does not work:
auth.schein.me:443 10.19.0.1 - - [06/Aug/2025:14:23:23 +0200] "GET /realms/ucs/login-actions/required-action?execution=UNIVENTION_UPDATE_PASSWORD&client_id=https%3A%2F%2Fschein.me%2Funivention%2Fsaml%2Fmetadata&tab_id=v8a8kxhh1ao&client_data=eyJydSI6Imh0dHBzOi8vZGxscC5zY2h1bGUvdW5pdmVudGlvbi9zYW1sLyIsInJtIjoicG9zdCIsInN0IjoiL3VuaXZlbnRpb24vcG9ydGFsLyJ9 HTTP/1.1" 200 2832 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
auth.schein.me:443 10.19.0.1 - - [06/Aug/2025:14:23:23 +0200] "GET /univention/meta.json HTTP/1.1" 304 468 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
auth.schein.me:443 10.19.0.1 - - [06/Aug/2025:14:23:32 +0200] "POST /realms/ucs/login-actions/required-action?session_code=mLbxjT5nP0rjczzKxmQxpjYIj2vtvivrMJZMY473MBQ&execution=UNIVENTION_UPDATE_PASSWORD&client_id=https%3A%2F%2Fschein.me%2Funivention%2Fsaml%2Fmetadata&tab_id=v8a8kxhh1ao&client_data=eyJydSI6Imh0dHBzOi8vZGxscC5zY2h1bGUvdW5pdmVudGlvbi9zYW1sLyIsInJtIjoicG9zdCIsInN0IjoiL3VuaXZlbnRpb24vcG9ydGFsLyJ9 HTTP/1.1" 200 6722 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
auth.schein.me:443 10.19.0.1 - - [06/Aug/2025:14:23:34 +0200] "GET /univention/meta.json HTTP/1.1" 304 468 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
Then check /var/log/univention/management-console-server.log. In the failing case it shows:
06.08.25 16:03:26.099 AUTH ( ERROR ) : PAM: authentication error: ('Authentication failure', 7)
06.08.25 16:03:26.099 AUTH ( ERROR ) : Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an.
Return code 7 is PAM_AUTH_ERR: the UMC server could not authenticate the user at all.
If everything works up to this point, you see this instead:
06.08.25 14:45:35.113 AUTH ( ERROR ) : PAM: authentication error: ('Authentication token is no longer valid; new one required', 12)
Despite the ERROR level this is expected: return code 12 is PAM_NEW_AUTHTOK_REQD, PAM reports that the password has expired, and the UMC server continues with the password change.
Other possible culprits are the UDM property passwordexpiry on the user and the password policy settings.
Solution:
In this case the
PAM: authentication error: ('Authentication failure', 7)
in the UMC log is the hint to restart the UMC server service:
systemctl restart univention-management-console-server
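As an added example (not code from UCS, the Keycloak app or univention-ldap-mapper), the following Python script turns the three checks above into one triage function: it parses the Keycloak event line, the Apache access log and the UMC server log and returns the verdict the note arrives at by hand, including the restart case for PAM return code 7 and the "expected" case for return code 12. The sample log lines inside it are constructed with placeholder hosts, users and IDs; PAM_AUTH_ERR = 7 and PAM_NEW_AUTHTOK_REQD = 12 are the standard PAM return codes.

```python
"""Log triage for the Keycloak / UMC password change failure described in this note.

Added example, not code from UCS, the Keycloak app or univention-ldap-mapper. It parses
the three log formats used above (Keycloak events, Apache other_vhosts_access.log,
management-console-server.log) and derives the verdict a human reaches by reading them
side by side. All sample lines are constructed; hosts, addresses and IDs are placeholders.
"""
import re
from typing import Dict, List, Tuple

# PAM return codes (security/_pam_types.h); UMC logs the code as the second tuple element.
PAM_AUTH_ERR = 7           # "Authentication failure"
PAM_NEW_AUTHTOK_REQD = 12  # "Authentication token is no longer valid; new one required"

VERDICT_RESTART_UMC = ("UMC returned PAM_AUTH_ERR (7) during the password change: "
                       "restart univention-management-console-server and retry")
VERDICT_REJECTED = ("UMC rejected the new password: check the udm property passwordexpiry "
                    "and the password policy")
VERDICT_OK = ("password change completed: the POST redirected with 302; PAM 12 is only the "
              "expected expired-password signal")
VERDICT_INCONCLUSIVE = "no matching evidence in the supplied log lines"


def _ascii_quotes(line: str) -> str:
    """Pasted logs often carry typographic quotes; normalise them before matching."""
    return line.translate(str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"}))


KC_FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_keycloak_event(line: str) -> Dict[str, str]:
    """key=value fields of an org.keycloak.events line (type, error, reason, username, ...)."""
    return dict(KC_FIELD.findall(_ascii_quotes(line)))


APACHE_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def required_action_post_statuses(lines: List[str]) -> List[int]:
    """HTTP status of every POST to login-actions/required-action for UNIVENTION_UPDATE_PASSWORD."""
    statuses = []
    for line in lines:
        m = APACHE_REQ.search(_ascii_quotes(line))
        if (m and m["method"] == "POST"
                and "/login-actions/required-action" in m["path"]
                and "execution=UNIVENTION_UPDATE_PASSWORD" in m["path"]):
            statuses.append(int(m["status"]))
    return statuses


UMC_PAM = re.compile(r"PAM: authentication error: \('(?P<msg>[^']*)', (?P<code>\d+)\)")

def umc_pam_errors(lines: List[str]) -> List[Tuple[str, int]]:
    """(message, PAM return code) for each 'PAM: authentication error' line of the UMC log."""
    matches = (UMC_PAM.search(_ascii_quotes(line)) for line in lines)
    return [(m["msg"], int(m["code"])) for m in matches if m]


def diagnose(kc_event: Dict[str, str], post_statuses: List[int],
             pam_errors: List[Tuple[str, int]]) -> str:
    """Combine the three sources the way the note does.

    PAM 7: UMC could not authenticate the user at all (the restart case). A 200 on the
    POST (form re-rendered) or error="password_rejected": the change was refused for
    another reason. PAM 12 alone is normal: PAM flags the expired password during the
    authentication step and UMC then continues with the change.
    """
    codes = {code for _, code in pam_errors}
    rejected = kc_event.get("error") == "password_rejected" or 200 in post_statuses
    if PAM_AUTH_ERR in codes:
        return VERDICT_RESTART_UMC
    if rejected:
        return VERDICT_REJECTED
    if 302 in post_statuses and codes <= {PAM_NEW_AUTHTOK_REQD}:
        return VERDICT_OK
    return VERDICT_INCONCLUSIVE


# Constructed samples (placeholder host, user and IDs) mirroring the excerpts in this note.
# The German reason text is UMC's message: "Authentication failed. Please log in again."
KC_FAIL = ('2025-08-06 14:23:34,495 WARN [org.keycloak.events] (executor-thread-1) '
           'type="UPDATE_PASSWORD_ERROR", realmId="ucs", realmName="ucs", '
           'clientId="https://portal.example.com/univention/saml/metadata", '
           'userId="f:00000000-0000-0000-0000-000000000000:jdoe", ipAddress="192.0.2.10", '
           'error="password_rejected", reason="Authentisierung ist fehlgeschlagen. '
           'Bitte melden Sie sich erneut an.", auth_method="saml", '
           'custom_required_action="UNIVENTION_UPDATE_PASSWORD", username="jdoe"')
RA = "/realms/ucs/login-actions/required-action?session_code=s&execution=UNIVENTION_UPDATE_PASSWORD&client_id=c&tab_id=t"
APACHE_FAIL = [f'auth.example.com:443 10.19.0.1 - - [06/Aug/2025:14:23:32 +0200] "POST {RA} HTTP/1.1" 200 6722 "-" "UA"']
APACHE_OK = [f'auth.example.com:443 10.18.0.1 - - [06/Aug/2025:14:45:34 +0200] "POST {RA} HTTP/1.1" 302 4644 "-" "UA"',
             'auth.example.com:443 10.18.0.1 - - [06/Aug/2025:14:45:35 +0200] "GET /realms/ucs/login-actions/'
             'authenticate?client_id=c&tab_id=t HTTP/1.1" 200 3180 "-" "UA"']
UMC_FAIL = ["06.08.25 16:03:26.099 AUTH ( ERROR ) : PAM: authentication error: (‘Authentication failure’, 7)",
            "06.08.25 16:03:26.099 AUTH ( ERROR ) : Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an."]
UMC_OK = ["06.08.25 14:45:35.113 AUTH ( ERROR ) : PAM: authentication error: "
          "('Authentication token is no longer valid; new one required', 12)"]

if __name__ == "__main__":
    print("failing case:", diagnose(parse_keycloak_event(KC_FAIL),
                                    required_action_post_statuses(APACHE_FAIL), umc_pam_errors(UMC_FAIL)))
    print("working case:", diagnose({}, required_action_post_statuses(APACHE_OK), umc_pam_errors(UMC_OK)))
```

To run it against a real system, feed the functions the actual files instead of the samples, for example `umc_pam_errors(open("/var/log/univention/management-console-server.log").read().splitlines())`, and the output of `univention-app logs keycloak` filtered to the UPDATE_PASSWORD_ERROR line of the affected user. The quote normalisation exists because log excerpts pasted into tickets or wiki pages, like the ones in this note, usually arrive with typographic quotes that a naive regex on `"` would miss.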