Change password operation in a failover environment

The password change operation during authentication can be adversely affected in a non-sticky load balancing environment. For example, a user receives the expired password form and completes the password change information required on the form. When the user sends the completed form, the load balancer connects to a different replica server. Because this new server is not aware of the previous contact with the original server, it prompts the user to log in. The user provides the old password and is again presented with the expired password form.

The change-password-auth stanza entry in the [acnt-mgt] stanza of the WebSEAL configuration file allows us to prevent additional login requests during change password operations. Setting change-password-auth = yes allows the new replica server to use the existing authentication information in the change password request (user name, original password, and new password) to authenticate the user and change the user's password.

To enable this controlled change password operation in a failover environment, set change-password-auth = yes in the [acnt-mgt] stanza.

For compatibility with versions of WebSEAL prior to version 6.0, the default setting is "no".
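
Because a replica left at the default still prompts for login, the setting has to match on every server behind the load balancer. The following check is an added example, not code from the product documentation: it reads WebSEAL-style configuration text per replica and lists the replicas where change-password-auth in [acnt-mgt] is not yes. The replica names, the sample file contents, and the last-entry-wins handling of a repeated entry are assumptions.

```python
import re

STANZA = "acnt-mgt"
ENTRY = "change-password-auth"
DEFAULT = "no"  # the page states that the default setting is "no"


def effective_setting(conf_text):
    """Return the value of change-password-auth that applies in [acnt-mgt]."""
    current = None
    value = DEFAULT
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out entries have no effect
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip()
            continue
        if current == STANZA and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == ENTRY:
                value = val.strip()  # assumption: a repeated entry overrides
    return value


def audit_replicas(configs):
    """configs maps replica name -> config text; return names not set to yes."""
    return sorted(name for name, text in configs.items()
                  if effective_setting(text) != "yes")


# Constructed sample input: three hypothetical replicas behind one balancer.
SAMPLE = {
    "replica-a": "[acnt-mgt]\nchange-password-auth = yes\n",
    "replica-b": "[acnt-mgt]\nchange-password-auth = no\n",
    # Entry placed in the wrong stanza and commented out in the right one,
    # so the default applies.
    "replica-c": "[server]\nchange-password-auth = yes\n"
                 "[acnt-mgt]\n# change-password-auth = yes\n",
}

if __name__ == "__main__":
    for name in audit_replicas(SAMPLE):
        print(f"{name}: {ENTRY} is {effective_setting(SAMPLE[name])!r}, "
              "password change may loop back to login after failover")
```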
