Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1204
Views
0
Helpful
10
Replies

Session abort when editing user in ACS 5.6

Christian Faessler
Level 1
Level 1

‎11-12-2014 05:35 AM - edited ‎03-10-2019 10:10 PM

Since the upgrade to ACS 5.6 we are not able to edit user settings in the 'Internal User Identity Store' anymore.

As soon as we click the 'submit' button in the 'user edit screen' we are immediately kicked out of the application and we land on the ACS loggin screen with the message 'user logged out successfully'.

The same thing happens with Firefox, IE and Chrome.

What's going on?

4 people had this problem
Labels:
0 Helpful
10 Replies 10

Dominic Stalder (old profile)
Level 4
Level 4

‎11-12-2014 07:20 AM

Hi Christian

just as an information for other guys having the same problem. We saw, that when you migrated from ACS 5.x to 5.6 and you have users with () in some fields (e.g. additional information fields), you have to delete these brackets and you are able (in some cases) to edit and save the new user information.

But there are still some users where we click submit, but the changes aren't saved, but you are not logged out of the session. We will further investigate this issue.

Regards

Dominic

 

0 Helpful

Dominic Stalder (old profile)
Level 4
Level 4
In response to Dominic Stalder (old profile)

‎11-13-2014 06:19 AM

Another update: a workaround for the problem with the users, which can not be saved, is to change their passwords. After that you are able to save them again.

Even if theses users - migrated from an earlier ACS 5.x version - do not have any special characters in their passwords, they have a problem while editing the user settings. In my opinion, this seems to be a bug in ACS 5.6.

Regards

Dominic

0 Helpful

Christian Faessler
Level 1
Level 1
In response to Dominic Stalder (old profile)

‎11-26-2014 02:11 AM

The reason for this behavior is the minimum password lenght rule. During the upgrad it was reset to 8 characters instead of 6 characters as bevore. The affected users could not be edited anymore unless the rule was changed or the password was reset with 8 characters.

This is the answer from TAC:

'It seems that you have minimum length for password configured as 8 character. For 146 users password length is less than 8 chars which are already present in the DB. Because of this configuration, user details are not getting updated.

To solve this, you need to either change the password policy to allow shorter passwords (6 characters) or change all the passwords that are less than 8 chars to meet the required length.

MGMT GUI: System Administration -->Users --> Authentication Settings --> Password Complexity--> Minimum length'

0 Helpful

supercell2929
Level 1
Level 1
In response to Christian Faessler

‎04-07-2015 08:35 AM

This issue (getting logged out) occurs even when trying to create a new Identity Policy (Access Policies --> VPN Access --> Identity --> Create). I cannot create new accounts and I cannot edit existing accounts. It does let me delete accounts. Not sure what to do here. Any advice would be great.

0 Helpful

Christian Faessler
Level 1
Level 1
In response to supercell2929

‎04-17-2015 06:54 AM

Hello Ian

Make sure you respect the mininum characters rule for passwords that is set on your system.

0 Helpful

Dominic Stalder (old profile)
Level 4
Level 4
In response to supercell2929

‎05-20-2015 09:41 PM

Hi Ian

did you try to install patch version 3 for ACS 5.6? I saw the following resolved issues:

- CSCur59417 ACS 5.x apostrophe,plus sign causing gui log out
- CSCut55144 Special characters issue
 
Best regards
Dominic
0 Helpful

radics.tibor1974
Level 1
Level 1
In response to Christian Faessler

‎04-23-2015 11:43 PM

Hi all

we have this Problem also.
We have e Group name "MDE Geräte" (MDE devices) what contains a special character.
We can not change the group name, because after that we are facing with the issue 'user logged out successfully'.
The usernames can be chnaged, but 1000 or more is to much work.
Can we to change this policy so, that this special character can stay?

Thanks

 

0 Helpful

Christian Faessler
Level 1
Level 1
In response to radics.tibor1974

‎04-27-2015 08:03 AM

I didn't find a way to allow the forbidden special characters. According to Cisco it is for security reason.

0 Helpful

radics.tibor1974
Level 1
Level 1
In response to Christian Faessler

‎04-27-2015 11:22 PM

Thank you. I oppened a TAC.

0 Helpful

Christian Faessler
Level 1
Level 1

‎11-26-2014 02:04 AM

This is the answer from TAC regarding the situation with the session aborts:

'Regarding the issue with the user logout when attributes contain special characters, ACS is not allowing those chars to protect from vulnerable injection. So you should not have those characters in the fields.'

Conclusion: Do not use special characters like () in any field of the 'user edit screen'.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents