Password History not Working!


Our team is facing challenges implementing password history. We have implemented password complexity in our AD environment and currently check against a number of previously used passwords. Our IQService account does have more permissions than what the documentation calls for, due to the need to manage highly privileged accounts. Would that cause an issue with password history? Any help would be much appreciated.

Hi Austin,
Password History is OOTB and should work fine. Could you please let us know how you have configured your Pass-Through Authentication? Also, can you please go to Active Directory Source → Configuration → Additional Settings → Enforce Password Policy?


We have enabled Enforce Password Policy and we are using our Active Directory domain for PTA.

@RAKGDS After doing some additional research, I’m still uncertain about the password history functionality. The SailPoint documentation references setting both the “Change Password” and “Reset Password” features. If you look at the Active Directory documentation, a Password Change requires the user’s current password, whereas a Password Reset does not. End users that utilize the SailPoint IdentityNow password management feature never enter their current password. They pass the authentication requirements, then enter a new password. From that point, IdentityNow treats this as an admin password change. If I am wrong, please let me know. Any help would be greatly appreciated.

Hi Austin,
Let’s take the scenarios case by case.

  1. Reset Password: This scenario is when the user has forgotten his password and is now coming into IdentityNow to reset his AD password.
  2. Change Password: This scenario is when the user is authenticated into IdentityNow using his AD password and is now trying to change his AD password. From the IdentityNow perspective, as you are already authenticated using your AD password, it does not ask for the password again and allows you to change the password.

Let me know if you have any questions on the scenarios explained above. We have PTA implemented in our system and it works like a charm. If you are having issues with your PTA, you might need to raise a SailPoint ticket to fix it.

Thanks
Rakesh Bhati
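To make the two AD operations discussed in this thread concrete, here is an added lab check (not part of the original thread, and not SailPoint or IQService code). It uses the standard ActiveDirectory module cmdlet Set-ADAccountPassword in its two forms: a change, which must supply the user’s current password, and a reset, which does not. Running both against a test account with a previously used password shows which path the domain’s history policy rejects, so you can compare that with whatever operation the IdentityNow connector actually issues. The account name, passwords and domain controller below are assumed placeholders.

```powershell
# Added lab check: exercise the AD "change" path (old password required) and the
# AD "reset" path (no old password) with a previously used password, and report
# whether the domain rejects each one. All values below are assumed placeholders.
Import-Module ActiveDirectory

$Identity    = 'lab-testuser'            # assumed test account in a lab domain
$DomainCtrl  = 'dc01.lab.example'        # assumed writable domain controller
$CurrentPwd  = ConvertTo-SecureString 'Current-P@ssw0rd-1' -AsPlainText -Force
$ReusedPwd   = ConvertTo-SecureString 'Old-P@ssw0rd-2'     -AsPlainText -Force  # assumed to be in the history

function Test-PasswordPath {
    param(
        [Parameter(Mandatory)] [string] $Path,          # 'Change' or 'Reset'
        [Parameter(Mandatory)] [scriptblock] $Action    # the cmdlet call to exercise
    )
    try {
        & $Action
        # No exception: the domain accepted a previously used password on this path.
        [pscustomobject]@{ Path = $Path; HistoryEnforced = $false; Detail = 'accepted' }
    }
    catch {
        # The domain (or a password filter) refused the value; record why.
        [pscustomobject]@{ Path = $Path; HistoryEnforced = $true; Detail = $_.Exception.Message }
    }
}

$results = @(
    # Change: the caller proves knowledge of the current password.
    Test-PasswordPath -Path 'Change' -Action {
        Set-ADAccountPassword -Identity $Identity -Server $DomainCtrl `
            -OldPassword $CurrentPwd -NewPassword $ReusedPwd -ErrorAction Stop
    }
    # Reset: an administrative set that does not supply the current password.
    Test-PasswordPath -Path 'Reset' -Action {
        Set-ADAccountPassword -Identity $Identity -Server $DomainCtrl `
            -Reset -NewPassword $ReusedPwd -ErrorAction Stop
    }
)

$results | Format-Table -AutoSize
```

Run this only against a disposable lab account, because a successful call really does set the password. The row whose HistoryEnforced value is false tells you which AD operation lets a reused password through in your domain; if that matches the operation your connector performs for self-service changes, the history setting you see in the policy is not the one being exercised.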

@RAKGDS I’ve reached a dead end with support unfortunately. If the user is logging into IdentityNow via an IdP like Azure, how would that work for “Change Password”? Furthermore, I’m not sure how IdentityNow is passing the secret used for login without an IdP for the password change. Those are two separate actions.

@RAKGDS Is it possible that if IDC/IDN is configured to use SSO and not Pass-Through Authentication, users are not going against AD when logging in? IDC would not know the current password at that point.

Hi Austin,
Yes, that can be configured. IDN can be configured as a Service Provider. Please find below the link to configure the same.