FIM and SAP Password Synchronization
Hi, I am currently dealing with a SAP password synchronization issue. There are several hints around that state that password sync only works with SAP/R3 4.7; TechNet says that, too. In http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/b0efaf86-a749-4069-a089-d2ee04dff191 it is stated that password reset functionality was removed in SAP ECC 5.0 and then added back in v7 as a hotfix.

The SAP I am using is Netweaver 7.02. The BAPI_USER_CHANGE function is exposed with several password-related parameters (PASSWORD, PASSWORDX and PRODUCTIVE_PWD). The user.newPassword value is flowed to the parameter PASSWORD, but when resetting the user's password the following error message is logged:

An unexpected error has occurred during a password set operation.
"BAIL: MMS(5232): ma.cpp(373): 0x80040154 (Class not registered)
BAIL: MMS(5232): ma.cpp(7624): 0x80040154 (Class not registered)
BAIL: MMS(5232): ma.cpp(8073): 0x80040154 (Class not registered)
Forefront Identity Manager 4.0.2592.0"

Can anyone please clarify if password reset is supposed to work when the mentioned hotfix has been applied?

Best regards
Steffen
July 7th, 2011 11:31am

Steffen, I can't answer for that specific version of SAP. But, could you explain how you configured password change in the tool?

Paul.
Paul Loonen (Avanade) | MCM: Directory 2008 | MVP: ILM
July 7th, 2011 4:48pm

I followed the instructions in the ERP MA help file:

1) add a new set password operation for object type "user"
2) add a new function for set password: select BAPI_USER_CHANGE and edit function parameter PASSWORD to flow user.newPassword to this parameter

Afterwards the Add or Edit Operation Wizard lists the following:

Functions for operations: setpassword
Name BAPI_USER_CHANGE
Parameter: PASSWORD
Alias: user.newPassword
isRef: True
Definition: False

Anyway, it looks like this is not a configuration issue and that password synchronization functionality can only be used with 32bit management agents if hotfix build 4.0.3576.2 has been applied (see kb2502631). I'm going to verify this tomorrow.

Best regards
Steffen
July 7th, 2011 5:12pm

Okay, you need to be at least on build 4.0.3576.2 to make password management with 32bit management agents like the ERPMA work. To enable password synchronization with SAP Netweaver 7.0, the setpassword operation has to be configured like this:

Add the BAPI_USER_CHANGE function and flow the following values into these parameters:

BAPI_USER_CHANGE.USERNAME -> user.anchor as reference (IsRef=True)
BAPI_USER_CHANGE.PASSWORD.BAPIPWD -> <randomly generated or static password as value>
BAPI_USER_CHANGE.PASSWORDX.BAPIPWD -> "X" as value

Add the SUSR_USER_CHANGE_PASSWORD function and flow the following values into these parameters:

SUSR_USER_CHANGE_PASSWORD.NEW_PASSWORD -> user.newPassword as reference (IsRef=True)
SUSR_USER_CHANGE_PASSWORD.PASSWORD -> <randomly generated or static password as above>
SUSR_USER_CHANGE_PASSWORD.BNAME -> user.anchor as reference (IsRef=True)

Please note that you have to call two BAPIs to make this work. The first BAPI sets a new initial password which has to be changed the next time the user logs on. To circumvent this unwanted behaviour you have to call the second BAPI inside the setpassword operation to set a new permanent password. Whether you have to randomly generate a password for the intermediate step might depend on the security policies inside the SAP system.

Please also note that the second BAPI obeys local SAP security policies regarding the password complexity. If setting the permanent password fails due to policy restrictions, the user account might end up with the initial password set in the first step. SAP says that this way of setting a permanent password is not recommended due to security and reliability reasons.
July 8th, 2011 4:03am
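The two-call sequence and its failure mode described in the post above, as an added example that is not part of the original thread and is not FIM or SAP code. The `call` invoker, the `FakeSap` stand-in and the complexity and length rules are assumptions made for illustration; only the function and parameter names come from the thread.

```python
import secrets
import string

class PasswordSetIncomplete(Exception):
    """Step 1 succeeded, step 2 failed: account is left with the initial password."""

def random_intermediate(length=20):
    # Assumed complexity rule (upper, lower, digit); the real SAP policy may differ.
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(f(c) for c in pw) for f in (str.isupper, str.islower, str.isdigit)):
            return pw

def set_permanent_password(call, username, new_password):
    # call(function_name, **params) is a hypothetical RFC invoker that raises on failure.
    intermediate = random_intermediate()  # never logged or returned
    # Step 1: BAPI_USER_CHANGE sets an initial password (must be changed at next logon).
    call("BAPI_USER_CHANGE", USERNAME=username,
         PASSWORD={"BAPIPWD": intermediate}, PASSWORDX={"BAPIPWD": "X"})
    try:
        # Step 2: SUSR_USER_CHANGE_PASSWORD replaces it with the permanent password.
        call("SUSR_USER_CHANGE_PASSWORD", BNAME=username,
             PASSWORD=intermediate, NEW_PASSWORD=new_password)
    except Exception as exc:
        # Surface the half-finished state instead of a generic sync error.
        raise PasswordSetIncomplete(
            f"{username}: permanent password rejected, initial password still set") from exc
    return True

class FakeSap:
    """Constructed in-memory stand-in for the SAP system so the example runs offline."""
    def __init__(self, min_len=8):
        self.min_len = min_len
        self.users = {}  # username -> (password, is_initial)

    def __call__(self, fn, **p):
        if fn == "BAPI_USER_CHANGE":
            self.users[p["USERNAME"]] = (p["PASSWORD"]["BAPIPWD"], True)
        elif fn == "SUSR_USER_CHANGE_PASSWORD":
            if p["PASSWORD"] != self.users[p["BNAME"]][0]:
                raise ValueError("current password mismatch")
            if len(p["NEW_PASSWORD"]) < self.min_len:  # constructed policy check
                raise ValueError("policy: new password too short")
            self.users[p["BNAME"]] = (p["NEW_PASSWORD"], False)
        else:
            raise ValueError(f"unexpected function {fn}")
```

Catching `PasswordSetIncomplete` separately lets the caller flag accounts that hold only the random intermediate password, which no user knows, so they can be retried or reset.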

This topic is archived. No further replies will be accepted.
