+ Start a Discussion
cesarcesar 

Password Never Expires - odd behavior

We have been experiencing odd behavior with the "Password Never Expires" capability on the profiles and I was wondering if anyone else has experienced the same.
 
We have integrations built that access SFDC through the API.  We created separate user accounts and profiles for these integrations.  The integration profiles have been marked as "API Only" and "Password Never Expires".  We want to preserve the password considering this is an integration account.
 
For our regular users (non integration) we have established the password policies with "password expires 90 days".  Therefore, users are forced to change their passwords every 90 days.
 
Our integration user accounts have been getting the following error when trying to login using our integration or any other api application, such as the data loader:
Web service callout failed: WebService returned ­a SOAP fault:
INVALID_OPERATION_WITH_EXPIRED_PASSWORD: The user’s password has expired, You must call
SetPassword before attempting any other API operations
Faultcode=sf: INVALID_OPERATION_WITH_EXPIRED_PASSWORD
 
Although this error is produced when attempting to login through the integration account -- if the login history is viewed for this specific user, the history displays the login as "Successful".  In addition, we reset the password on the integration user account and the integrations continue to work ... for approx. 90 days then the same thing happens.  The same behavior happens in our sandbox environment.
 
I have contacted SFDC support but they do not seem to know what is causing this issue and their recommendation is to reset the password so they can monitor that account and see if it happens again.  It seems to me that the password policies are not adhering to the "password never expires" on the "API Only" integration accounts.
 
Please let me know if anyone has experienced the same behavior or has any additional information regarding this issue.
 
Thank you

 

 

dawnzdydawnzdy

Yes, same error.

I just changed my password in Sandbox and updated it also in Eclipse. 

SrinuSrinu
Hi cesar/dawnzdy

we are experiencing same issue with our integration user eventhough "Password Never Expired" has enabled on profile level. and we have "API Enabled" on profile level. 

Question: We have User Password Expire in = "90 days" under Security Controls -> Password Policies. Does this should be selected to "Never Expries"?

Can you guys suggest us what should we take care to handle this password expiration after 90 days eventhough required permissions has provided?

Regards,
cesarcesar
Hello Srinu - for integraion users, you set the "Password Never Expires" directly on the profile.  On the profile in the System Permissions, there is a Password Never Expires setting.  You can set this for specific profiles ... no need to change the password policies.
SrinuSrinu
Hi cesar,

OK, I made this change. I have one more question: Does the profile setting must be set to never expire?
Profile->System->Password Policies should be changed to "Never Expires"?

Thanks,
Srinu.
cesarcesar
Hello Srinu.  Not sure what you mean.  

If you go to Profile->System->Password Never Expires ... check that for the profile where the api user is assigned. 

There is another area, Security Controls->Password Policies, you do not need to change this.
Ken  ChibaKen Chiba
Hi Cesar.

I'm late to the party... but I just experienced the same thing.  My org's default policy (Administration Setup -> Security Controls -> Password Policies) is set to have passwords expire in 90-days, but the "API only" user is assigned to a custom Profile that is set to never have passwords expire.

I can't speak to how you've done things on your Org, but I suspect it may be in the way I created the password (and security token) for the "API only" user (which I use for integrations).  Unsure of how I could obtain/create a security token for the integration user when creating a password, I had to temporarily switch the Profile of the user to a standard Salesforce.com Profile.  This allowed me to log in via web interface to change the password and have the security token emailed to me.  After setting completing this step, I switched the Profile for the integration user back to the "API only" Profile.

Here's my guess as to what's causing the issue: the standard Profile I had switched the user into when setting up the password, has the default "90-day expiry" password policy.  I'm guessing the API user retained this password policy when the password was set, even though the user was switched back to the "API only" Profile (that has a "password never expires" policy).  

I don't have a quick way to test this theory; suppose I could use a sandbox instance and create a password for a user in a Profile set to have passwords expire in 30-days, and switch the user over to a Profile with a non-expiring password policy (and see what happens in 30-days).

To attempt to get around this, I cloned a standard Salesforce.com Profile (that has web UI access) and set the password policy to "never expires".  I switched the integration user into this new custom Profile, logged into the user account, and set a new password (and received a new token).  I've then switched the user back into the "API only" profile.  Guess I'll find out in 90-days if my workaround was effective or not.

Good luck!
Keerthi PenumutchuKeerthi Penumutchu
Hi Ken,

I would assume that would the only way you could do it, None of my other accounts have problem, Maybe a particular API Callout causes the issue?

 
Ken  ChibaKen Chiba
Hi All,

Just an update: it has now been over 90-days (my Org's default password expiry timeframe), and my API only user's password still works.  To recap the problem:
  • Most Profiles in my Org are set to the Org's default password expiry policy of 90-days.
  • I have an API only (custom) Profile with the password setting set to "never expires".  However, in order to generate a security token, I had to temporarily change the API only User into another Profile in order to set a password through the UI.  The Profile I had temporarily moved the user into, had the 90-day password expiration policy.
  • I switched the API User back into the API only (custom) Profile (which has the no expiration policy).
  • The password expired after 90-days.
I didn't realize that password expiration follows the profile in which the password was set, even though it was moved to a profile where the password never expires (never saw it in the documentation from what I can recall).  So to work around this:
  • I created/cloned another UI-accessible Profile and set the password policy for that Profile to "never expires".
  • I switched the API only User into this custom profile in order to set the password via the UI (and receive the security token).
  • I switched the user back to the API only (custom) profile.
  • Password no longer expires after 90-days.
Hope that helps some others who have run into the same as I did.