I wrote a change password module in XPages instead of using the ?changepassword feature. I was able to get the Admin Process for changing a password to work, and am able to change HTTP passwords using an XPage and SSJS (see the post here). The problem is that after the web user changes their HTTP password, about 1 minute or less after the admin process performs the password change request, the user gets locked out of the server. The server displays the following error 14 times:
nHTTP: [email protected] [192.168.0.197] authentication failure using internet password
Then it displays the following message:
nHTTP: [email protected] [192.168.0.197] has just been locked out via internet password lockout: User is locked out
The server is set to use Single Server Session Authentication; most other settings are vanilla. It's set up to use a self-cert (for testing), with lockout set to 15 tries. We also use the OAuth Token Store for Facebook and LinkedIn authentication.
If I delete the lockout record and try to log back in, the server locks me out again right away; the server console shows multiple tries even though I just tried to log in once. If I delete the lockout record and switch to a different browser (Firefox or Chrome) then I'm able to log in fine. I'm assuming this is an authentication token problem: when I change my internet HTTP password on the server, the client doesn't get the updated information, and when the client passes key info to the server it no longer matches and causes it to lock me out.
The dbname.nsf?changepassword feature with $$ChangePasswordForm works, and I will probably use it, but I was hoping that if someone had seen this before they could give me a way to solve it.
I think the key to the issue is in your comment
If I delete the lockout record and switch to a different browser (Firefox or Chrome) then I'm able to log in fine.
The problem, I think, is that the user, after changing their password, has an invalid token representing their authentication details in the cookie LTPAToken. In the response after successfully changing the password, use a setCookie call or some other method to invalidate/delete the cookie, and force the user to re-authenticate.
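One way to do what this answer suggests, as an added example that is not code from the original posts: expire whichever session cookies the browser actually sent, in the same response that confirms the password change. The cookie names (`LtpaToken`, plus `DomAuthSessId`, which Domino uses for single-server sessions), `Path=/`, and the helper names are assumptions; it is written in plain ES5 against the servlet request/response methods so it can be pasted into an SSJS script library.

```javascript
// Added example, not the poster's code.
// Assumption: these are the session cookie names on this server and they were set with Path=/.
var SESSION_COOKIES = ["LtpaToken", "DomAuthSessId"];

// Return the names, exactly as the browser sent them, of session cookies in a Cookie header.
// Matching is case-insensitive so "LTPAToken" and "LtpaToken" are both caught.
function findSessionCookies(cookieHeader, names) {
  var found = [];
  var parts = String(cookieHeader || "").split(";");
  for (var i = 0; i < parts.length; i++) {
    var name = parts[i].split("=")[0].replace(/^\s+|\s+$/g, "");
    for (var j = 0; j < names.length; j++) {
      if (name.toLowerCase() === names[j].toLowerCase()) { found.push(name); }
    }
  }
  return found;
}

// Build a Set-Cookie value that makes the browser drop the named cookie.
// A cookie issued with a Domain attribute (multi-server SSO) is only removed
// when the same Domain is supplied here.
function expiredCookieHeader(name, secure, domain) {
  var h = name + "=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly";
  if (domain) { h += "; Domain=" + domain; }
  if (secure) { h += "; Secure"; }
  return h;
}

// Call once the password change has succeeded. In an XPage:
//   var ec = facesContext.getExternalContext();
//   expireSessionCookies(ec.getRequest(), ec.getResponse());
function expireSessionCookies(request, response, domain) {
  var sent = findSessionCookies(request.getHeader("Cookie"), SESSION_COOKIES);
  for (var i = 0; i < sent.length; i++) {
    response.addHeader("Set-Cookie",
      expiredCookieHeader(sent[i], request.isSecure(), domain));
  }
  return sent; // names that were expired, useful for logging
}
```

After the headers are added, redirect the user to the login page so the next request carries the new credentials rather than the stale token.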