ESSO keeps prompting for authentication and Provisioning Gateway changes do not take effect after AD accounts are re-created
Last updated on AUGUST 04, 2016
Applies to: Oracle Enterprise Single Sign-On Suite - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
This issue affects all versions of ESSO that are configured to use WinAuth V2 with passphrase suppression (using user SID). It can also manifest as Provisioning Gateway instructions not propagating to these user accounts.
After AD accounts are re-created (the old account is deleted and a new one is created with the same userid), a user who tries to access the ESSO wallet is prompted by ESSO to re-authenticate. The credentials are not accepted; instead, the user gets a pop-up message stating: "ESSO-LM cannot initialize your password reset method". The Trace Controller registers the following event: "Cannot decrypt key with current SID and cannot find correct SID in history". Any instructions issued via the Provisioning Gateway get stuck as "In progress".
The trigger is deleting and re-creating the AD account without clearing the credential store. A re-created account receives a new SID even though the userid is unchanged, which is consistent with the Trace Controller event above.