403 Forbidden Error

Our users are reporting an error when clicking on Trouble Logging In. We are using version 8.4.3, and recently 2 Pega Security Hotfixes were applied by Pega Cloud.

Users are provided an OTP by email; the user enters the details on screen, then chooses a new password and confirms the password. Then the user gets the 403 error.

We have raised a service ticket but have nothing back from Pega on this at the moment. Wondering if anyone else has similar issues and, if so, how to fix it?

Hello @Justin

Could you please share the service ticket ID? I shall update the post to include it.

Thank you.

Hi Justin,

Did you fix that issue yourself or get a hotfix from Pega? We use 8.4.5 but are getting the same error.

Sergey

@SergeyK0978

The C21 hotfix should help you get a fix for this issue.

Raise an SR with the Pega team and ask them to schedule a request for C21 hotfix installation.

@Gunasekaran_Baskaran

Hi, we are encountering the same issue with Pega 8.5.6.

Upon clicking reset password, the user is redirected to a 403 Forbidden error.

Forbidden 403.zip (136 KB)

We are getting the same error in 8.6.2.

@JillMC

Please make sure that you have installed the relevant hotfix for your 8.5.6 version.

Pega Security Advisory - C21

Are you getting this issue *only* when trying to change the password after entering the verification code, or in other scenarios?

Is your deployment on a Cloud instance?

If so, the issue may be due to an incorrectly set security rule in the WAF (Web Application Firewall) preventing password changes.

See:

Troubleshoot your Application Load Balancers - Elastic Load Balancing

Solution:

In that scenario, please have the cloud team remove the security rule in the WAF (Web Application Firewall) for the “Trouble logging in” functionality.

i.e. remove PREFMManaged-Code-Security-pzChangeUserPassword from the WAF, which causes the 403 error on the forgot-password functionality.

If that does not resolve it, please log a Support Incident, and in the support ticket provide the below:

  1. Network trace

  2. Reproduce the issue again with LogHttpRequest enabled and provide the security alerts and PegaRULES logs.

If there is no error in the security alerts and the LogHttpRequest logger does not log the change password URL, then my guess is the load balancer is somehow blocking the request.

  1. Can you please confirm if you have any customized authentication in place?

  2. Can you please confirm if you have the same issue for every access group?

  3. Can you please confirm if you have done changes to the access groups before you saw this issue?

In the support incident, remember to attach the logs from the issue’s timeline (PegaRULES logs, security alerts, security events and alerts).

Please provide the incident ID here if you choose to log a support request for this. That will help us track your issue with you.
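An added triage helper illustrating the check described above (example code, not from the thread or from Pega): if the client-side trace shows a 403 for the change-password request but neither the LogHttpRequest output nor the security alerts mention that URL, the request was blocked before it reached the application, which points at a WAF or load balancer rule. The log formats, paths and sample lines below are constructed for the example.

```python
import re

# Constructed sample data (hypothetical formats and paths, not Pega's real log layout).
# Client-side view of each request: "METHOD URL STATUS".
NETWORK_TRACE = """\
POST /prweb/pzChangeUserPassword 403
POST /prweb/PRAuth/login 200
GET /prweb/app/static.css 200
"""

# Application-side view: what the LogHttpRequest logger actually recorded.
APP_HTTP_LOG = """\
2021-02-10 09:12:01 INFO LogHttpRequest - POST /prweb/PRAuth/login
2021-02-10 09:12:02 INFO LogHttpRequest - GET /prweb/app/static.css
"""

SECURITY_ALERTS = ""  # nothing was raised in the failure window

TRACE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
APP_RE = re.compile(r"LogHttpRequest - (?P<method>[A-Z]+) (?P<url>\S+)")

def parse_trace(text):
    """Yield (method, url, status) for each well-formed trace line."""
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            yield m["method"], m["url"], int(m["status"])

def app_seen_urls(text):
    """URLs the application itself logged via LogHttpRequest."""
    return {m["url"] for m in APP_RE.finditer(text)}

def classify_403s(trace, app_log, alerts):
    """For every 403 in the trace, decide where the denial most likely came from."""
    seen = app_seen_urls(app_log)
    verdicts = {}
    for _method, url, status in parse_trace(trace):
        if status != 403:
            continue
        if url in seen or url in alerts:
            # The application saw the request, so the 403 is an app-side decision.
            verdicts[url] = "denied by application"
        else:
            # Never reached the app and no security alert: blocked upstream.
            verdicts[url] = "blocked before application (check WAF/load balancer rules)"
    return verdicts

if __name__ == "__main__":
    for url, verdict in classify_403s(NETWORK_TRACE, APP_HTTP_LOG, SECURITY_ALERTS).items():
        print(f"{url}: {verdict}")
```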

@Justin I can see that on February 18th 2021 you agreed to close support ticket INC-163088 (Users unable to reset passwords with option “Trouble logging in”) based on the solution provided by the Cloud team.

The issue was related to the A21 hotfix patching procedure.

Solution description: After installation of the A21 hotfix, the cloud team had to remove one blocking rule to re-enable the functionality.

I will close this thread based on the support ticket resolution details provided here.

@GunaSekaran_B as I can see it was already installed into our dev environment

@SrinivasP1728 for your 8.6.2 issue the fix connected to C21 should be already in place.
