Salesforce.com Password Changer
As of version 8.6, Secret Server supports password changing for Salesforce.com accounts under the Web User Account secret Template, by selecting the Salesforce Password Type under Remote Password Changing. In version 11.7.3, and Distributed Engine version 8.4.27.0, the standalone Salesforce secret template was added.
The Secret Server Web server's outbound IP Address must be added to the IP Address white list for your Saleforce.com organization. Please refer to the Salesforce.com documentation for instructions on how to set this up. See Restricting Login IP Ranges for Your Organization.
In cases where this is not set up correctly, you may see the follow error in the Remote Password Changing logs:
Login failed: LOGIN_MUST_USE_SECURITY_TOKEN: Invalid username, password, security token; or user locked out.
Please note:
-
Secret Server can only communicate to the following Salesforce default Login URLs: https://test.salesforce.com and https://login.salesforce.com.
-
Having the domain URL in the secret will not work and will throw this exception:
Login failed: INVALID_LOGIN: Invalid username, password, security token; or user locked out. Only those two URLs work. -
There are three required Salesforce configurations:
- Go to Setup > Administration > Users > Profile. Choose the user profile. Make sure that Enabled API is checked. This option is not available in all versions of Salesforce. Other versions will not have this enabled by default. Please see this "Enable API" not available article. If this setting is not enabled in Salesforce you will get one of these errors:
ERROR: Secret 'Salesforce Test' (Id = 1063) on Site 'EARTH' returned (LoginFailed). Exception: Login failed: API_DISABLED_FOR_ORG: API is not enabled for this OrganizationorPartner,System.Web.Services.Protocols.SoapException: API_DISABLED_FOR_ORG: API is not enabled for this Organization or Partner. - Configure network access and allowlist the distribute engine or Secret Server IP address. If this is internal, use the public IP address.
- Go to Setup > Company Settings > My Domain. Edit my domain settings and make sure that Prevent login from https://login.salesforce.com is unchecked.
- Go to Setup > Administration > Users > Profile. Choose the user profile. Make sure that Enabled API is checked. This option is not available in all versions of Salesforce. Other versions will not have this enabled by default. Please see this "Enable API" not available article. If this setting is not enabled in Salesforce you will get one of these errors:
