When signing into a Service Desk application (Console, Web Access, Workspaces) that has been set up to use the explicit logon type.
User will be unable to login via explicit login after you set the new Hash Algorithm, as now an SHA2 Hash is been expected but the old MD5 hash is still in place.
You cannot extract the original Password out of Hashes, so you will need to set a new deafult password for your users (e.g. via New password Hashes in 2017.1)
This is caused by the user's hash algorithm value not matching the database's hash algorithm value. This controls how the user's password is read from the database. This only affects the explicit logon type and will not have any effect on the options for Integrated, Shibboleth, Token, or Identity Server.
Solution / Workaround:
To correct this error any user's hash value that is not correct needs to match the database value. The attached script will read the database value and update any user's that are not set correctly.
declare @algorithm int = (select md_password_hash_algorithm from md_catalog)
update tps_password set tps_password_hash_algorithm = @algorithm
where tps_password_hash_algorithm <> @algorithm