The facts on self-service password reset and Active Directory cached credentials

Introduction

You have sent your army of road warriors out in the wilderness with Active Directory-connected laptops. What do you do when they forget their password? You use a self-service password reset solution, where the user logs onto a website and changes their AD password, and everything is just hunky dory…right?

Wrong. Because the next thing the user does is try to log in to their AD-connected laptop with the new password, and it fails.

Why Does It Fail?

When Windows cannot reach the domain, it logs the user on with the most recently used credentials it has cached locally. But the user has just forgotten that password and reset it to something new. The self-service solution changed the password on the domain via a web service, and it did not inform the laptop. So the laptop still expects the old password, which the user has forgotten.

Why Doesn’t Self-Service Update the Cached Credentials?

Firstly, the user most likely performed the password change in a browser on another machine or on a mobile phone. Secondly, even if the self-service solution wanted to “tell” the laptop, there is no mechanism for changing the cached credentials: Microsoft provides no API for it, even when the user performs the password change through a Credential Provider installed directly on the laptop.

The only way the laptop cached credentials will reset to the new password is when the computer can communicate with the Active Directory domain and the user logs in with their new password. Connecting to the domain allows the Windows logon subsystem to verify the new password and replace the cached credentials.

There is no other way to do this. I know because I tried. There are hacks and ways to use hidden Microsoft APIs, but the fact is, Microsoft does not want anyone to mess with cached credentials, and rightly so.

How Can I Solve this Problem?

The solution is straightforward: the user must be connected to the domain when they log into the laptop with their new credentials. The tool for this is a Virtual Private Network (more commonly known as a VPN). Make sure that the user can bring up a VPN into the network BEFORE logging on to the computer.

Naturally, this requires a solution integrated into the Windows logon, so that the user can start the VPN before entering the password, because it is during the logon process that the cached credentials are updated.
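The two paragraphs above come down to one condition: at the moment of logon, the laptop must be able to reach a domain controller over a healthy machine-account channel, otherwise the logon is served from the cache and the old password is still expected. The following PowerShell check is an added example written for this article; it is not LogonBox code and not part of any product described here. It assumes an elevated PowerShell 5.1+ session on a domain-joined Windows client, and it reports whether an interactive logon right now would be validated online (and so refresh the cached credentials) or served from the cache.

```powershell
# Added example, not LogonBox code: is this laptop in a state where a logon with the
# NEW password will be verified by a domain controller and the cached credentials replaced?
# Assumes: elevated PowerShell 5.1+ on a domain-joined Windows client.

function Test-CachedLogonRefreshReadiness {
    [CmdletBinding()]
    param()

    # 1. How many interactive logons does this machine cache? Windows defaults to 10; 0 disables caching.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # value absent means the Windows default applies

    # 2. Which domain is this machine joined to?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw 'This computer is not domain-joined; cached domain credentials do not apply.'
    }
    $domain = $cs.Domain

    # 3. Locate domain controllers through the same DNS SRV record the Windows locator uses.
    $dcs = @()
    try {
        $dcs = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' } |
                 Select-Object -ExpandProperty NameTarget)
    } catch {
        # DNS failed: typical when the VPN is not up yet, so no DC can be found.
    }

    # 4. Can we reach Kerberos (88) and LDAP (389) on at least one of them?
    $reachable = @(foreach ($dc in $dcs) {
        $krb  = (Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue).TcpTestSucceeded
        $ldap = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        if ($krb -and $ldap) { $dc }
    })

    # 5. Is the machine account's secure channel to the domain healthy? (Needs elevation.)
    $secureChannel = $false
    try { $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop } catch { }

    [PSCustomObject]@{
        Domain             = $domain
        CachedLogonsCount  = [int]$cached
        DomainControllers  = $dcs
        ReachableDCs       = $reachable
        SecureChannelOK    = $secureChannel
        # Only when a DC is reachable AND the secure channel is good will the logon be
        # validated online and the locally cached credentials replaced with the new password.
        WillRefreshOnLogon = ($reachable.Count -gt 0 -and $secureChannel)
    }
}

Test-CachedLogonRefreshReadiness | Format-List
```

Run it once before the VPN is connected and once after: the difference in ReachableDCs and WillRefreshOnLogon is exactly the difference between a cached logon that still expects the forgotten password and a domain logon that accepts the new one. CachedLogonsCount is reported because a value of 0 means there is no cached logon to fall back on at all, which changes the failure mode from “wrong password” to “no logon servers available”.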

LogonBox provides both components necessary to solve your cached credentials problems. LogonBox SSPR provides a self-service portal with flexible options for users to reset, unlock and manage their passwords.

The LogonBox VPN provides a virtual private network solution that users can start from the Windows logon screen. Integrating both solutions ensures that users always have access to their AD-connected laptops with the proper credentials.

With version 2.4.4 of the LogonBox platform, resetting cached credentials became even easier for customers who purchase both our VPN and SSPR solutions. With an integrated VPN client, the Administrator can configure the LogonBox Credentials Provider to launch the VPN silently after a successful password reset operation. With no need to train your end users to start the VPN, it works in the natural flow of password changes.

Reset Your Password with LogonBox

After selecting the reset password option, there is an additional step, which is to verify the user account.

There can be one or more authentication steps in order to do this; a common option is a security question. The authentication method can vary, but this is simply an example of a popular choice for password management and AD password resets. Such questions are typically along the lines of “What was your mother’s maiden name?” or “What was the make of your first car?”.

After answering the security questions and validating the user’s identity, the user can then provide a new password.

The password policy is taken from the connected user directory. It is also worth noting that for passwords in Active Directory, both the default domain policy and any further password policies that apply to the user are enforced.
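To see which policy a given user’s new password will be measured against, an administrator can ask Active Directory for the user’s resultant policy. This is an added example written for this article, not LogonBox code; it assumes the RSAT ActiveDirectory PowerShell module and read access to the domain, and “jdoe” is a placeholder account name.

```powershell
# Added example, not LogonBox code: which AD password policy governs a given user?
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    Import-Module ActiveDirectory -ErrorAction Stop

    # A fine-grained password policy (PSO) that applies to the user or one of its groups
    # takes precedence over the Default Domain Policy; otherwise the default applies.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($fgpp) {
        $source = "Fine-grained policy '$($fgpp.Name)' (precedence $($fgpp.Precedence))"
        $policy = $fgpp
    } else {
        $source = 'Default Domain Policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    # Both policy object types expose the same settings, so one report shape covers both.
    [PSCustomObject]@{
        User                 = $SamAccountName
        Source               = $source
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MinPasswordAge       = $policy.MinPasswordAge
        MaxPasswordAge       = $policy.MaxPasswordAge
        LockoutThreshold     = $policy.LockoutThreshold
        LockoutDuration      = $policy.LockoutDuration
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe'   # 'jdoe' is a placeholder account name
```

This is useful when a reset is rejected and the help desk needs to know whether the Default Domain Policy or a fine-grained policy produced the rejection; the Source field answers that directly.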

Once the user has entered their new password, the job is done, and they will receive a notification that their password has been reset successfully.

Other Password Management Options

There is also a range of other methods for resetting your password.

These include 2FA (two-factor authentication) and MFA (multi-factor authentication), which can involve a code being sent to the user’s phone number or email address.

The benefits of having this in place are not only security related: it also reduces help desk calls for the IT department, freeing them to get on with more pressing tasks rather than spending time resetting users’ passwords.

Get in Touch

So if you need any help with secure password management, or with getting Active Directory users and their computers connected again, LogonBox can help. Give us a call on +44 115 8713120 or drop us a message to learn more about how we can help you!