
The facts on self-service password reset and Active Directory cached credentials

Introduction

You have sent your army of road warriors out in the wilderness with Active Directory-connected laptops. What do you do when they forget their password? You use a self-service password reset solution where the user logs onto a website and changes their AD password, and everything is just hunky dory… right?

Wrong. Because the next thing the user does is try to log in to their AD-connected laptop with the new password, and it fails.

Why does it fail?

When a Windows machine is not within the domain environment, it uses the most recently used credentials, which it has cached, so a user can still log in. But the user forgot that password and reset it to something new. The self-service solution changed the password on the domain via a web service and did not inform the laptop about it, so the computer still expects the old credentials, which the user forgot.

Why doesn’t self-service update the cached credentials?

Firstly, the user most likely performed the password change in a browser on another machine or mobile phone. Secondly, even if the self-service solution wanted to “tell” the laptop, there is no mechanism to change the cached credentials. No Microsoft API is available, even if the user performed the password change through a Credential Provider installed directly on the laptop.

The only way the laptop's cached credentials will be reset to the new password is when the computer can communicate with the Active Directory domain and the user logs in with their new password. Connecting to the domain allows the Windows logon subsystem to verify the new password and replace the cached credentials.

There is no other way to do this. I know because I tried. There are hacks and ways to use hidden Microsoft APIs, but the fact is, Microsoft does not want anyone to mess with cached credentials, and rightly so.

So how can I solve this problem?

The solution is straightforward. The user must connect to the domain to log into the laptop with their new credentials. You may have heard of a piece of software called a Virtual Private Network; make sure the user has a VPN to log into the network BEFORE logging on to the computer.

Naturally, this needs a solution integrated into the Windows logon so the user can start the VPN before entering the password, because it is during the logon process that the magic happens and the cached credentials are updated.
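To confirm that a logon really went to the domain rather than to the cache, a help desk can check the logon type Windows recorded. The PowerShell below is an added example, not part of the original post or of any LogonBox product; the function name, the `jdoe` account and the sample records are hypothetical.

```powershell
# Added example. Security event 4624 carries a LogonType field:
#    2 = Interactive        (a domain controller checked the password)
#   11 = CachedInteractive  (Windows used the locally cached credentials)
# Local accounts also log type 2, so pass a domain user's name.
function Get-LastLogonValidation {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        # Optional pre-parsed records; when omitted the live Security log is
        # read, which needs an elevated session.
        [object[]] $Records
    )
    if (-not $PSBoundParameters.ContainsKey('Records')) {
        $Records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
            ForEach-Object {
                $fields = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                    $fields[$d.GetAttribute('Name')] = $d.InnerText
                }
                [pscustomobject]@{
                    TimeCreated    = $_.TimeCreated
                    TargetUserName = $fields['TargetUserName']
                    LogonType      = [int]$fields['LogonType']
                }
            }
    }
    # Keep only this user's console logons and take the most recent one.
    $last = $Records |
        Where-Object { $_.TargetUserName -eq $UserName -and $_.LogonType -in 2, 11 } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1
    if (-not $last) { return $null }
    [pscustomobject]@{
        User        = $last.TargetUserName
        When        = $last.TimeCreated
        ValidatedBy = if ($last.LogonType -eq 2) { 'DomainController' } else { 'CachedCredentials' }
    }
}

# Constructed sample records (not real log data): an offline logon, then a
# logon made after the VPN was started from the logon screen.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T08:00:00'; TargetUserName = 'jdoe'; LogonType = 11 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:30:00'; TargetUserName = 'jdoe'; LogonType = 2 }
)
Get-LastLogonValidation -UserName 'jdoe' -Records $sample
```

A result of `CachedCredentials` means that logon never reached the domain, so the cached credentials were not replaced.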

LogonBox provides both components necessary to solve your cached credentials problems. LogonBox SSPR provides a self-service portal with flexible options for users to reset their passwords. And the LogonBox VPN provides a Virtual Private Network solution that the user can start from the Windows logon screen. Integrating both solutions ensures that users always have access to their AD-connected laptops with the right credentials.

So if you need a way to securely manage passwords and get your road warriors connected with their AD-connected laptops again, LogonBox can help. Call us today to learn more about how we can help you!

*** This is a Security Bloggers Network syndicated blog from Journal | LogonBox authored by Journal | LogonBox. Read the original post at: https://www.logonbox.com/content/the-facts-on-self-service-password-reset-and-active-directory-cached-credentials/
