Updating Windows cached credentials

When users in an AD environment log into their Windows machines from within the organizational network, their login details are saved in the local cache on their machines. This allows them to log in again with their Windows password even if they are away from the corporate network, as the credentials will be verified against their local cache instead of AD. However, if they forget their password or their cached password expires while users are not connected to the corporate network, they will neither be able to log in nor receive prompts to update their passwords. Even if their admin resets their password remotely, it will not get synced with the cache when the machine is away from the organizational network, and the users will be locked out.

ADSelfService Plus solves this by adding a Reset Password/Unlock Account link directly to the Windows login screen. To reset their passwords, users click the link and prove their identity through one of the enforced authentication methods, such as hardware and software tokens, biometric authentication, or push authentication. Once a user's identity is successfully verified, they are allowed to reset their forgotten or expired AD domain password.

Important:
  • The ADSelfService Plus Windows Login Agent is required for this feature to work. You can find steps to install the agent here.
  • Updating cached credentials is supported only for Windows.
  • Users must be enrolled in ADSelfService Plus to utilize the self-service password reset and self-service account unlock capabilities.
  • Enrollment is a one-time process where users enter their mobile number and email address, set answers to security questions, or provide other details in ADSelfService Plus in order to register for self-service password management. Learn how to enroll users.

Updating the local cached credentials on Windows machines can be achieved:

  1. Through a VPN client
  2. Without using a VPN

Updating cached credentials through a VPN client

The ADSelfService Plus login agent uses a command-line interface (CLI) to initiate a connection with the integrated VPN. Any VPN provider that supports a CLI with LocalSystem account privileges can be used for cached credentials update. These VPN CLI commands will be used by ADSelfService Plus to automatically connect to AD during the Password Reset and Cached Credential Update operations.

Supported VPN clients

Process flow

If Update cached credentials through a VPN client is enabled, the update proceeds as follows:

Cached Credentials Update - How it works
  1. The user's identity is verified through MFA, and the reset password request is sent to ADSelfService Plus, which updates the new password in AD.
  2. The new password is sent to the Windows Login Agent on the user's machine.
  3. The login agent automatically establishes a secure connection with AD using the configured VPN connection commands and sends a request to update the local cached credentials.
  4. AD approves the request, and the cached credentials are automatically updated in the local cache on the user's Windows machine.

Configuring cached credential update through a VPN

Prerequisites

Configuration steps

  1. Log into ADSelfService Plus with administrator credentials.
  2. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del).
  3. Click Windows Cached Credential Update.
  [Image: the Windows Cached Credential Update page, listing the supported VPN clients]

  4. Set the toggle button to Enable Cached Credential Update.
  5. Select Update cached credentials through a VPN client.
  6. Select the VPN Provider from the drop-down list.
  7. Enter the VPN Hostname/IP address and VPN Port Number in their respective fields.
  8. In the VPN Client Path field, enter the full path to where the VPN client is installed on the users' machines. For example,
    C:\Program Files\Fortinet\FortiClient\FortiClient.exe
  9. If you want to use a service account for VPN connections, select Enable VPN Access via a Service Account and enter the service account's credentials.
  10. Here are the client locations for the VPN providers supported out of the box in ADSelfService Plus:

    • Cisco AnyConnect: C:\Program Files (x86)\Cisco\Cisco AnyConnect\vpncli.exe
    • SonicWall Global VPN: C:\Program Files (x86)\SonicWall\SonicWall Global VPN\swgvc.exe
    • Fortinet VPN: The appropriate version of the VPN client file (FortiSSLVPNClient.exe) must be downloaded from the Fortinet support portal and installed on users' machines. To download the VPN client file (FortiSSLVPNClient.exe), log into the Fortinet support portal and navigate to Firmware Downloads > FortiClient > select_your_VPN_version > FortinetClientTools.zip. Click on HTTPS to download the ZIP file. Unzip and extract the FortiSSLVPNClient.exe file (you can find it within the SSLVPNcmdline folder) to a location accessible to the ADSelfService Plus Windows Login Agent. The location where the FortiSSLVPNClient.exe file has been installed must be entered as the VPN Client Path. Example:
      C:\FortiClient\FortiSSLVPN\x86\FortiSSLVPNClient.exe
    • Check Point VPN: C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.exe
    • SonicWall NetExtender: C:\Program Files (x86)\Sonicwall\SSL-VPN\NetExtender\necli.exe
    • OpenVPN: C:\Program Files (x86)\Sophos\Sophos ssl client\bin\openvpn.exe
    • Cisco IPSec: C:\Program Files (x86)\Cisco\Cisco IPSec\vpnclient.exe

    The VPN client location must be the same on all user machines. If you use a custom VPN provider, contact the provider's support team for the name of its command-line client and enter that client's location as the VPN Client Path.

    For Custom VPN, macros (%user_name%, %password%, etc.) can be used in the VPN Connect/Disconnect Command. (Note: The syntax for the VPN Connect/Disconnect Command varies depending on the VPN provider used.)

    Example: connect -s adsspvpn -h %servername%:%portno% -u %user_name%:%password%

  11. Click Save.
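To show how a Custom VPN command template with these macros can be expanded safely, here is an added example (not ADSelfService Plus code): every argument is expanded on its own, so the password value cannot alter the argument boundaries, and the password is masked before the command line is logged. The macro set, the function names and the sample values are assumptions.

```python
import re

MACRO = re.compile(r"%([A-Za-z_]+)%")
# Macro names are the ones in the page's example command; the full set is an assumption
KNOWN_MACROS = {"servername", "portno", "user_name", "password"}
SECRET_MACROS = {"password"}

def macro_problems(template: str, values: dict) -> list:
    """List what would stop the template from expanding: unknown or unvalued macros."""
    used = set(MACRO.findall(template))
    problems = [f"unsupported macro %{m}%" for m in sorted(used - KNOWN_MACROS)]
    problems += [f"no value for %{m}%" for m in sorted((used & KNOWN_MACROS) - set(values))]
    return problems

def expand_vpn_command(template: str, values: dict) -> list:
    """Expand %macro% tokens and return an argv list for a no-shell process launch.

    Each whitespace-separated token is expanded separately, so a password that
    contains spaces or quotes stays inside one argument instead of splitting
    into several.
    """
    problems = macro_problems(template, values)
    if problems:
        raise ValueError("; ".join(problems))
    return [MACRO.sub(lambda m: str(values[m.group(1)]), tok) for tok in template.split()]

def loggable_command(template: str, values: dict) -> str:
    """Same expansion with secret macros masked, so the line can be written to a log."""
    masked = {k: ("***" if k in SECRET_MACROS else v) for k, v in values.items()}
    return " ".join(expand_vpn_command(template, masked))

# The connect template is the page's example; the disconnect template is an assumption
CONNECT = "connect -s adsspvpn -h %servername%:%portno% -u %user_name%:%password%"
DISCONNECT = "disconnect -s adsspvpn"

if __name__ == "__main__":
    creds = {"servername": "vpn.example.com", "portno": 443,
             "user_name": "jdoe", "password": "p@ss word"}  # constructed sample values
    print(expand_vpn_command(CONNECT, creds))
    print(loggable_command(CONNECT, creds))
```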

VPN provider-specific settings

These are settings specific to VPN providers that let admins have granular control over the VPN connections. The provider-specific settings for VPNs supported by ADSelfService Plus are outlined below.

Fortinet

Cisco AnyConnect VPN

Windows Native VPN

OpenVPN

Note: After the new password has been updated in the cache, the VPN is disconnected and the temporary file is deleted automatically, protecting the user account's credentials.

Custom VPN

VPN Macros available in ADSelfService Plus

Note: All sensitive information like the service account's credentials or the pre-shared key used for Windows Native VPN will be stored in the ADSelfService Plus database as an encrypted string, which will be sent to the Windows login agents dynamically when requested. It can be decrypted only by a valid Windows login agent.

The VPN connection established will be disconnected automatically after updating the cache with the new password, thus ensuring that the VPN connection is not misused to access any resource.

Updating cached credentials without a VPN client

Cached credentials can be updated without a VPN if your organization does not have VPN infrastructure or uses a VPN vendor not supported by ADSelfService Plus.

Process flow

If Update Cached Credentials without a VPN client is enabled, the update proceeds as follows:

[Image: process flow for updating cached credentials without a VPN]

  1. The user's identity is verified through MFA and the Reset Password request is sent to ADSelfService Plus, which updates the new password in AD.
  2. After the new password is updated in AD, the local cache on users' machines is automatically updated with the new password.

Configuration steps

  1. Log into ADSelfService Plus with administrator credentials.
  2. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del).
  3. Click Windows Cached Credential Update.
  [Image: the Windows Cached Credential Update page configured without a VPN client]

  4. Set the toggle button to Enable Cached Credential Update.
  5. Select Update cached credentials without a VPN client.
  6. Click Save.

Note: If both options (updating Windows cached credentials through as well as without a VPN client) are enabled, an update through the VPN is attempted first. If that fails, the cached credentials update is attempted without a VPN.

Updating the cache without connecting to AD through a VPN has limitations that affect how applications retrieve data protected with DPAPI. Affected data includes saved passwords and form auto-completion data in browsers such as Internet Explorer, Yandex, and Google Chrome; network passwords stored in Credential Manager; and private keys for Encrypting File System (EFS) and for SSL/TLS in Internet Information Services.

For instance, passwords that are saved on the Chrome browser are stored and retrieved using DPAPI, which requires the client to have connected to AD while updating the cached password. If the cache is updated without a VPN connection to AD, Chrome will not be able to retrieve the stored user information until the machine next connects to AD.
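The following added example (not ADSelfService Plus code) is a simplified model of the failure mode just described: the user's DPAPI master key is wrapped under a key derived from the logon password, a cache-only reset changes only the cached logon verifier, and the wrapped key is repaired either by a reset performed with AD reachable or at the next AD connection. The wrapping scheme, the verifier and the domain backup are stand-ins, not the real DPAPI master key format.

```python
import hashlib
import hmac
import os

SALT = b"constructed-masterkey-salt"  # toy constant; Windows keeps a per-file salt

def _kek(password: str, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000, length)

def wrap_key(password: str, master_key: bytes) -> bytes:
    """Toy wrap of the master key: HMAC tag + XOR with a password-derived key."""
    kek = _kek(password, len(master_key))
    body = bytes(a ^ b for a, b in zip(master_key, kek))
    return hmac.new(kek, body, "sha256").digest() + body

def unwrap_key(password: str, blob: bytes):
    """Return the master key, or None when the password does not match the wrap."""
    tag, body = blob[:32], blob[32:]
    kek = _kek(password, len(body))
    if not hmac.compare_digest(tag, hmac.new(kek, body, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, kek))

def _verifier(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # stand-in for the cached logon verifier

class Workstation:
    """Cached logon verifier plus the user's wrapped DPAPI master key (simplified model)."""
    def __init__(self, password: str):
        self.master_key = os.urandom(32)      # protects Chrome, EFS and Credential Manager secrets
        self.domain_backup = self.master_key  # stand-in for the master key backup held by the domain
        self.verifier = _verifier(password)
        self.wrapped = wrap_key(password, self.master_key)
    def cached_logon_ok(self, password: str) -> bool:
        return hmac.compare_digest(self.verifier, _verifier(password))
    def dpapi_ok(self, password: str) -> bool:
        """True when secrets protected by the master key are readable at this logon."""
        return unwrap_key(password, self.wrapped) == self.master_key
    def reset_without_vpn(self, new_password: str) -> None:
        # Cache-only update: the verifier changes, the master key stays wrapped under the old password
        self.verifier = _verifier(new_password)
    def reset_through_vpn(self, old_password: str, new_password: str) -> None:
        # AD reachable during the change: the master key is re-wrapped under the new password as well
        self.wrapped = wrap_key(new_password, unwrap_key(old_password, self.wrapped))
        self.verifier = _verifier(new_password)
    def next_ad_connection(self, password: str) -> None:
        # Once AD is reachable again the master key is recovered from the backup and re-wrapped
        if unwrap_key(password, self.wrapped) is None:
            self.wrapped = wrap_key(password, self.domain_backup)
```

Running the model through the two reset paths shows the difference the note above describes: after reset_without_vpn the new password logs on but dpapi_ok stays False until next_ad_connection, while reset_through_vpn leaves both True immediately.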

We recommend that you choose the Update cached credentials without a VPN client option only if your organization does not have a VPN provider supported by ADSelfService Plus for cached credential update.

Updating Cached Credentials without a VPN is supported only on Windows servers running Windows Server 2008 R2 and later, and on Windows clients running Windows 7 and later.

Copyright © 2024, ZOHO Corp. All Rights Reserved.