Updating cached password over VPNs

ADSelfService Plus can update local cached credentials stored in users’ machines so remote users can access their machines even if they forget their passwords. 

Cached Credentials Update - How it works

Fig 1: Image showing how a cached credential is updated by the login agent.

  1. ADSelfService Plus places a Reset Password/Account Unlock link on the login screen of Windows, macOS, and Linux machines to enable self-service password reset. Clicking this link will open the password self-service portal. 
  2. Users are required to prove their identity through any one of the enforced authentication methods, like SMS-based one-time passwords (OTPs), email-based OTPs, Google Authenticator, Duo Security, and RSA SecurID.
    Important:
    • Updating cached credentials over VPNs is supported only for Windows.
    • Users must be enrolled in ADSelfService Plus to utilize the self-service password reset and self-service account unlock capabilities.
    • Enrollment is a one-time process where users enter their mobile number and email address, set answers to security questions, and provide other details in ADSelfService Plus in order to register for self-service password management. Learn how to enroll users. 
  3. Once a user’s identity is successfully verified, they will be allowed to reset their forgotten AD domain passwords.     
  4. ADSelfService Plus resets the AD password and alerts the logon agent about the successful completion.
  5. The logon agent establishes a secure connection with AD through a VPN client and initiates a request for updating the local cached credentials.
  6. After the request is successfully approved by AD, the cached credentials are locally updated on the user's machine.
Supported VPN clients:
Configuration Steps:
  1. Navigate to Configuration → Administrative Tools → GINA/Mac/Linux(Ctrl+Alt+Del).
  2. Click Updating Cached Credentials over VPN.
  3. Select Enable VPN settings.
  4. Select the VPN Provider from the drop-down list.
  5. Enter the VPN HostName/IP address and the VPN port number in their respective fields.
  6. Enter the location where the VPN client (Example: C:\Program Files (x86)\Fortinet\FortiClient) is installed on the users' machines.
  7. Here are the client locations for the VPN providers supported out of the box in ADSelfService Plus:
    • Cisco AnyConnect: C:\Program Files (x86)\Cisco\Cisco AnyConnect\vpncli.exe
    • SonicWall Global VPN: C:\Program Files (x86)\SonicWall\SonicWall Global VPN\swgvc.exe
    • Fortinet VPN: The appropriate version of the VPN client file (fortisslvpnclient.exe) must be downloaded from the Fortinet support portal and installed on users' machines. The location where the FortiSSLVPNClient.exe file has been installed must be mentioned as the client location. Example: C:\FortiClient\FortiSSLVPN\x86\FortiSSLVPNClient.exe
    • Check Point VPN: C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.exe
    • SonicWall NetExtender: C:\Program Files (x86)\Sonicwall\SSL-VPN\NetExtender\necli.exe
    • OpenVPN: C:\Program Files (x86)\Sophos\Sophos ssl client\bin\openvpn.exe
    • Cisco IPsec: C:\Program Files (x86)\Cisco\Cisco IPSec\vpnclient.exe
    Note: The VPN client location must be the same on all user machines. If you are using a custom VPN provider, contact the VPN provider's support team to find out the name of its command-line client and enter that executable's location as the client location.
  8. If you want to use a Service Account for VPN connections, select Enable VPN Access via a Service Account and enter the service account's credentials.
    Note: VPN connections are usually made with end-user accounts. You can use a service account for VPN connections if:
    • Your organization has mandated MFA for end-user VPN connections, or
    • Your organization uses a single account for multiple VPN connections.
    Please ensure that the VPN service account does not require MFA in order to connect to the VPN.

    Fig 2: Image depicting the list of supported VPN clients.

  9. For Custom VPN, macros (%user_name%, %password%, etc.) can be used in the VPN Connect/Disconnect Command. (Note: The syntax for the VPN Connect/Disconnect Command varies depending on the VPN provider used.)

    Example: connect -s adsspvpn -h %servername%:%portno% -u %user_name%:%password%
  10. Click Save.
Note: The VPN configuration is pushed to users' machines either during the GINA/Mac/Linux client installation or when the GINA/Mac/Linux scheduler runs.
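As an added example that is not part of this documentation or of ADSelfService Plus itself, the following PowerShell pre-flight check can be run on a Windows endpoint before enabling the feature: it verifies that the VPN client exists at the configured path (which must be identical on every machine), that the VPN gateway port is reachable, and shows how the Custom VPN macros expand with the password masked. The provider, client path, gateway hostname and port are placeholder values.

```powershell
# Added example (not from the ADSelfService Plus documentation): a pre-flight check an admin can
# run on a Windows endpoint before enabling "Updating Cached Credentials over VPN". It checks that
# the VPN CLI client exists at the configured path, that the VPN host/port is reachable, and shows
# how the Custom VPN macros expand with the password masked. Host, port and path are placeholders.
param(
    [string]$Provider        = 'Cisco AnyConnect',
    [string]$ClientPath      = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect\vpncli.exe',
    [string]$VpnHost         = 'vpn.example.com',   # placeholder gateway hostname
    [int]$VpnPort            = 443,
    # Custom VPN command template using the macros shown in the documentation
    [string]$ConnectTemplate = 'connect -s adsspvpn -h %servername%:%portno% -u %user_name%:%password%'
)

# Expand the documented macros into a concrete command line. The password macro is replaced
# with a fixed mask so the result can be logged or displayed without exposing a credential.
function Expand-VpnCommand {
    param([string]$Template, [string]$Server, [int]$Port, [string]$UserName)
    $map = @{
        '%servername%' = $Server
        '%portno%'     = $Port
        '%user_name%'  = $UserName
        '%password%'   = '********'   # never expand the real password into output
    }
    $cmd = $Template
    foreach ($macro in $map.Keys) { $cmd = $cmd.Replace($macro, [string]$map[$macro]) }
    # Any macro still present after expansion is a typo in the template; report it.
    $leftover = [regex]::Matches($cmd, '%[A-Za-z_]+%') | ForEach-Object { $_.Value }
    return [pscustomobject]@{ Command = $cmd; UnexpandedMacros = @($leftover) }
}

$result = [ordered]@{ Provider = $Provider }

# 1. The client must sit at the same path on every machine the logon agent is deployed to.
$result['ClientPresent'] = Test-Path -LiteralPath $ClientPath -PathType Leaf

# 2. The logon agent can only update cached credentials if the VPN gateway is reachable.
$probe = Test-NetConnection -ComputerName $VpnHost -Port $VpnPort -WarningAction SilentlyContinue
$result['GatewayReachable'] = [bool]$probe.TcpTestSucceeded

# 3. Show the expanded Custom VPN command (password masked) and flag unexpanded macros.
$expanded = Expand-VpnCommand -Template $ConnectTemplate -Server $VpnHost -Port $VpnPort -UserName $env:USERNAME
$result['ConnectCommand']   = $expanded.Command
$result['UnexpandedMacros'] = ($expanded.UnexpandedMacros -join ', ')

[pscustomobject]$result | Format-List
```

Run it once per endpoint image before rollout; a `ClientPresent` of False on any machine means the client location note above is not satisfied, and a non-empty `UnexpandedMacros` means the custom command template contains a macro the agent will not substitute.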

Copyright © 2024, ZOHO Corp. All Rights Reserved.