0 votes

Hi there,

we are already successfully using the password self service via webinterface for our ad domain users. In addition to this are we in the testing phase of the password self service reset for Windows, which also changes the local cached domain password of the user on the Windows client. Unfortunately we are hitting an obstacle concerning our VPN software, which relies on a user certifate and username/password:

As I found out Windows is securing access to different kind of data through encrypting it with so called masterkeys. The encryption is done with the current user password, you can read that in detail here: https://support.microsoft.com/en-us/topic/bf374083-626f-3446-2a9d-3f6077723a60

So here is the problem: Once you change your domain password via Adaxes password self service those masterkeys get inaccessable and for domain-joined clients the builtin workflow would now contact the AD domain controller in order to get a backup key, create a new masterkey and encrypt them with the "new" password. Unfortunately the idea behind the self-service software is that there is no direct connection to the domain and in our case the VPN client, which could establish a connection to the AD, relies on the access to the user certificate and its private key. But the private key is not accessible because of the logic explained above. So at the end we have a Windows client where the user is able to login but can only establish VPN after he contacted the AD through another way e.g. beeing onsite or a secondary VPN client without certifcate authentication, which is both not favourable.

I think every function in this interaction works as exptected and there is no bug that I am reporting here. I just wanted to ask if anybody else had/has the same problem and maybe can report how they solved it.

Thanks in advance.

by (20 points)
0

Hello - Yes, we have found this an issue too, especailly with the rise of WFH.

1 Answer

0 votes
by (287k points)

Hello,

This is an expected behaviour and you are right that each software works exactly as expected. Unfortunately, there is no possibility to change this behavior. The only thing you can do is establish AD connection exactly as you mentioned.

Related questions

0 votes
1 answer

We need to know specifically for self service password management what level of access in AD do I specifically need.

asked May 9 by justinspring (20 points)
0 votes
1 answer

We have two on-prem domains; Domain A and Domain B. Domain A is our primary domain and syncs with Azure AD. Domain B contains accounts created for external ... user attempts to authenticate, they are only authenticating against the Domain B on-prem domain?

asked Apr 10 by awooten (80 points)
0 votes
0 answers

Good afternoon, As our environment has grown we are spending effort to build out security roles for different departments. I would like to grant the IT department access to ... to the "Configuration Objects" but that didn't get the necessary access Thanks!

asked Jun 28, 2016 by strikk (360 points)
0 votes
1 answer

would like to know the method to provide a button to security Q&A reset for enrolled users to Adaxes Admins via Web UI

asked Mar 21, 2023 by Vish539 (400 points)
0 votes
0 answers

Hi Evryone, I am trying to set up an external portal within a new webserver on dmz, and with only access to a webservice created from selfservice. The new webservice is only ... login, only reset password. What I am mising there that its not working? Thanks,

asked Nov 26, 2021 by yagoityd (20 points)
3,526 questions
3,217 answers
8,197 comments
547,625 users