Archive for the 'PeoplePassword' Category

Active Directory management built for MSPs

We have been getting a ton of traffic lately from MSPs that are becoming more and more frustrated with managing data and accounts in Active Directory and with the operational cost of this menial task. Most of these administrators have toyed with the idea of building their own web applications to delegate the work out to their customers, but cannot find the time.

The MSPs that do eventually break down and look for existing tools find them overly complicated for their needs and priced for enterprises (a per-user model) rather than for MSPs.

We have been hit over the head too many times not to make an attempt to satisfy MSPs' needs, so WebAD now provides tools specific to the MSP market, priced at a low fixed monthly rate.

Call us to learn more about this offering for MSPs and let us show you how we can meet your Active Directory account and data management needs at a price that meets your expectations. You may also ask us how some MSPs are turning our tools into a revenue source as well!

Call me at +1 (800)747-3565 or email me at Steve.denney@webactivedirectory.com for more information.

Windows Active Directory Cached User Credentials

We get questions about Active Directory credential caching quite often from customers and prospects. Since we provide Active Directory solutions, one might expect us to have insight into how AD credentials are cached in Windows, but the caching mechanism is a function of the Windows client, not of the domain controller. Below we look at some best practices to avoid account lockouts when cached credentials and AD credentials fall out of sync.

Understanding cached credentials is particularly important when working with remote users in an SSPR (self-service password reset) scenario. Basically, this scenario, supported with solutions like Web Active Directory's PeoplePassword product, occurs when users who don't regularly log directly into a domain and authenticate against a domain controller forget their Windows password. This includes VPN-connected users as well as users who rely on resources like portals that store user credentials in AD. The important part here is that the user is not authenticating directly against a Windows domain controller. An SSPR solution resets the AD credentials but does nothing to the cached credentials on the client machine.

Windows Credential Caching

SSPR solutions typically allow a user to easily reset her Active Directory password. This is great when a user is authenticating directly against a domain controller but not so good when a user, especially a remote user, is logging onto a machine or a VPN connection using Windows cached credentials.

What are Cached Credentials?

Cached credentials allow a user to access machine resources when a domain controller is unavailable.

After a successful domain logon, a form of the logon information is cached. Later, a user can log on to the computer by using the domain account, even if the domain controller that authenticated the user is unavailable. Because the user has already been authenticated, Windows uses the cached credentials to log the user on locally. For example, suppose a mobile user uses a domain account to log on to a laptop that is joined to a domain. Then, the user takes the laptop to a location where the domain is unavailable. In this scenario, Windows uses the cached credentials from the last logon to log the user on locally and to allocate access to local computer resources.

From http://support.microsoft.com/kb/913485

What is the Issue with Cached Credentials?

So cached credentials allow users to access a machine even when no DC is available to authenticate the user. Great! And since AD passwords generally change only every 30-90 days, this is a fantastic way to provide a good user experience in a highly mobile environment. That is, until the AD credentials and the cached credentials fall out of sync. Then all kinds of problems can occur when the user tries to reach domain resources, and the main one is repeated account lockouts: a user who logged on against the stale cache has a Windows session that still holds the old password, and every attempt that session makes to authenticate to a domain controller (mapped drives, Outlook, a VPN reconnect, saved credentials) presents that old password, increments the bad-password count and eventually trips the lockout threshold.
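The first thing a practitioner wants when this happens is proof that the lockout is coming from a stale client and not from someone guessing passwords. As an added example (not part of the original post and not code from any Web Active Directory product), the Python below walks a handful of Security-log entries of the kind a domain controller records: Event ID 4776 (NTLM credential validation, where error code 0xC000006A means a wrong password and 0xC0000234 means the account is already locked) and Event ID 4740 (account locked out, which names the Caller Computer Name). The event messages, account names and host names are constructed for the example; in practice you would feed it the message text exported from the DC's Security log.

```python
import re
from collections import Counter, defaultdict

STATUS_WRONG_PASSWORD = "0xC000006A"   # STATUS_WRONG_PASSWORD
STATUS_ACCOUNT_LOCKED = "0xC0000234"   # STATUS_ACCOUNT_LOCKED_OUT


def ntlm_validation(account, workstation, code):
    """Build a constructed Event ID 4776 message in the layout a DC writes."""
    return (4776, "The computer attempted to validate the credentials for an account.\n"
                  "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
                  f"Logon Account: {account}\n"
                  f"Source Workstation: {workstation}\n"
                  f"Error Code: {code}")


# Constructed Event ID 4740 message (made-up SIDs and names, not real log data).
LOCKOUT_MESSAGE = (
    "A user account was locked out.\n"
    "Subject:\n"
    "  Security ID: S-1-5-18\n"
    "  Account Name: DC01$\n"
    "  Account Domain: CORP\n"
    "  Logon ID: 0x3E7\n"
    "Account That Was Locked Out:\n"
    "  Security ID: S-1-5-21-1111-2222-3333-1105\n"
    "  Account Name: jdoe\n"
    "Additional Information:\n"
    "  Caller Computer Name: LAPTOP-JDOE"
)

# Five bad passwords for jdoe from one laptop, one stray bad password for msmith,
# then jdoe's lockout: the pattern a stale cached logon produces.
SAMPLE_EVENTS = (
    [ntlm_validation("jdoe", "LAPTOP-JDOE", STATUS_WRONG_PASSWORD)] * 5
    + [ntlm_validation("msmith", "WS-042", STATUS_WRONG_PASSWORD),
       ntlm_validation("jdoe", "LAPTOP-JDOE", STATUS_ACCOUNT_LOCKED),
       (4740, LOCKOUT_MESSAGE)]
)

# "Key: value" lines; [ \t]* (not \s*) after the colon so a bare "Subject:" line
# does not swallow the indented line that follows it.
FIELD = re.compile(r"^\s*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.M)


def parse_fields(message):
    """Dict of the message's fields. Later keys overwrite earlier ones, so in a 4740
    entry 'Account Name' ends up as the locked-out account, not the Subject."""
    return {k.strip(): v for k, v in FIELD.findall(message)}


def triage(events):
    """Per account: which workstations sent wrong passwords, and who caused the lockout."""
    bad_by_source = defaultdict(Counter)
    lockout_caller = {}
    for event_id, message in events:
        f = parse_fields(message)
        if event_id == 4776 and f.get("Error Code") == STATUS_WRONG_PASSWORD:
            bad_by_source[f["Logon Account"]][f["Source Workstation"]] += 1
        elif event_id == 4740:
            lockout_caller[f["Account Name"]] = f["Caller Computer Name"]
    return bad_by_source, lockout_caller


def stale_credential_suspects(events):
    """Accounts whose lockout caller is also their top bad-password source: the
    signature of a client still presenting an old password after a reset.
    Returns {account: (workstation, bad_password_count)}."""
    bad_by_source, lockout_caller = triage(events)
    suspects = {}
    for account, caller in lockout_caller.items():
        sources = bad_by_source.get(account, Counter())
        if sources and sources.most_common(1)[0][0] == caller:
            suspects[account] = (caller, sources[caller])
    return suspects


if __name__ == "__main__":
    for account, (host, n) in stale_credential_suspects(SAMPLE_EVENTS).items():
        print(f"{account}: {n} wrong passwords from {host}, which also triggered the lockout")
```

If the top bad-password source is a different machine from the one named in the 4740 event, or the sources are spread across many hosts, treat it as a possible password-guessing attempt rather than a cache problem.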

What’s the Best Way to Handle Credential Synchronization Issues?

First and foremost, nothing on the server side, neither Active Directory nor an SSPR product, can update the cached credentials on a client when an AD password is reset. Yes, this sounds like a bummer, but it's actually a good thing. Check out the following excerpt for an explanation.

Security of cached domain credentials

The term cached credentials does not accurately describe how Windows caches logon information for domain logons. In Windows 2000 and in later versions of Windows, the username and password are not cached. Instead, the system stores an encrypted verifier of the password. This verifier is a salted MD4 hash that is computed two times. The double computation effectively makes the verifier a hash of the hash of the user password. This behavior is unlike the behavior of Microsoft Windows NT 4.0 and earlier versions of Windows NT. 

If an attacker tries to conduct a cryptanalytic attack on the verifier, this encryption has two consequences:

  • A precompiled table must be created for each salt.
  • The verifier cannot be used to log on anywhere else.

From http://support.microsoft.com/kb/913485

This is good. It means that an attacker who reads the "cached credentials" on a client machine does not obtain anything that logs on elsewhere: no password and no NT hash is stored, only a salted verifier derived from the hash, so it cannot be replayed against a domain controller the way a raw NT hash can. Two caveats are worth keeping in mind. On Windows Vista and later the stored verifier is additionally stretched with PBKDF2 (the form usually called DCC2 or MS-Cache v2), which makes guessing slower but not impossible: anyone with administrative or SYSTEM rights on the client can extract the verifiers from the SECURITY hive and run an offline dictionary attack, so a weak domain password is still recoverable from a stolen laptop. The verifier protects against replay, not against bad passwords, which is one more reason to pair SSPR with a sensible password policy and to limit how many logons a machine caches (the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, 10 by default).
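To make the quoted description concrete, here is an added Python example (not code from the original post, from Microsoft or from any Web Active Directory product) that computes the verifier the KB describes, MD4 of the NT hash concatenated with the lowercase username (the form known as DCC or MS-Cache v1), and the stretched form Windows Vista and later store, PBKDF2-HMAC-SHA1 over that value with 10240 iterations (DCC2). MD4 is implemented inline from RFC 1320 because the OpenSSL builds behind recent Python releases often disable it. The usernames, passwords and wordlist are made up for the example. The last function shows why a verifier must still be treated as sensitive even though it cannot be replayed: a weak password can be guessed offline without ever touching a domain controller or a lockout counter.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python, since OpenSSL-backed hashlib often lacks it)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for f, order, shifts, k in rounds:
            for i in range(16):
                t = (-i) % 4  # register updated this step: a, d, c, b, a, ...
                x, y, z = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
                s[t] = _rotl((s[t] + f(x, y, z) + X[order[i]] + k) & MASK32, shifts[i % 4])
        state = [(u + v) & MASK32 for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 of the UTF-16LE password. This is what pass-the-hash replays."""
    return md4(password.encode("utf-16-le"))


def dcc1(username: str, password: str) -> bytes:
    """Verifier as the KB describes it: MD4 of the NT hash salted with the lowercase
    username, i.e. a hash of the hash. Username case does not matter."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    """Vista-and-later verifier: PBKDF2-HMAC-SHA1 over the DCC1 value with the same
    username salt, 16-byte output. 10240 is the Windows default iteration count."""
    salt = username.lower().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(username, password), salt, iterations, 16)


def guess_offline(username: str, verifier: bytes, wordlist, iterations: int = 10240):
    """Dictionary attack on a verifier taken from a client: no DC is contacted and no
    lockout counter moves. Returns the matching password, or None."""
    for candidate in wordlist:
        if dcc2(username, candidate, iterations) == verifier:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed example: a verifier for jdoe with a weak password, then a tiny wordlist.
    stolen = dcc2("jdoe", "Summer2011")
    print("DCC2 verifier:", stolen.hex())
    print("recovered:", guess_offline("jdoe", stolen, ["password", "Welcome1", "Summer2011"]))
```

The salt is the reason the KB says a precomputed table is needed per user: two users with the same password get different verifiers, and the same user gets the same verifier on every machine, which is also why a stolen verifier for one user tells an attacker nothing about another.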

What Tools Can I Use to Reset Cached Credentials?

But what happens if I am a trusted system like Active Directory or an SSPR product and I want to update the cached credentials to match the AD credentials? Microsoft says it best.

Important

There are no tools or utilities from Microsoft to update cached credentials. This is by design. Only cached validated domain logons are stored as cached credentials.

From http://support.microsoft.com/kb/818088

So there are no tools from Microsoft to do this. We have never seen a reputable commercial tool that does it either, and we can pretty much guarantee there will not be one, because writing a new verifier into the cache without a validated domain logon is exactly what the design forbids. There are probably hacker tools out there that attempt it, but you do not want to deploy those from your enterprise's IT shop. So the core issue remains: how to prevent account lockouts for remote clients when the AD password is changed and the locally cached credentials are not.

Best Practices and User Education to the Rescue

The final solution in this scenario is to ensure that your users are properly educated about how to log on to their computer or over VPN after changing or resetting an AD password. In PeoplePassword, you can customize the page that displays after users change or reset their AD password and tell the user the best ways to log on after the change or reset. There are two options to consider here based upon whether a user is actively connected to an AD domain or not.

Note (Posted on August 15, 2011, and many thanks to Christopher Lowde for the insight): With both options, the best practice to force a refresh of the local password cache is to lock and unlock your screen. After resetting or changing an AD password, immediately lock the workstation and unlock it with the new password; the unlock is a real logon, and when a domain controller is reachable (for example, with the VPN connected) it is validated by the DC and the local cache is updated. If no DC is reachable at that moment, the unlock is validated against the stale cache instead, the old password still works and nothing is refreshed, so make sure the connection is up first. This is an easy method to convey to your users, and the Ctrl + Alt + Del sequence is one they already know.

Option 1: Log on Without Automatically Using Windows Name and Password (Users Not Connected to a Domain)

Have your non-domain-connected users uncheck the Automatically use my Windows logon name and password option in the connection's authentication settings. Per the Microsoft article below, with that option turned off the changed domain password is synchronized with the cached credentials.

Problem: You cannot log on after you correctly change your logon credentials

This problem occurs because the new domain password is not synchronized with the password of the cached credentials. When you log off and then log on again without a network connection to the domain, you cannot access the workstation. If you turn off the Automatically use my Windows logon name and password option, the changed domain password is synchronized with the cached credentials. Therefore, you can log on.

From http://support.microsoft.com/kb/829652

Check out the Microsoft Knowledge Base article entitled Configure identity authentication and data encryption settings for setting more options with automatic logon credentials.

Option 2: Log On to the Domain with a New Password (Domain-connected Users)

Use this option for domain-connected users who can authenticate against a domain controller.

Problem: You cannot log on to a computer that is using cached credentials after you change your password by using a domain controller

When you successfully log on to a domain with a domain user account, your domain logon credentials are cached locally on your computer. If you then disconnect that computer from the network and log on, you are logged on with the cached credentials for the domain. 

When you log on to the domain and are prompted to change your password, your cached domain logon credentials are not updated until you successfully log on to the domain with the new password. After you have successfully logged on to the domain with the new password, your cached domain credentials are updated, and you can then log on to the computer when you are disconnected from the domain.

From http://support.microsoft.com/kb/818088

Conclusion

A mismatch between the AD password and the locally cached credentials can cause Windows account lockouts and other problems for remotely connected domain users. Comment and let us know your best practices for dealing with this situation in your Active Directory environment.

Manage Windows Active Directory Passwords for a Distributed Workforce

In times past, every worker in your enterprise had to use a locally connected computer to log in to the Windows network and authenticate against Active Directory. We have since moved past that to connecting over VPN or even the open Internet to log into the Windows environment.

What does this mean for your Windows and Active Directory passwords? How do users know it’s time to change their expiring passwords? What if your users are not notified that their passwords are expiring because they never log in to a domain computer? Are you producing more help desk calls by having a distributed workforce?

There is an answer to help your users manage their passwords. Web Active Directory offers solutions that send password expiration reminders by email and allow users to reset their Windows passwords without connecting to the domain. These solutions let you manage your domain for your internal network while still serving your external users.

Check out PeoplePassword to allow users to change their password and look at PeopleMinder to help remind users that their Windows password will expire soon…even if the users never log into your Windows network! You will engage your off-site users and decrease your help desk calls.

Web Active Directory released new pricing for its Suite of Active Directory Management solutions

If you have been to our website in the last few months, you will have noticed that we started publishing the pricing for our solutions. Since then, we have taken many steps toward making it easier for enterprises of all sizes to evaluate, implement and purchase our Active Directory solutions.

In another step toward that goal, we have published a new and much simpler per-user pricing model that includes monthly subscription pricing. We feel subscription pricing will give our small to medium-sized enterprise customers the ability to purchase our award-winning solutions without a large outlay of cash. In addition to the new subscription pricing, we have added an unlimited site license for enterprises at the other end of the spectrum. This way, very large enterprises can purchase a perpetual license and never have to worry about "truing up" every year on the number of seats or users they have added or removed.

Very simple and very different.

We would love to hear your feedback on the new pricing model and we look forward to working with you!

For more information contact us at www.webactivedirectory.com, or call us at (+1) 800-747-3565

Top 3 issues with Identity Management and Active Directory

Web Active Directory has been in the identity management business for over 6 years now, and the one thing we have learned in that time is that there are three critical areas that solutions such as ours must adhere to. They are:

  1. Security
  2. Security
  3. Security

We hear you loud and clear. That is why we have built our solutions, PeoplePassword and PeopleUpdate, to securely delegate repetitive and costly tasks to end users and business owners. However, we have not stopped there. Coming soon is our new and improved role-based access control (RBAC) on a new, robust platform that will enable customized RBAC for searching, updating and provisioning Active Directory objects. Additionally, we have added Microsoft Windows Workflow 4 and PowerShell 2.0 so that the business-process rules around the way you do business can be completely automated and customized. No longer will you have to conform your business process to the software; the software will work with your business process. What a concept, eh!

To learn more about the new platform and when it will be available, or to sign up for our beta program, fill out the following form and we will put you on our notification list. 

In the meantime, please visit our website at www.webactivedirectory.com, or call us toll free at +1-800-747-3565

Auto Enrollment for Windows Self-Service Password Reset

When we first launched our self-service password reset solution, PeoplePassword, one of the questions we received early on was how customers could use their own HR or student database to pre-enroll their users. This would let them auto-enroll users with questions and answers the users would already know from their own personal information, such as date of birth, employee number or student number.

We are pleased to announce that our engineers came up with exactly that: a data import utility that can use your existing data to pre-enroll users. It is available to all existing PeoplePassword customers, and as an add-on feature for new customers. Please let us know if you would like a live demo of PeoplePassword and whether this new utility would help your organization deploy a self-service password reset tool more efficiently.

For more information contact us at www.webactivedirectory.com, or call us at (+1) 800-747-3565

Active Directory Password Expiration Notification

I’ve been in organizations where employees worked remotely, either on their own computers or connected over VPN only periodically. I’ve also been a consultant who used my own laptop on a corporate domain without the laptop being a member of the domain. The problem with these users (and I’ve been one) is that they never receive notification that their password is about to expire; inevitably the password expires, and the only way back into the domain is to call the help desk and have the password set, since users coming in over VPN cannot reset it themselves. There are a couple of ways to deal with this.

  • Use PeoplePassword to allow end users to have self service password reset so they can fix their own password issues when they occur
  • Use PeoplePassword and PeopleMinder to send users email notification that their password is going to expire prior to it actually expiring and allow users to change their password prior

Contact Web Active Directory LLC and let us know how we can help.

www.webactivedirectory.com

Web Active Directory is at the Texas Computer Education Association (TCEA) 2010

We are at booth 206 of the 2010 TCEA show in Austin, Texas. Please come by and see a demo of PeopleUpdate and PeoplePassword as we show the Texas education community that there is an easier way to manage Active Directory.

  • Update Active Directory information
  • Self Service Password reset
  • Active Directory reporting
  • Active Directory Group Management

Come see us at booth 206.  We will be here until Friday!

www.webactivedirectory.com
