0 votes

Hi there,

we are already successfully using the password self service via webinterface for our ad domain users. In addition to this are we in the testing phase of the password self service reset for Windows, which also changes the local cached domain password of the user on the Windows client. Unfortunately we are hitting an obstacle concerning our VPN software, which relies on a user certifate and username/password:

As I found out Windows is securing access to different kind of data through encrypting it with so called masterkeys. The encryption is done with the current user password, you can read that in detail here: https://support.microsoft.com/en-us/topic/bf374083-626f-3446-2a9d-3f6077723a60

So here is the problem: Once you change your domain password via Adaxes password self service those masterkeys get inaccessable and for domain-joined clients the builtin workflow would now contact the AD domain controller in order to get a backup key, create a new masterkey and encrypt them with the "new" password. Unfortunately the idea behind the self-service software is that there is no direct connection to the domain and in our case the VPN client, which could establish a connection to the AD, relies on the access to the user certificate and its private key. But the private key is not accessible because of the logic explained above. So at the end we have a Windows client where the user is able to login but can only establish VPN after he contacted the AD through another way e.g. beeing onsite or a secondary VPN client without certifcate authentication, which is both not favourable.

I think every function in this interaction works as exptected and there is no bug that I am reporting here. I just wanted to ask if anybody else had/has the same problem and maybe can report how they solved it.

Thanks in advance.

by (20 points)

1 Answer

0 votes
by (236k points)


This is an expected behaviour and you are right that each software works exactly as expected. Unfortunately, there is no possibility to change this behavior. The only thing you can do is establish AD connection exactly as you mentioned.

Related questions

0 votes
0 answers

Good afternoon, As our environment has grown we are spending effort to build out security roles for different departments. I would like to grant the IT department access to ... to the "Configuration Objects" but that didn't get the necessary access Thanks!

asked Jun 28, 2016 by strikk (360 points)
0 votes
0 answers

Hi Evryone, I am trying to set up an external portal within a new webserver on dmz, and with only access to a webservice created from selfservice. The new webservice is only ... login, only reset password. What I am mising there that its not working? Thanks,

asked Nov 26, 2021 by yagoityd (20 points)
0 votes
1 answer

Hello! We're using Duo for MFA on Windows 10 logins and understand this creates a new credential provider in Windows along side Adaxes' Password Self Service (PSS) credential ... 2FA with a Auth app or SMS code along with questions/answers. Thank you, Kyle

asked Feb 8, 2022 by KyleCascade (20 points)
0 votes
1 answer

Hi! In 2019.2 new feature was introduced to use Microsoft Authenticator to validate the password self-service. Is it possible to connect it to existing MFA in ... Authenticator - one company account and another one generated by Adaxes after enrollment. Thanks!

asked Oct 30, 2019 by Dmytro.Rudyi (900 points)
0 votes
2 answers

We have a few password self-service policies mostly using the Microsoft Authenticator app but certain users need to use Questions instead. We have a single user that, in the admin ... mode to make sure it is not a cache issue. Your help is greatly appreciated!

asked Dec 7, 2020 by mark.it.admin (2.1k points)
2,931 questions
2,647 answers
157,534 users