How to configure and troubleshoot the cached credentials update feature

ManageEngine ADSelfService Plus' cached credentials update feature helps remote users reset their domain password from their login screens using the self-service password reset feature, and regain access to their Windows machines from outside the domain network. The feature employs a VPN to achieve this. This webpage elaborates on enabling the cached credentials update feature in ADSelfService Plus for four different VPN providers: Fortinet, Cisco IPSec, Cisco AnyConnect, and Windows Native VPN.

Note: If your VPN is protected with MFA, accessibility to the cached credentials update feature can change based on the authentication methods used. Here are the possible scenarios:
  • When MFA for VPN uses one-way authentication methods, like biometrics and push notification, users will be asked to authenticate using the configured methods after password reset. Once authentication is successful, the cached credentials update will be initiated.
  • When MFA for VPN uses challenge-based authentication methods, such as TOTP using Google Authenticator, the cached credentials update may not function. In this case, please reach out to the ADSelfService Plus support team for additional assistance in enabling the feature.

Prerequisite

To enable the cached credentials update for client machines, ADSelfService Plus must be hosted online and be accessible through the internet. Refer to this guide for step-by-step instructions on how to host your ADSelfService Plus instance online.

Step 1: Configure the cached credentials update

  1. Navigate to Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
  2. Click Updating Cached Credentials over VPN.
  3. Select Enable VPN settings.
  4. Select your VPN provider (Fortinet, Cisco IPSec, Cisco AnyConnect, or Windows Native VPN) from the drop-down list.
  5. Enter the VPN HostName/IP address and VPN port number in their respective fields.
  6. If Fortinet, Cisco IPSec, or Cisco AnyConnect is used, enter the VPN Client Location along with the client file name. The default locations of the VPN client files for the three providers are:
    • Fortinet:

      C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNclient.exe

    • Cisco IPSec:

      C:\Program Files (x86)\Cisco\Cisco IPSec\vpnclient.exe

    • Cisco AnyConnect:

      C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe

    Note: FortiSSLVPNclient.exe is not available by default when FortiClient is installed on the client machine. It must be downloaded from the Fortinet support portal using your business account:
    • Log in to https://support.fortinet.com/welcome/#/.
    • Navigate to Firmware Images > Download.
    • Select FortiClient.
    • Navigate to the FortiClient version installed on your client machines and download FortiClientTools_xxxxx.zip by clicking the link.
    • Extract the ZIP file. It contains an SSL VPN command-line client folder holding FortiSSLVPNClient.exe and three dependent dynamic link library (DLL) files.
    • Copy the EXE file and the three DLL files into C:\Program Files (x86)\Fortinet\FortiClient on all the client machines.
  7. Click Save.

Step 2: Install the ADSelfService Plus login agent in client machines

To enable the cached credentials update on client machines, the ADSelfService Plus login agent must be installed on them. Upon installation, the login agent places the self-service password reset option on the machine's login screen and enables the cached credentials update functionality. During subsequent self-service password reset attempts, the login agent sends the authentication information and new credentials to the ADSelfService Plus server, which in turn sends them to AD. Once the authentication and password reset are approved, AD relays the new password back to the client machine via the VPN, and the machine's cached credentials are updated.

The login agent can be installed through the product portal, manually, via GPO, via Microsoft System Center Configuration Manager, and using third-party software. Here, we will be going through installation via the product portal.

Important: If the login agent was already installed in client machines before configuring the cached credentials update, this feature will be enabled for the client machines only if the GINA Customization Scheduler acts on them, or if the login agent is reinstalled.

ADSelfService Plus login agent installation via product portal

  1. In the ADSelfService Plus web portal, go to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux installation.
  2. Click New Installation.
  3. Select a domain, and then the computers (on which you want to install the login agent).
  4. Click Install.

GINA Customization Scheduler configuration

  1. Navigate to Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
  2. Click GINA/Mac/Linux Schedulers.
  3. Click the edit icon.

  4. In the window that opens, select the domain, OUs, or groups for which you want to deploy the client software.
  5. Set the Schedule Time and configure the Notification Frequency as daily, weekly, monthly, or hourly.

  6. Click Save.

ADSelfService Plus login agent reinstallation

  1. In the ADSelfService Plus web portal, go to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux installation.
  2. Go to Installed Machines.
  3. Select the computers on which the login agent is installed.
  4. Click Reinstall.

Troubleshooting

If the cached credentials are not updated for any client machine during self-service password reset after the feature is enabled, ensure the following:

  1. The login agent is installed on the client machine.
  2. The following registry entries are correctly updated after manual installation of the login agent:

    Go to HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus Client Software and ensure that the following registry entries are present:

    • IsTPVPNEnabled: The value must be "t" for all VPN providers except Windows Native VPN.
    • IsVPNEnabled: The value must be "t".
    • VPNClientLocation: The correct file path and filename of the VPN client agent must be present. For example:

      C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNclient.exe

  3. The client machine successfully connects to the VPN.

    This can be confirmed by executing the following commands in Command Prompt, depending on the VPN provider used.

    Cisco IPSec:
    vpnclient.exe connect <profile name> user %user_name% pwd %password%

    Cisco AnyConnect:
    vpncli.exe -s < %tempFile%
    (or)
    vpncli.exe connect %servername%
    %user_name%
    %password%
    (In the second form, vpncli.exe prompts for the username and password, which are entered on the two following lines.)

    Fortinet:
    connect -s adsspvpn -h %servername%:%portno% -u %user_name%:%password%

    In case a custom VPN provider is used, the following command line must be used:
    pstools..psexec.exe -s -i

  4. The AD domain controller is reachable through the VPN. This can be confirmed by pinging the server.
  5. For Windows Native VPN:
    • L2TP/IPSec with pre-shared key is the type of VPN used.
    • AD domain credentials are provided during VPN configuration.
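The checklist above can be run as a script on an affected client. The PowerShell diagnostic below is an added example and is not part of ADSelfService Plus or its documentation. It reads the three registry values named in item 2, verifies that the file at VPNClientLocation exists (for Fortinet and the Cisco clients) or that an L2TP connection is configured (for Windows Native VPN, item 5), and pings the domain controller (item 4). The parameters $DomainController, $VpnHost and $VpnPort are illustrative, and the assumption that the login agent's registry key exists only after the agent is installed is ours, not the product's. The script deliberately does not run the connect commands from item 3, because those take the user's password on the command line.

```powershell
# Added diagnostic for the troubleshooting checklist above. Not part of ADSelfService Plus.
# Run in an elevated PowerShell session on the client machine whose cached credentials did not update.
# Assumptions: the registry key below exists only once the login agent is installed;
# $DomainController, $VpnHost and $VpnPort are illustrative parameters, not product settings.
param(
    [string] $DomainController = "$env:LOGONSERVER".TrimStart('\'),  # DC that handled this logon
    [string] $VpnHost = '',                                           # VPN HostName/IP entered in Step 1 (optional)
    [int]    $VpnPort = 443                                           # VPN port entered in Step 1
)

# Registry path and value names are the ones listed in item 2 of the checklist.
$AgentKey = 'HKLM:\SOFTWARE\ZOHO Corp\ADSelfService Plus Client Software'
$failures = [System.Collections.Generic.List[string]]::new()

# Item 1: login agent installed (assumption: the key is created by the agent installer).
if (-not (Test-Path -LiteralPath $AgentKey)) {
    $failures.Add("Login agent key not found: $AgentKey - is the login agent installed?")
}
else {
    $props = Get-ItemProperty -LiteralPath $AgentKey

    # Item 2: IsVPNEnabled must be "t" for every provider.
    if ($props.IsVPNEnabled -ne 't') {
        $failures.Add("IsVPNEnabled is '$($props.IsVPNEnabled)', expected 't'")
    }

    if ($props.IsTPVPNEnabled -eq 't') {
        # Fortinet / Cisco IPSec / Cisco AnyConnect: VPNClientLocation must point at an existing client file.
        if ([string]::IsNullOrWhiteSpace($props.VPNClientLocation)) {
            $failures.Add("VPNClientLocation is empty although IsTPVPNEnabled is 't'")
        }
        elseif (-not (Test-Path -LiteralPath $props.VPNClientLocation -PathType Leaf)) {
            $failures.Add("VPN client not found at VPNClientLocation: $($props.VPNClientLocation)")
        }
    }
    else {
        # Windows Native VPN (item 5): an L2TP/IPsec connection must be configured on this machine.
        # Get-VpnConnection is the built-in VpnClient cmdlet; TunnelType 'L2tp' is the value expected here.
        $l2tp = Get-VpnConnection -ErrorAction SilentlyContinue | Where-Object { $_.TunnelType -eq 'L2tp' }
        if (-not $l2tp) {
            $failures.Add("IsTPVPNEnabled is not 't' (Windows Native VPN), but no L2TP VPN connection is configured")
        }
    }
}

# Item 3 (partial): the VPN endpoint accepts a TCP connection on the configured port.
# The connect commands from the checklist are not run here because they need the user's password.
if ($VpnHost) {
    $tcp = Test-NetConnection -ComputerName $VpnHost -Port $VpnPort -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $failures.Add("VPN endpoint ${VpnHost}:${VpnPort} did not accept a TCP connection")
    }
}

# Item 4: the domain controller is reachable (the checklist suggests a ping).
if (-not (Test-Connection -ComputerName $DomainController -Count 2 -Quiet)) {
    $failures.Add("Domain controller $DomainController did not answer ping")
}

# Summary: one line per failed check, or a single OK line.
if ($failures.Count -eq 0) {
    Write-Output 'All cached credentials update prerequisites on this machine look correct.'
}
else {
    $failures | ForEach-Object { Write-Output "FAIL: $_" }
}
```

The TCP port check is only meaningful for the SSL VPN clients (FortiClient SSL VPN and AnyConnect); Cisco IPSec negotiates over UDP 500 and 4500, so leave $VpnHost empty for it and rely on the registry and domain controller checks. A FAIL on item 1 or 2 after a manual agent installation usually means the GINA Customization Scheduler has not yet acted on the machine or the agent needs to be reinstalled, as described in Step 2.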

 
