Updating cached password over VPNs

ADSelfService Plus can update local cached credentials stored in users’ machines so remote users can access their machines even if they forget their passwords.

Cached Credentials Update - How it works

Fig 1: Image showing how a cached credential is updated by the login agent.

  1. ADSelfService Plus places a Reset Password/Account Unlock link on the login screen of Windows, macOS, and Linux machines to enable self-service password reset. Clicking this link will open the password self-service portal.
  2. Users are required to prove their identity through any one of the enforced authentication methods, such as SMS-based one-time passwords (OTPs), email-based OTPs, Google Authenticator, Duo Security, and RSA SecurID.
    • Updating cached credentials over VPNs is supported only for Windows.
    • Users must be enrolled in ADSelfService Plus to utilize the self-service password reset and self-service account unlock capabilities.
    • Enrollment is a one-time process where users enter their mobile number and email address, set answers to security questions, and provide other details in ADSelfService Plus in order to register for self-service password management. Learn how to enroll users.
  3. Once a user’s identity is successfully verified, they will be allowed to reset their forgotten AD domain passwords.
  4. ADSelfService Plus resets the AD password and alerts the logon agent about the successful completion.
  5. The logon agent establishes a secure connection with AD through a VPN client and initiates a request for updating the local cached credentials.
  6. After the request is successfully approved by AD, the cached credentials are locally updated on the user's machine.

Supported VPN clients

Note: The ADSelfService Plus login agent uses a command-line interface (CLI) to initiate a connection with the integrated VPN. Any VPN provider that supports a CLI with LocalSystem account privileges can be used for cached credentials update.

Configuration Steps

  1. Navigate to Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
  2. Click Updating Cached Credentials over VPN.
  3. Select Enable VPN settings.
  4. Select the VPN Provider from the drop-down list.
  5. Enter the VPN Hostname/IP address and VPN Port No in their respective fields.
  6. Enter the location where the VPN client is installed on the users' machines.
  7. Image depicting the list of supported VPN clients

  8. If you want to use a service account for VPN connections, select Enable VPN Access via a Service Account and enter the service acount's credentials.
  9. Note: VPN connections are usually made with end-user accounts. You can use a service account for VPN connections if:
    • Your organization has mandated MFA for end-user VPN connections, or
    • Your organization uses a single account for multiple VPN connections.

    Please ensure that the VPN service account does not require MFA in order to connect to the VPN.

    Here are the client locations for the VPN providers supported out of the box in ADSelfService Plus:

    • Cisco AnyConnect: C:\Program Files (x86)\Cisco\Cisco AnyConnect\vpncli.exe
    • SonicWall Global VPN: C:\Program Files (x86)\SonicWall\SonicWall Global VPN\swgvc.exe
    • Fortinet VPN: The appropriate version of the VPN client file (fortisslvpnclient.exe) must be downloaded from the Fortinet support portal and installed on users' machines. The location where the FortiSSLVPNClient.exe file has been installed must be mentioned as the client location. Example: C:\FortiClient\FortiSSLVPN\x86\FortiSSLVPNClient.exe
    • Check Point VPN: C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.exe
    • SonicWall NetExtender: C:\Program Files (x86)\Sonicwall\SSL-VPN\NetExtender\necli.exe
    • OpenVPN: C:\Program Files (x86)\Sophos\Sophos ssl client\bin\openvpn.exe
    • Cisco IPSec: C:\Program Files (x86)\Cisco\Cisco IPSec\vpnclient.exe
    Note: The VPN client location has to be uniformly maintained on all user machines. If using a custom VPN provider, please contact your VPN provider's support team to know the name of the client used for command-line interface and mention its location as the client location.
  10. For Custom VPN, macros (%user_name%, %password%, etc.) can be used in the VPN Connect/Disconnect Command. (Note: The syntax for the VPN Connect/Disconnect Command varies depending on the VPN provider used.)
    Example:connect -s adsspvpn -h %servername%:%portno% -u %user_name%:%password%
  11. Click Save.
    Note:The VPN configurations will be reflected on the users’ machine either during the GINA/Mac/Linux client installation, or when the GINA/Mac/Linux scheduler runs.


Your request has been submitted to the ADSelfService Plus technical support team. Our technical support people will assist you at the earliest.


Need technical assistance?

  • Enter your email ID
  • Talk to experts
    By clicking 'Talk to experts', you agree to processing of personal data according to the Privacy Policy.

Don't see what you're looking for?


    Visit our community

    Post your questions in the forum.


    Request additional resources

    Send us your requirements.


    Need implementation assistance?

    Try onboarding


Copyright © 2023, ZOHO Corp. All Rights Reserved.