Password change with AD
Moderator: SourceGear
Password change with AD
When I try to change a username when using active directory for authentication, I am told that I must change the password at the same time. However, it will allow me to change the username if I proceed to click Save a second time.
Does the password still need to be changed on the AD account? I'm unclear on whether a web application can or should be able to require an AD password change.
Does the password still need to be changed on the AD account? I'm unclear on whether a web application can or should be able to require an AD password change.
Vault Standard Version 5.1.1.19215 -- Windows Server 2008 R2 -- SQL Server 2008 R2
Re: Password change with AD
You (nor the user) should not change a user's password in Vault if you are using AD authentication. What will happen if you do is their ability to use AD for Vault authentication will be broken by having the password changed.
The only thing you'd need to change would be their sign-in name if that changes.
By using AD authentication in Vault, then the user's password will just always be the same password they have in AD, even if the AD password changes. Essentially, Vault will check the name and then it.will pass the authentication through to the AD controller to do the authenticating.
The only thing you'd need to change would be their sign-in name if that changes.
By using AD authentication in Vault, then the user's password will just always be the same password they have in AD, even if the AD password changes. Essentially, Vault will check the name and then it.will pass the authentication through to the AD controller to do the authenticating.
Beth Kieler
SourceGear Technical Support
SourceGear Technical Support
Re: Password change with AD
Thanks Beth. That's what I would have expected, so I'm glad I checked.
Could you put in a change request on this? As it stands, the web interface states in no uncertain terms that the password must be changed: "When changing a login, it is required that the password be changed at the same time. Please change the password."
In fact, if AD authentication is selected, it would be better if the password change dialog controls are not presented, so that could be another change request.
I also see that there is a password change option in the client applications which could be disabled for accounts using AD authentication.
Thanks,
Rob
Could you put in a change request on this? As it stands, the web interface states in no uncertain terms that the password must be changed: "When changing a login, it is required that the password be changed at the same time. Please change the password."
In fact, if AD authentication is selected, it would be better if the password change dialog controls are not presented, so that could be another change request.
I also see that there is a password change option in the client applications which could be disabled for accounts using AD authentication.
Thanks,
Rob
Vault Standard Version 5.1.1.19215 -- Windows Server 2008 R2 -- SQL Server 2008 R2
Re: Password change with AD
Good Point. I will talk to the team about the requirement for a password change.
In the meantime, if you set the user to not be an AD user, then change the username and password, save that information, then return to the user and set them back to being an AD user, that should get you around that.
In the meantime, if you set the user to not be an AD user, then change the username and password, save that information, then return to the user and set them back to being an AD user, that should get you around that.
Beth Kieler
SourceGear Technical Support
SourceGear Technical Support
Re: Password change with AD
Sorry, I've made an error. We ran some tests and were unable to break AD authentication by changing the password. I was sure I had seen that fail sometime in the past.
I am still going to log a request to change how the password is dealt with when the user is using AD authentication.
F: 13222
I am still going to log a request to change how the password is dealt with when the user is using AD authentication.
F: 13222
Beth Kieler
SourceGear Technical Support
SourceGear Technical Support
Re: Password change with AD
Thanks, Beth. I tried simply ignoring the warning and clicking save again to force the change, and so far it seems to work fine. Just a little confusing to see the warning.
Vault Standard Version 5.1.1.19215 -- Windows Server 2008 R2 -- SQL Server 2008 R2
Re: Password change with AD
When you click a second time, you're actually still setting the Vault password, but you're setting it to blank. This would only be a security issue if your users are ever removed from using AD authentication.
Beth Kieler
SourceGear Technical Support
SourceGear Technical Support
Re: Password change with AD
Good to know, though I don't think we'd ever move away from AD. I'd much rather let AD worry about that. I have noticed that vault doesn't seem to check that there is a valid ad account when setting up a user. Is there a way to change that?
Vault Standard Version 5.1.1.19215 -- Windows Server 2008 R2 -- SQL Server 2008 R2
Re: Password change with AD
You are correct that Vault doesn't check if the account is valid. I don't currently have a way to change that, but I've entered a feature request for that functionality.
F: 16268
F: 16268
Beth Kieler
SourceGear Technical Support
SourceGear Technical Support