Password change with AD

scaiferw · Post by **scaiferw** » Wed Apr 11, 2012 8:10 am

When I try to change a username when using active directory for authentication, I am told that I must change the password at the same time. However, it will allow me to change the username if I proceed to click Save a second time.

Does the password still need to be changed on the AD account? I'm unclear on whether a web application can or should be able to require an AD password change.

Beth · Post by **Beth** » Wed Apr 11, 2012 8:17 am

You (nor the user) should not change a user's password in Vault if you are using AD authentication. What will happen if you do is their ability to use AD for Vault authentication will be broken by having the password changed.

The only thing you'd need to change would be their sign-in name if that changes.

By using AD authentication in Vault, then the user's password will just always be the same password they have in AD, even if the AD password changes. Essentially, Vault will check the name and then it.will pass the authentication through to the AD controller to do the authenticating.

scaiferw · Post by **scaiferw** » Wed Apr 11, 2012 8:34 am

Thanks Beth. That's what I would have expected, so I'm glad I checked.

Could you put in a change request on this? As it stands, the web interface states in no uncertain terms that the password must be changed: "When changing a login, it is required that the password be changed at the same time. Please change the password."

In fact, if AD authentication is selected, it would be better if the password change dialog controls are not presented, so that could be another change request.

I also see that there is a password change option in the client applications which could be disabled for accounts using AD authentication.

Thanks,

Rob

Beth · Post by **Beth** » Wed Apr 11, 2012 10:05 am

Good Point. I will talk to the team about the requirement for a password change.

In the meantime, if you set the user to not be an AD user, then change the username and password, save that information, then return to the user and set them back to being an AD user, that should get you around that.

Beth · Post by **Beth** » Wed Apr 11, 2012 3:14 pm

Sorry, I've made an error. We ran some tests and were unable to break AD authentication by changing the password. I was sure I had seen that fail sometime in the past.

I am still going to log a request to change how the password is dealt with when the user is using AD authentication.

F: 13222

scaiferw · Post by **scaiferw** » Thu Apr 12, 2012 8:59 am

Thanks, Beth. I tried simply ignoring the warning and clicking save again to force the change, and so far it seems to work fine. Just a little confusing to see the warning.

Beth · Post by **Beth** » Thu Apr 12, 2012 9:02 am

When you click a second time, you're actually still setting the Vault password, but you're setting it to blank. This would only be a security issue if your users are ever removed from using AD authentication.

scaiferw · Post by **scaiferw** » Thu Apr 12, 2012 9:20 am

Good to know, though I don't think we'd ever move away from AD. I'd much rather let AD worry about that. I have noticed that vault doesn't seem to check that there is a valid ad account when setting up a user. Is there a way to change that?

Beth · Post by **Beth** » Thu Apr 12, 2012 2:20 pm

You are correct that Vault doesn't check if the account is valid. I don't currently have a way to change that, but I've entered a feature request for that functionality.

F: 16268

SourceGear Support

Password change with AD

Password change with AD

Re: Password change with AD

Re: Password change with AD

Re: Password change with AD

Re: Password change with AD

Re: Password change with AD

Re: Password change with AD

Re: Password change with AD

Re: Password change with AD