Defect #3097

closed

When authentication is delegated to a system (e.g., MS AD), a user should not be able to authenticate with expired credentials

Added by Tomáš Doischer about 2 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee: Roman Kučera
Category: Authentication / Authorization
Target version:
Start date: 03/30/2022
Due date:
% Done: 100%
Estimated time:
Affected versions:
Owner:

Description

A customer reported suspicious behavior. In their environment, users use MS AD credentials to authenticate to IdM. In one case, a user was able to successfully authenticate using expired credentials.

The customer uses MS AD connected via the WinRM+AD connector on a remote connector server.

The goal is to validate that this happens and, if so, implement different behavior (offer the user a password change or, at least, prevent them from authenticating).

Actions #1

Updated by Roman Kučera almost 2 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 50

I tested this on my local env with the MS AD connector and everything is working correctly.
I was able to log in when the password was valid.
Then I set pwdLastSet in AD to 0, and after that I was no longer able to log into IdM.

Next I'll try the WinRM + AD connector to see if there is any difference.

Actions #2

Updated by Roman Kučera almost 2 years ago

I was not able to replicate this even in IdM 12.X with WinRM + AD 1.0.2 on a remote server.
Same in 11.2.0 with WinRM + AD 1.0.2 on a remote server.

When a user has an expired password, login to IdM will fail.

Actions #3

Updated by Roman Kučera almost 2 years ago

  • % Done changed from 50 to 80

@doischert, is it possible to get more information from the project? I set pwdLastSet to 0 to simulate a user with an expired password. Is it possible to check the state of the user on the project: does he also have pwdLastSet set to 0, or was he expired in some other way?

Otherwise we can close this ticket.

Actions #4

Updated by Roman Kučera almost 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100

After consultation, I am closing this ticket.

The only way to log into IdM when authentication is against the AD system and the user's AD password has expired is to have the same password set directly in IdM. But this is intended behavior. To solve this, just set the IdM password policy correctly.
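The reproduction in #1 and the question in #3 hinge on how the user's AD password came to be expired: pwdLastSet = 0 (must change at next logon), a pwdLastSet older than the domain maxPwdAge, or neither because DONT_EXPIRE_PASSWORD is set on the account. The following is an added example, not code from this ticket or from IdM: a small Python classifier over those AD attributes, run against constructed account records, that an administrator can use to tell the cases apart before comparing against what IdM does with a locally stored password (#4).

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

# AD stores pwdLastSet and maxPwdAge as FILETIME intervals (100 ns since 1601-01-01 UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl flag
NEVER_EXPIRES_MAXPWDAGE = -0x8000000000000000  # domain maxPwdAge value for "never"

class PwdState(Enum):
    VALID = "valid"
    MUST_CHANGE = "must_change"         # pwdLastSet == 0 (change at next logon)
    EXPIRED = "expired"                 # older than the domain maxPwdAge
    NEVER_EXPIRES = "never_expires"     # flag on the account or domain policy

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_state(pwd_last_set: int, user_account_control: int,
                   max_pwd_age: int, now: datetime) -> PwdState:
    # pwdLastSet = 0 is the "must change at next logon" marker used in #1/#3.
    if pwd_last_set == 0:
        return PwdState.MUST_CHANGE
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return PwdState.NEVER_EXPIRES
    if max_pwd_age in (0, NEVER_EXPIRES_MAXPWDAGE):
        return PwdState.NEVER_EXPIRES
    # maxPwdAge is stored as a negative interval; expiry = pwdLastSet + |maxPwdAge|.
    expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)
    return PwdState.EXPIRED if now >= expires_at else PwdState.VALID

def audit(accounts: list, max_pwd_age: int, now: datetime) -> dict:
    """Map sAMAccountName -> PwdState for a list of (name, pwdLastSet, uac) records."""
    return {name: password_state(pls, uac, max_pwd_age, now)
            for name, pls, uac in accounts}

# Constructed sample: 42-day domain policy, evaluated on the ticket's start date.
MAX_PWD_AGE_42_DAYS = -(42 * 86400 * 10_000_000)
NOW = datetime(2022, 3, 30, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    ("alice", datetime_to_filetime(datetime(2022, 3, 1, tzinfo=timezone.utc)), 0x200),
    ("bob",   0, 0x200),                       # forced change, as in comment #1
    ("carol", datetime_to_filetime(datetime(2022, 1, 1, tzinfo=timezone.utc)), 0x200),
    ("svc",   datetime_to_filetime(datetime(2021, 1, 1, tzinfo=timezone.utc)), 0x10200),
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE_ACCOUNTS, MAX_PWD_AGE_42_DAYS, NOW).items():
        print(f"{name}: {state.value}")
```

Running it over real data means reading pwdLastSet and userAccountControl per user and maxPwdAge from the domain object via LDAP; any account reported as must_change or expired that can still sign in to IdM has a matching password stored locally, which is the situation described in #4.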

Actions #5

Updated by Tomáš Doischer about 1 year ago

  • Status changed from Resolved to Closed