Defect #3097
closed
When authentication is delegated to a system (e.g., MS AD), a user should not be able to be authenticated with expired credentials
Added by Tomáš Doischer almost 3 years ago.
Updated almost 2 years ago.
Category: Authentication / Authorization
Description
A customer reported suspicious behavior. In their environment, users use MS AD credentials to authenticate to IdM. In one case, a user was able to successfully authenticate using expired credentials.
The customer uses MS AD connected via WinRM+AD connector in a remote connector server.
The goal is to validate that this happens and, if so, implement a different behavior (offer a password change to the user or, at least, prevent them from authenticating).
- Status changed from New to In Progress
- % Done changed from 0 to 50
I tested this on my local env with MS AD connector and everything is working correctly.
I was able to log in when the password was valid.
Then I set pwdLastSet in AD to 0, and after that I was not able to log into IdM anymore.
Next I'll try the WinRM + AD connector to see if there is any difference.
I was not able to replicate this even in IdM 12.X with WinRM + AD 1.0.2 on a remote server.
Same in 11.2.0 with WinRM + AD 1.0.2 on a remote server.
When a user has an expired password, login to IdM will fail.
- % Done changed from 50 to 80
@doischert, is it possible to get more information from the project? I set pwdLastSet to 0 to simulate a user with an expired password. Is it possible to check the state of the user on the project: does he also have pwdLastSet set to 0, or was his password expired in some other way?
Otherwise we can close this ticket.
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100
After consultation, I am closing this ticket.
The only way to log into IdM when authentication is against an AD system and the user in AD has an expired password is to have the same password set directly in IdM. But this is intended behavior. To solve this, just set the password policy for IdM correctly.
- Status changed from Resolved to Closed
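As an added example, not part of this ticket and not CzechIdM code, the following Python models the authentication chain the resolution describes: AD is consulted first (with pwdLastSet == 0 meaning "must change password at next logon", the state simulated in the test above), then the IdM's own password store. The user names, passwords, dates and the `idm_max_age` policy knob are constructed assumptions; the second result of `demo()` shows how a local password policy with a maximum age closes the fallback.

```python
from datetime import datetime, timedelta, timezone
import hmac

# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC, the encoding AD uses for pwdLastSet.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to the pwdLastSet representation."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def ad_password_expired(pwd_last_set: int, max_pwd_age: timedelta, now: datetime) -> bool:
    """pwdLastSet == 0 means 'must change password at next logon' (the state simulated in
    this ticket); otherwise the password is expired once pwdLastSet + maxPwdAge has passed."""
    if pwd_last_set == 0:
        return True
    last_set = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    return now >= last_set + max_pwd_age


def authenticate(username, password, ad_users, idm_users, idm_max_age, now):
    """Hypothetical model of the chain described in the ticket: delegate to AD first, then
    fall back to the IdM's own password store. Returns the store that accepted the login,
    or None when both reject it."""
    ad = ad_users.get(username)
    if (ad and hmac.compare_digest(ad["password"], password)
            and not ad_password_expired(ad["pwdLastSet"], ad["maxPwdAge"], now)):
        return "ad"
    local = idm_users.get(username)
    if local and hmac.compare_digest(local["password"], password):
        # Without a local max-age policy, an expired AD password still works here whenever
        # the same password was also stored in IdM: the behaviour the customer reported.
        if idm_max_age is None or now < local["changed"] + idm_max_age:
            return "idm-local"
    return None


def demo(now=datetime(2024, 1, 15, tzinfo=timezone.utc)):
    """Constructed data: alice's AD password is flagged 'must change' and the same password
    sits in IdM. Returns (result without local policy, result with a 42-day local max age)."""
    ad_users = {"alice": {"password": "Winter2023!", "pwdLastSet": 0,
                          "maxPwdAge": timedelta(days=42)}}
    idm_users = {"alice": {"password": "Winter2023!",
                           "changed": datetime(2023, 9, 1, tzinfo=timezone.utc)}}
    return (authenticate("alice", "Winter2023!", ad_users, idm_users, None, now),
            authenticate("alice", "Winter2023!", ad_users, idm_users, timedelta(days=42), now))
```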