Answered

Test setting initial password and enabling account

Adam van Vliet (Chief Information Security Officer) 4 years ago in UNIFYBroker/Microsoft Active Directory • updated by anonymous 4 years ago

Test to confirm that Identity Broker for Microsoft Active Directory is capable of provisioning users in an enabled state. A few things we know:

  • SSL must be enabled in AD and on the connection;
  • The password must meet the complexity requirements;
  • Use userAccountControl to enable the account;
  • If using unicodePwd there are some prerequisites for the format of the password (enclosed in quotes and base64 encoded);

Other:

  • Is anything logged in AD/Windows event log that can help diagnose?
  • Can the traffic be traced?
  • Is there another password field that gets the outcome without having to use unicodePwd?
  • Do we have to change the connector to make this easier?

Notes for future reference:

  • password reset requires LDAPS (enable SSL, use port 636)
  • in order to avoid certificate errors, you should use the fully qualified domain name (e.g. computername.domain.local) in the configuration of the AD agent so that it matches the subject of the AD DS certificate
  • a new user's password will be expired by default; set pwdLastSet to -1 to avoid this
  • set userAccountControl initially to 512 (0x200), which is NORMAL_ACCOUNT only; certainly make sure ACCOUNTDISABLE (0x2) is not on

IDBAD v4.1 and v5 connectors now support set password (sync and async respectively), and both support adding unicodePwd to the schema, which can be exported to set the password on adds

Created account with password set. Was able to successfully log in using the account.
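The procedure from the notes above, put together as an added example (this is not code from the thread or from the UNIFYBroker connector): the unicodePwd encoding, the LDAPS/FQDN endpoint checks, userAccountControl set to NORMAL_ACCOUNT with ACCOUNTDISABLE verified clear, and pwdLastSet = -1, all assembled into one add operation. The connection object is assumed to expose an ldap3-style add(dn, object_class, attributes) method; an in-memory fake is included so it runs offline. The host name, DN, account name and password are made up, and the complexity check is an approximation of the default domain policy.

```python
import base64
import re

NORMAL_ACCOUNT = 0x0200   # userAccountControl flag for a plain user account
ACCOUNTDISABLE = 0x0002   # must NOT be set if the account should be usable
LDAPS_PORT = 636
USER_OBJECT_CLASSES = ["top", "person", "organizationalPerson", "user"]


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes and
    encoded UTF-16LE without a BOM; this is the raw value sent over LDAPS."""
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_ldif(password: str) -> str:
    """The same value as it appears in LDIF: binary, so base64 after '::'."""
    return "unicodePwd:: " + base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def meets_default_complexity(password: str, sam_account_name: str, display_name: str = "") -> bool:
    """Approximation of the default AD complexity rule (assumption: default
    domain policy): >= 6 characters, not containing the sAMAccountName or any
    display-name token longer than two characters, and at least three of the
    four character classes."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        return False
    for token in re.split(r"[,.\-_ #\t]+", display_name or ""):
        if len(token) > 2 and token.lower() in lowered:
            return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def endpoint_problems(host: str, port: int, use_ssl: bool) -> list:
    """Checks from the notes: password operations need LDAPS on 636, and the
    agent must use the DC's FQDN so it matches the certificate subject."""
    problems = []
    if not use_ssl or port != LDAPS_PORT:
        problems.append("password set requires LDAPS (SSL on port 636)")
    is_ipv4 = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    if is_ipv4 or "." not in host:
        problems.append("use the fully qualified domain name of the DC, not an IP or short name")
    return problems


def build_enabled_user_attributes(cn: str, sam: str, password: str, extra_flags: int = 0) -> dict:
    """Attributes for the add: NORMAL_ACCOUNT (plus any optional flags such as
    DONT_EXPIRE_PASSWORD) with ACCOUNTDISABLE verified clear, the encoded
    password, and pwdLastSet = -1 so the initial password is not expired."""
    uac = NORMAL_ACCOUNT | extra_flags
    if uac & ACCOUNTDISABLE:
        raise ValueError("ACCOUNTDISABLE (0x2) must not be set on an enabled account")
    return {
        "cn": cn,
        "sAMAccountName": sam,
        "unicodePwd": encode_unicode_pwd(password),
        "userAccountControl": uac,
        "pwdLastSet": -1,
    }


class FakeLdapConnection:
    """In-memory stand-in for an ldap3 Connection (constructed for offline use)."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, object_class, attributes):
        self.entries[dn] = {"objectClass": list(object_class), **attributes}
        return True


def provision_enabled_user(conn, host, port, use_ssl, dn, cn, sam, password, display_name=""):
    """Validate the endpoint and password, then add the user enabled, with its
    password set in the same operation."""
    problems = endpoint_problems(host, port, use_ssl)
    if problems:
        raise ValueError("; ".join(problems))
    if not meets_default_complexity(password, sam, display_name):
        raise ValueError("password does not meet the default complexity rule")
    attrs = build_enabled_user_attributes(cn, sam, password)
    return conn.add(dn, USER_OBJECT_CLASSES, attrs)


if __name__ == "__main__":
    # Against a real DC this would be ldap3.Connection(Server("dc01.corp.example.com", 636, use_ssl=True), ...)
    conn = FakeLdapConnection()
    dn = "CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com"
    print(provision_enabled_user(conn, "dc01.corp.example.com", 636, True, dn,
                                 "Jane Doe", "jdoe", "Correct-Horse-42", "Jane Doe"))
    print(unicode_pwd_ldif("Correct-Horse-42"))
```

Note that the add carries unicodePwd and userAccountControl = 512 together; sending the enable flag without a password that passes policy is the usual reason an otherwise correct add is rejected.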