
Active Directory authentication module - password reset unexpectedly


Article ID: 229206


Products

CA Identity Suite CA Identity Manager

Issue/Introduction

We are using the AD authentication module. We have observed that a password reset on a User Store user that is NOT correlated to AD will change an AD user's password if the login matches.

Why does the AD authentication module provision changes rather than just authenticate?

Environment

Release : 14.4

Component : Identity Manager

Resolution

The AD authentication module relies on each user having an account in Active Directory so that the user can be authenticated there.

As per the documentation: if you configure the Active Directory authentication module, user password sets from the Forgotten Password or Reset Password tasks automatically propagate to both the Identity Manager User Store and the Active Directory server. Password status changes are detected during authentication.

The documentation also describes how Identity Manager searches for the user name entered in the login screen of the Identity Manager User Console, using the attribute that is defined in the Management Console.

By design, the search is based on the authentication attribute, which matches the nominated IM attribute. The authentication attempt is made directly against Active Directory, without any attempt to verify the account association in the Provisioning layer. This means that the password change happens directly at the account level: whichever AD account carries the same value as the User Store user's login attribute receives the new password, whether or not that account is correlated to the user in Provisioning. The behavior reported above is therefore expected, not a defect in correlation.
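A practitioner will want to know which users are exposed before relying on a global switch. The following script is an added example, not Broadcom's code: it compares a User Store export against the list of AD account names and reports every uncorrelated user whose login value would, under the behavior described above, reset a foreign AD password. The CSV layout (columns login and correlated_ad_account), the AD account list, and the function name are all constructed for this example; a real run would use an export of the actual User Store and of the AD authentication directory's sAMAccountName values.

```python
"""
Added example (not Broadcom's code): list User Store users whose login value
collides with an Active Directory account they are NOT correlated to.

Per the article, the AD authentication module looks the login name up by the
configured authentication attribute and resets the matching AD account's
password without consulting the Provisioning-layer correlation. Every row this
script reports is a user whose Reset/Forgotten Password task would change
someone else's AD password.
"""
import csv
import io

# Constructed export of the Identity Manager User Store (column names are an
# assumption for this example). 'correlated_ad_account' is the AD account the
# Provisioning layer associates with the user, or '' when there is none.
USER_STORE_CSV = """login,correlated_ad_account
jsmith,jsmith
mjones,
svc_backup,
ADoe,
tbrown,tbrown
"""

# Constructed list of sAMAccountName values from the AD authentication directory.
AD_ACCOUNTS = ["jsmith", "mjones", "svc_backup", "adoe", "tbrown", "admin"]


def find_uncorrelated_collisions(user_store_csv: str, ad_accounts):
    """Return (login, ad_account) pairs where a password reset would land on an
    AD account the user is not correlated to.

    The comparison is case-insensitive because AD matches sAMAccountName that
    way; whether the IM lookup is also case-insensitive is an assumption here,
    so the check errs on the side of reporting a collision.
    """
    ad_by_lower = {name.lower(): name for name in ad_accounts}
    collisions = []
    for row in csv.DictReader(io.StringIO(user_store_csv)):
        login = row["login"].strip()
        correlated = row["correlated_ad_account"].strip().lower()
        target = ad_by_lower.get(login.lower())
        if target is None:
            continue  # no AD account of that name, so propagation has nothing to hit
        if target.lower() == correlated:
            continue  # propagation reaches the user's own, correlated AD account
        collisions.append((login, target))
    return collisions


if __name__ == "__main__":
    for login, ad_name in find_uncorrelated_collisions(USER_STORE_CSV, AD_ACCOUNTS):
        print(f"User Store login {login!r} would reset AD account {ad_name!r} without correlation")
```

In the constructed data, jsmith and tbrown are correlated to their own AD accounts and are skipped; mjones, svc_backup and ADoe (matching the AD account adoe) are reported. Users reported here are the ones to review before a Reset Password task is run against them, or before deciding whether the global property below is acceptable.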

If this behavior is not desired, you can disable AD password propagation by configuring the DisableADPasswordPropagation property. As the documentation puts it, "The property prevents Identity Manager from changing the password and having it propagated to the Active Directory Auth directory", so the module only validates passwords against AD and no longer changes them. Note that this is a global property: it applies to all users in the environment, and once it is set a Reset Password or Forgotten Password task updates only the User Store password, not the AD password that the AD authentication module validates against.

The property is configured by navigating to Environments > <Environment_Name> > Advanced Settings > Miscellaneous.

To add a new authentication module property, enter the Property name and its Value in the corresponding fields, and then click Add.

The property name is DisableADPasswordPropagation. The name is case-sensitive; add it to your Identity Manager environment exactly as written and set its value to true.

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/configuring/advanced-settings/manage-authentication-module-properties.html
