[keycloak-user] Issues with Keycloak and AD
Marek Posolda
mposolda at redhat.com
Tue Apr 25 16:15:48 EDT 2017
On 25/04/17 16:07, Charles Hardin wrote:
> I tried turning that off, but the problem seems to persist. I also
> changed minimum password age to 0 on the AD side and it still fails to
> change the password.
>
> The AD configuration is pretty much default outside of password
> configuration.
>
> The user gets created in AD with the must change password at next
> login flagged, as well as account disabled.
>
> I will keep poking on my end to see what I can find. Any guess when it
> might be testable against 2016 on your side?
Not sure. Depends on the priorities and how much customers need that.
Marek
>
>
> On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
> I was not able to simulate the issue with MSAD 2008 or MSAD 2012.
> I have the same setup as you (Password Policy Hints enabled, Writable
> edit mode).
>
> After the registration, the user's password is successfully updated in
> MSAD and I can see that the MSAD attributes of the user are in the expected
> state (pwdLastSet is updated to the latest time, userAccountControl
> is 512, which corresponds to a fully created and enabled user).
>
> Not sure if the difference is with your MSAD setup or if this is
> related to MSAD 2016. We don't yet test with this version for now.
>
> The workaround might be to disable "Password Policy Hints". But
> then some advanced password policies won't work (password history
> etc).
>
> Marek
>
>
> On 21/04/17 15:42, Charles Hardin wrote:
>> 2016
>>
>> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> I will try to reproduce that. What's your MSAD version btw?
>>
>> Thanks,
>> Marek
>>
>>
>> On 20/04/17 23:55, Charles Hardin wrote:
>>
>> Hello All,
>>
>> I have set up an instance of Keycloak 3 and connected it to AD. It is set up
>> to sync users and is in writable edit mode. I also have Password Policy Hints
>> enabled in the MSAD Account Controls mapper. I have user registration
>> turned on in Keycloak.
>>
>> When I register a user in Keycloak, it creates the user in a disabled state
>> in AD, and prompts the user in Keycloak to change the password they just
>> set during account creation to activate the account. This then fails
>> because AD is currently configured to enforce a minimum password age of one
>> day.
>>
>> I am OK with the account being created disabled, but how do I get around
>> the immediate 2nd password request?
>>
>> Thanks,
>>
>> Chuck
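The thread judges whether provisioning worked by looking at two AD attributes, userAccountControl (512 = fully created and enabled) and pwdLastSet, versus a user left disabled and flagged to change password at next logon. The following helper decodes those attributes so an admin can check an entry's state directly; it is an added example, not code from the thread or from Keycloak, and the LDAP entries in it are constructed sample data.

```python
"""Added example: decode userAccountControl and pwdLastSet from an AD entry
to report whether a user is enabled and whether a password change is
pending at next logon. Sample entries below are constructed, not real."""
from dataclasses import dataclass

# userAccountControl bit flags as documented by Microsoft
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200          # 512: a plain, enabled user object
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000


@dataclass
class AccountState:
    enabled: bool
    normal_account: bool
    must_change_password: bool
    password_never_expires: bool


def decode_account_state(user_account_control, pwd_last_set) -> AccountState:
    """AD stores 'user must change password at next logon' as pwdLastSet == 0."""
    uac = int(user_account_control)
    return AccountState(
        enabled=not (uac & ACCOUNTDISABLE),
        normal_account=bool(uac & NORMAL_ACCOUNT),
        must_change_password=(int(pwd_last_set) == 0) or bool(uac & PASSWORD_EXPIRED),
        password_never_expires=bool(uac & DONT_EXPIRE_PASSWORD),
    )


def diagnose(entry: dict) -> list:
    """Findings for one entry (attribute name -> value, as an LDAP search returns it)."""
    state = decode_account_state(entry["userAccountControl"], entry["pwdLastSet"])
    findings = []
    if not state.normal_account:
        findings.append("NORMAL_ACCOUNT flag missing: object is not a regular user account")
    if not state.enabled:
        findings.append("ACCOUNTDISABLE set: user cannot log in until enabled")
    if state.must_change_password:
        findings.append("must change password at next logon (pwdLastSet=0 or PASSWORD_EXPIRED)")
    return findings


# Constructed sample entries mirroring the two states described in the thread
HEALTHY_USER = {"sAMAccountName": "jdoe", "userAccountControl": "512", "pwdLastSet": "131380000000000000"}
STUCK_USER = {"sAMAccountName": "chuck", "userAccountControl": "514", "pwdLastSet": "0"}

if __name__ == "__main__":
    for entry in (HEALTHY_USER, STUCK_USER):
        print(entry["sAMAccountName"], diagnose(entry) or ["OK: enabled, no pending password change"])
```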