Marek,
I did some more testing on my side. I made the user Keycloak uses to talk
to MSAD a Domain Admin (I was using delegation). I dropped the domain and
forest functional level to 2012R2, and also removed the realm and recreated
it to make sure I was as close to defaults as I could be.
I went and dug through the AD events, and it looks like for whatever reason
Keycloak is creating the user with a UAC value of 0x15.
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
Here is what Keycloak logs when it connects to LDAP:
22:12:06,563 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry]
(default task-4) Creating new LDAP Store for the LDAP storage provider:
'ldap', LDAP Configuration: {pagination=[true], fullSyncPeriod=[604800],
usersDn=[<REMOVED>], connectionPooling=[true], cachePolicy=[DEFAULT],
useKerberosForPasswordAuthentication=[false], importEnabled=[true],
bindDn=[<REMOVED>], changedSyncPeriod=[86400],
usernameLDAPAttribute=[sAMAccountName], lastSync=[1493169877], vendor=[ad],
uuidLDAPAttribute=[objectGUID], connectionUrl=[<REMOVED>],
allowKerberosAuthentication=[false], syncRegistrations=[true],
authType=[simple], debug=[false], searchScope=[1],
useTruststoreSpi=[ldapsOnly], priority=[0], userObjectClasses=[person,
organizationalPerson, user], rdnLDAPAttribute=[cn], editMode=[WRITABLE],
batchSizeForSync=[1000]}, binaryAttributes: []
Not quite sure where to go with this. Is there a way to get Keycloak to log
the user creation attempt somewhere?
On Tue, Apr 25, 2017 at 4:15 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
On 25/04/17 16:07, Charles Hardin wrote:
I tried turning that off, but the problem seems to persist. I also changed
the minimum password age to 0 on the AD side and it still fails to change the
password.
The AD configuration is pretty much default outside of password
configuration.
The user gets created in AD with the must change password at next login
flagged, as well as account disabled.
I will keep poking on my end to see what I can find. Any guess when it
might be testable against 2016 on your side?
Not sure. Depends on the priorities and how much customers need that.
Marek
On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
> I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have
> same setup as you (Password Policy Hints enabled, Writable edit mode).
>
> After the registration, the user's password is successfully updated in MSAD
> and I can see that the MSAD attributes of the user are in the expected state
> (pwdLastSet is updated to the latest time, userAccountControl is 512,
> which corresponds to a fully created and enabled user).
>
> Not sure if the difference is with your MSAD setup or if this is related
> to MSAD 2016. We don't yet test with this version for now.
>
> The workaround might be to disable "Password Policy Hints". But then some
> advanced password policies won't work (password history etc).
>
> Marek
>
>
> On 21/04/17 15:42, Charles Hardin wrote:
>
> 2016
>
> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
>
>> I will try to reproduce that. What's your MSAD version btw?
>>
>> Thanks,
>> Marek
>>
>>
>> On 20/04/17 23:55, Charles Hardin wrote:
>>
>>> Hello All,
>>>
>>> I have set up an instance of Keycloak 3 and connected it to AD. It is
>>> set up to sync users and is in writable edit mode. I also have Password
>>> Policy Hints enabled in the MSAD Account Controls mapper. I have user
>>> registration turned on in Keycloak.
>>>
>>> When I register a user in Keycloak, it creates the user in a disabled
>>> state in AD, and prompts the user in Keycloak to change the password they
>>> just set during account creation to activate the account. This then fails
>>> because AD is currently configured to enforce a minimum password age of
>>> one day.
>>>
>>> I am ok with the account being created disabled, but how do I get around
>>> the immediate 2nd password request?
>>>
>>> Thanks,
>>>
>>> Chuck
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
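The thread compares two account states: the expected one (userAccountControl 512, pwdLastSet set to the current time) and the broken one the AD event shows (Account Disabled, Password Not Required, Normal Account, pwdLastSet forcing a change at next logon). The following Python is an added example, not code from the thread or from Keycloak, that decodes the LDAP userAccountControl attribute with the documented ADS_UF_* bit values and flags the conditions an administrator would check on a freshly provisioned user. The 0x15 in the Windows event uses the event's own encoding, so the example works from the flag names the event text prints; the sample entries, the value 546 (0x222) derived from those three flag names, and the pwdLastSet values are constructed for illustration.

```python
from datetime import datetime, timedelta

# Documented bit values of the LDAP userAccountControl attribute (ADS_UF_*).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
FLAG_BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def flags_to_uac(names):
    """Combine flag names back into the integer userAccountControl value."""
    value = 0
    for name in names:
        value |= FLAG_BY_NAME[name]
    return value


def filetime_to_datetime(filetime):
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)


def diagnose(entry):
    """Check an AD user entry (dict of attribute -> value) for the states
    discussed in the thread. Returns a list of findings, or ["ok"]."""
    findings = []
    flags = decode_uac(int(entry["userAccountControl"]))
    if "ACCOUNTDISABLE" in flags:
        findings.append("account is disabled (ACCOUNTDISABLE set)")
    if "PASSWD_NOTREQD" in flags:
        findings.append("password not required (PASSWD_NOTREQD set); "
                        "the account was created without a password")
    if "NORMAL_ACCOUNT" not in flags:
        findings.append("NORMAL_ACCOUNT flag is missing")
    # pwdLastSet == 0 is AD's "user must change password at next logon".
    if int(entry["pwdLastSet"]) == 0:
        findings.append("pwdLastSet is 0: password change forced at next logon")
    return findings or ["ok"]


# Constructed sample entries (not real directory data).
HEALTHY_USER = {
    "sAMAccountName": "alice",
    "userAccountControl": "512",              # NORMAL_ACCOUNT only
    "pwdLastSet": "131380387500000000",       # some FILETIME in 2017
}
# The state the AD event in the thread describes: disabled, password not
# required, normal account; 0x222 = 546 is derived from those three names.
BROKEN_USER = {
    "sAMAccountName": "bob",
    "userAccountControl": str(flags_to_uac(
        ["ACCOUNTDISABLE", "PASSWD_NOTREQD", "NORMAL_ACCOUNT"])),
    "pwdLastSet": "0",
}

if __name__ == "__main__":
    for user in (HEALTHY_USER, BROKEN_USER):
        uac = int(user["userAccountControl"])
        print(user["sAMAccountName"], hex(uac), decode_uac(uac))
        for finding in diagnose(user):
            print("  -", finding)
```

Run against an export of the users an identity provider creates, the two findings that matter here are ACCOUNTDISABLE together with PASSWD_NOTREQD (the account never received a password over LDAP) and pwdLastSet of 0 (the directory will demand a new password on first logon, which a minimum-password-age policy then rejects).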