On 25/04/17 16:07, Charles Hardin wrote:
I tried turning that off, but the problem seems to persist. I also
changed minimum password age to 0 on the AD side and it still fails to
change the password.
The AD configuration is pretty much default outside of password
configuration.
The user gets created in AD with the must change password at next
login flagged, as well as account disabled.
I will keep poking on my end to see what I can find. Any guess when it
might be testable against 2016 on your side?
Not sure. Depends on the priorities
and how much customers need that.
Marek
On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda <mposolda@redhat.com> wrote:
I was not able to simulate the issue with MSAD 2008 or MSAD 2012.
I have same setup as you (Password Policy Hints enabled, Writable
edit mode).
After the registration, the user's password is successfully updated in
MSAD and I can see that the MSAD attributes of the user are in the expected
state (pwdLastSet is updated to the latest time, userAccountControls
are in 512, which corresponds to a fully created and enabled user).
Not sure if the difference is with your MSAD setup or if this is
related to MSAD 2016. We don't test with this version yet.
The workaround might be to disable "Password Policy Hints". But
then some advanced password policies won't work (password history
etc).
Marek
On 21/04/17 15:42, Charles Hardin wrote:
> 2016
>
> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda <mposolda@redhat.com> wrote:
>
> I will try to reproduce that. What's your MSAD version btw?
>
> Thanks,
> Marek
>
>
> On 20/04/17 23:55, Charles Hardin wrote:
>
> Hello All,
>
> I have set up an instance of Keycloak 3 and connected it
> to AD. It is set up
> to sync users and is in writable edit mode. I also have
> Password Policy Hints
> enabled in the MSAD Account Controls mapper. I have user
> registration
> turned on in Keycloak.
>
> When I register a user in keycloak, it creates the user
> in a disabled state
> in AD, and prompts the user in keycloak to change the
> password they just
> set during account creation to activate the account. This
> then fails
> because AD is currently configured to enforce a minimum
> password age of one
> day.
>
> I am ok with the account being created disabled, but how
> do I get around
> the immediate 2nd password request?
>
> Thanks,
>
> Chuck
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
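The thread turns on three AD attributes: userAccountControl (a bit mask; 512 is a normal enabled account, 514 adds the "disabled" bit), pwdLastSet (a Windows FILETIME, 0 meaning "must change password at next logon") and the domain's minPwdAge (stored as a negative count of 100 ns intervals). The script below is an added example, not code from the thread, from Keycloak, or from Red Hat: it decodes those values the way you would after an ldapsearch of the freshly registered user, so you can tell whether the account Keycloak created matches the state Marek describes and whether the minimum password age still blocks a second change. The sample values (registration time, one-day minPwdAge, both account states) are constructed, not captured from a directory.

```python
"""Decode MSAD account state after a Keycloak registration (added example).

Not code from the mailing-list thread or from Keycloak. Interprets
userAccountControl, pwdLastSet and minPwdAge from constructed sample values.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Documented userAccountControl flag values (subset).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# FILETIME: 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# minPwdAge of one day, as AD stores it (negative 100 ns intervals). Constructed.
ONE_DAY_MIN_PWD_AGE = -864_000_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a pwdLastSet-style large integer to an aware UTC datetime."""
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    delta = when - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def min_pwd_age_to_timedelta(min_pwd_age: int) -> timedelta:
    """AD durations are negative 100 ns intervals; 0 means no minimum age."""
    return timedelta(seconds=-min_pwd_age // TICKS_PER_SECOND)


def diagnose(uac: int, pwd_last_set: int, min_pwd_age: int, now: datetime) -> dict:
    """Break the raw attribute values down into the facts that matter here."""
    state = {
        "normal_account": bool(uac & NORMAL_ACCOUNT),
        "disabled": bool(uac & ACCOUNTDISABLE),
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
        "must_change_at_next_logon": pwd_last_set == 0,
        # None when pwdLastSet is 0: there is no last-set time to age from.
        "min_age_remaining": None,
    }
    if pwd_last_set != 0:
        elapsed = now - filetime_to_datetime(pwd_last_set)
        remaining = min_pwd_age_to_timedelta(min_pwd_age) - elapsed
        state["min_age_remaining"] = max(remaining, timedelta(0))
    return state


def matches_expected_state(state: dict) -> bool:
    """The state Marek reports after a good registration: enabled normal
    account (userAccountControl 512) with a real pwdLastSet."""
    return (state["normal_account"] and not state["disabled"]
            and not state["must_change_at_next_logon"])


def explain(state: dict) -> list[str]:
    """Human-readable reasons a follow-up password change or logon may fail."""
    findings = []
    if state["disabled"]:
        findings.append("ACCOUNTDISABLE is set: AD rejects logons until the account is enabled")
    if state["must_change_at_next_logon"]:
        findings.append("pwdLastSet is 0: AD forces a password change at next logon")
    if state["min_age_remaining"]:
        findings.append(f"minimum password age not elapsed: {state['min_age_remaining']} "
                        "remaining before the user may change the password again")
    return findings


def sample_cases() -> tuple[dict, dict]:
    """Two constructed snapshots taken two hours after registration."""
    registered_at = datetime(2017, 4, 25, 8, 0, tzinfo=timezone.utc)  # constructed
    now = registered_at + timedelta(hours=2)
    # The state Marek saw: uac 512, pwdLastSet updated at registration time.
    working = diagnose(NORMAL_ACCOUNT, datetime_to_filetime(registered_at),
                       ONE_DAY_MIN_PWD_AGE, now)
    # The state Chuck describes: created disabled, must change at next logon.
    failing = diagnose(NORMAL_ACCOUNT | ACCOUNTDISABLE, 0, ONE_DAY_MIN_PWD_AGE, now)
    return working, failing


if __name__ == "__main__":
    for label, st in zip(("working", "failing"), sample_cases()):
        print(label, "matches expected state:", matches_expected_state(st))
        for line in explain(st):
            print("   -", line)
```

Note that even the "working" snapshot reports 22 hours of minimum age remaining: with a one-day minPwdAge, any second self-service change within the first day is refused by AD regardless of how the account was created, which is why a 0 minimum password age (or a flow that does not force an immediate second change) is what the registration flow needs.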