I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have
the same setup as you (Password Policy Hints enabled, Writable edit mode).
After registration, the user's password is successfully updated in MSAD
and I can see that the MSAD attributes of the user are in the expected state
(pwdLastSet is updated to the latest time, userAccountControl is 512,
which corresponds to a fully created and enabled user).
Not sure if the difference is with your MSAD setup or if this is related
to MSAD 2016. We don't test with this version yet.
The workaround might be to disable "Password Policy Hints". But then
some advanced password policies won't work (password history etc).
Marek
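The two AD attributes checked above (userAccountControl and pwdLastSet) come back from ldapsearch as raw integers, so here is a small decoder for them as an added example; it is not Keycloak code and not from anyone on this thread. The sample LDIF entries are constructed, not captured from a live directory, and the flag values are the ones Microsoft documents for userAccountControl (512 = NORMAL_ACCOUNT, bit 2 = ACCOUNTDISABLE). A pwdLastSet of 0 is AD's "user must change password at next logon" marker, which is the state that triggers an immediate password-change prompt.

```python
"""Decode the AD attributes that decide whether an account is enabled and
whether AD will demand a password change at next logon.

Added example; not Keycloak code. Sample entries below are constructed.
"""
from datetime import datetime, timezone

# Subset of the documented userAccountControl bit flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch.
EPOCH_DIFF_SECONDS = 11644473600


def decode_uac(value):
    """Names of the flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(value):
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
    0 means 'must change password at next logon'; return None for it."""
    if value == 0:
        return None
    seconds = value // 10_000_000 - EPOCH_DIFF_SECONDS
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def parse_ldif(text):
    """Minimal 'attr: value' parser for single-valued ldapsearch output."""
    entry = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            attr, value = line.split(":", 1)
            entry[attr.strip()] = value.strip()
    return entry


def account_state(entry):
    """Summarise the login-relevant state of one AD entry."""
    flags = decode_uac(int(entry.get("userAccountControl", "0")))
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    return {
        "flags": flags,
        "enabled": "ACCOUNTDISABLE" not in flags,
        "must_change_password": pwd_last_set == 0,
        "pwd_last_set": filetime_to_datetime(pwd_last_set),
    }


# Constructed sample: the state described as expected after registration
# (enabled normal account, pwdLastSet = 2017-04-21T00:00:00Z).
SAMPLE_EXPECTED = """dn: CN=chuck,CN=Users,DC=example,DC=test
userAccountControl: 512
pwdLastSet: 131372064000000000
"""

# Constructed sample: disabled account with the must-change marker set.
SAMPLE_DISABLED = """dn: CN=chuck,CN=Users,DC=example,DC=test
userAccountControl: 514
pwdLastSet: 0
"""

if __name__ == "__main__":
    for sample in (SAMPLE_EXPECTED, SAMPLE_DISABLED):
        print(account_state(parse_ldif(sample)))
```

Run it against the output of `ldapsearch ... userAccountControl pwdLastSet` for the freshly registered user; an entry reporting `ACCOUNTDISABLE` or `must_change_password: True` is the directory-side reason for the second password prompt, independent of anything Keycloak shows.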
On 21/04/17 15:42, Charles Hardin wrote:
2016
On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda <mposolda@redhat.com> wrote:
I will try to reproduce that. What's your MSAD version btw?
Thanks,
Marek
On 20/04/17 23:55, Charles Hardin wrote:
Hello All,
I have setup an instance of Keycloak 3 and connected it to AD. It is setup
to sync users and is writeable edit mode. I also have Password Policy Hints
enabled in the MSAD Account Controls mapper. I have user registration
turned on in Keycloak.
When I register a user in keycloak, it creates the user in a disabled state
in AD, and prompts the user in keycloak to change the password they just
set during account creation to activate the account. This then fails
because AD is currently configured to enforce a minimum password age of one
day.
I am ok with the account being created disabled, but how do I get around
the immediate 2nd password request?
Thanks,
Chuck
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user