My requirements are:
1. Active Directory federation (really only as a Kerberos Server... I have a Windoze
Only requirement imposed on me)
2. Keycloak self-registration for users
3. Application and user maintenance done in as much Out Of Box Keycloak as possible
4. Application Admins should never have access to AD management.
I've set as many AD password policies as I can easily find or google to be as
permissive as possible:
Policy                                       Setting
Enforce password history                     0 passwords remembered
Maximum password age                         0
Minimum password age                         0 days
Minimum password length                      1 characters
Password must meet complexity requirements   Disabled
Store passwords using reversible encryption  Not Defined
I've set KC password policies:
Minimum Length 8
Uppercase Characters 1
Lowercase Characters 1
Expire Password 30
Special Characters 1
Not Username
Not Recently Used 25
Digits 1
KC Authentication, Required Action:
Update Password disabled
So when a new user uses self-registration, in AD the user account is set to require
a password change.
Any advice on how to change that?
In Active Directory I remove the "Require password change" on the user account.
The KC user login fails with an "invalid User or Password" error.
If I try to change the new user's password in the KC Console:
Error! Could not modify attribute for DN [CN=xxx.yyyy,CN=Users,DC=xxx-sso,DC=com]
Any advice on what is going on?
After much googling, I stumbled on a post where it was suggested that what I needed was not to
set Active Directory policies, but rather to use an LDAPS URL in my AD federation instead
of just an LDAP URL.
A default fresh AD Domain controller was set up, then everything just seemed to work.
-----Original Message-----
From: Chris Smith
Sent: Thursday, July 11, 2019 12:56 PM
To: keycloak-user(a)lists.jboss.org
Subject: Keycloak self registration and Active Directory issues
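Added example, not code from this thread and not Keycloak's own LDAP provider: an offline Python model of the two things that went wrong above. Active Directory only accepts writes to the unicodePwd attribute over an encrypted connection (a modify over plain ldap:// is refused with LDAP result 53, unwillingToPerform, which is consistent with the "Could not modify attribute for DN" error in the post and with LDAPS fixing it), and a freshly created account whose pwdLastSet is 0 is flagged "user must change password at next logon", which a plain bind cannot satisfy. The block refuses to build a password change for a non-ldaps:// federation URL, encodes unicodePwd the way AD requires (the password in double quotes, UTF-16LE), clears the must-change flag by writing pwdLastSet=-1, and first checks the candidate against the Keycloak policy listed in the post (Expire Password needs timestamps and is left out). The modify dict mirrors the argument shape of ldap3's Connection.modify() but nothing is sent; the hostname and sample passwords are made up for the example.

```python
"""Offline model of AD password writes as Keycloak federation would issue them.
Assumptions (not from the thread): hostname ad.xxx-sso.com is hypothetical, the
modify dict only mirrors ldap3's shape, and no connection is ever opened."""
import re
from urllib.parse import urlparse

# Keycloak realm password policy as listed in the post.
KC_POLICY = {"length": 8, "upperCase": 1, "lowerCase": 1, "digits": 1,
             "specialChars": 1, "notUsername": True, "passwordHistory": 25}


def check_kc_policy(username, password, history=(), policy=KC_POLICY):
    """Return the names of the Keycloak policies the password violates (empty = OK)."""
    failures = []
    if len(password) < policy["length"]:
        failures.append("length")
    if len(re.findall(r"[A-Z]", password)) < policy["upperCase"]:
        failures.append("upperCase")
    if len(re.findall(r"[a-z]", password)) < policy["lowerCase"]:
        failures.append("lowerCase")
    if len(re.findall(r"[0-9]", password)) < policy["digits"]:
        failures.append("digits")
    if len(re.findall(r"[^A-Za-z0-9]", password)) < policy["specialChars"]:
        failures.append("specialChars")
    if policy["notUsername"] and password.lower() == username.lower():
        failures.append("notUsername")
    # "Not Recently Used 25": reject anything in the last 25 passwords
    if password in list(history)[-policy["passwordHistory"]:]:
        failures.append("passwordHistory")
    return failures


def unicode_pwd_value(password):
    """AD's unicodePwd attribute takes the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def must_change_at_next_logon(pwd_last_set):
    """pwdLastSet == 0 is how AD records 'user must change password at next logon'."""
    return int(pwd_last_set) == 0


def url_allows_password_write(connection_url):
    """AD refuses unicodePwd modifications over an unencrypted connection."""
    return urlparse(connection_url).scheme.lower() == "ldaps"


def build_ad_password_change(connection_url, dn, username, new_password, history=()):
    """Build the modify (ldap3-style dict) that sets the password and clears the
    must-change flag. Raises before any network I/O if the federation URL is
    plain ldap://, which is the case AD rejects with result 53."""
    if not url_allows_password_write(connection_url):
        raise ValueError(
            f"{connection_url}: AD only accepts unicodePwd writes over an encrypted "
            "connection; plain ldap:// gets LDAP result 53 (unwillingToPerform)")
    failures = check_kc_policy(username, new_password, history)
    if failures:
        raise ValueError("password violates Keycloak policy: " + ", ".join(failures))
    return {
        "dn": dn,
        "changes": {
            "unicodePwd": [("MODIFY_REPLACE", [unicode_pwd_value(new_password)])],
            # -1 makes AD stamp pwdLastSet with "now", clearing the must-change flag
            "pwdLastSet": [("MODIFY_REPLACE", ["-1"])],
        },
    }


if __name__ == "__main__":
    dn = "CN=xxx.yyyy,CN=Users,DC=xxx-sso,DC=com"  # DN from the post
    for url in ("ldap://ad.xxx-sso.com:389", "ldaps://ad.xxx-sso.com:636"):
        try:
            change = build_ad_password_change(url, dn, "xxx.yyyy", "Pa5s!word")
            print(url, "-> would send", sorted(change["changes"]))
        except ValueError as err:
            print(url, "-> refused:", err)
    print("new account pwdLastSet=0 must change:", must_change_at_next_logon(0))
```

Keycloak's own provider does the equivalent of the first check implicitly: with a plain ldap:// Connection URL the write reaches the domain controller and is refused there, so the error only shows up at password-change time, exactly as in the post.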