[keycloak-user] Issues with Keycloak and AD

Marek Posolda mposolda at redhat.com
Tue Apr 25 03:33:59 EDT 2017


I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have 
the same setup as you (Password Policy Hints enabled, Writable edit mode).

After the registration, the user's password is successfully updated in MSAD 
and I can see that the MSAD attributes of the user are in the expected state 
(pwdLastSet is updated to the latest time, userAccountControl is 512, 
which corresponds to a fully created and enabled user).

Not sure if the difference is with your MSAD setup or if this is related 
to MSAD 2016. We don't test with this version yet.

The workaround might be to disable "Password Policy Hints". But then 
some advanced password policies won't work (password history etc).

Marek

On 21/04/17 15:42, Charles Hardin wrote:
> 2016
>
> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     I will try to reproduce that. What's your MSAD version btw?
>
>     Thanks,
>     Marek
>
>
>     On 20/04/17 23:55, Charles Hardin wrote:
>
>         Hello All,
>
>         I have set up an instance of Keycloak 3 and connected it to AD. It is
>         set up to sync users and is in writable edit mode. I also have Password
>         Policy Hints enabled in the MSAD Account Controls mapper. I have user
>         registration turned on in Keycloak.
>
>         When I register a user in Keycloak, it creates the user in a disabled
>         state in AD, and prompts the user in Keycloak to change the password
>         they just set during account creation to activate the account. This
>         then fails because AD is currently configured to enforce a minimum
>         password age of one day.
>
>         I am ok with the account being created disabled, but how do I get
>         around the immediate 2nd password request?
>
>         Thanks,
>
>         Chuck
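Added example, not code from the thread or from Keycloak: a small decoder for the two AD attributes Marek inspects (userAccountControl and pwdLastSet), so an admin can tell a fully created user (UAC 512, pwdLastSet populated) from the disabled, must-change-password state Chuck describes. The sample entries are constructed; the flag bit values and FILETIME encoding are standard AD definitions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl flag bits (ADS_USER_FLAG values); 512 = NORMAL_ACCOUNT only
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
             0x800000: "PASSWORD_EXPIRED"}
UAC_ACCOUNTDISABLE, UAC_NORMAL_ACCOUNT = 0x0002, 0x0200

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# A stored value of 0 means "user must change password at next logon".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert a pwdLastSet FILETIME to a UTC datetime; 0 means not set."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, used below only to build the sample entry."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_uac(uac: int) -> list:
    """Names of the flag bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]


def account_state(attrs: dict) -> dict:
    """Summarise the two attributes the reply checks after registration."""
    uac = int(attrs["userAccountControl"])
    pwd_last_set = int(attrs["pwdLastSet"])
    return {
        "flags": decode_uac(uac),
        "enabled": not (uac & UAC_ACCOUNTDISABLE),
        "must_change_password": pwd_last_set == 0,
        "pwd_last_set": filetime_to_datetime(pwd_last_set),
        # the "expected state" from the reply: UAC exactly 512, password set
        "fully_created": uac == UAC_NORMAL_ACCOUNT and pwd_last_set > 0,
    }


# Constructed sample entries (not real directory data): the state Marek
# reports, and the disabled/must-change state Chuck describes.
WHEN = datetime(2017, 4, 25, 7, 33, 59, tzinfo=timezone.utc)
HEALTHY = {"userAccountControl": "512", "pwdLastSet": str(datetime_to_filetime(WHEN))}
STUCK = {"userAccountControl": "514", "pwdLastSet": "0"}
```

Feed it the attribute values returned by an LDAP search for the registered user; `fully_created` is False whenever the account is still disabled or pwdLastSet is 0.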
