[keycloak-user] Issues with Keycloak and AD

Charles Hardin chardin at shadowforge-computing.com
Tue Apr 25 10:07:05 EDT 2017


I tried turning that off, but the problem seems to persist. I also changed
minimum password age to 0 on the AD side and it still fails to change the
password.

The AD configuration is pretty much default outside of password
configuration.

The user gets created in AD with the must change password at next login
flagged, as well as account disabled.

I will keep poking on my end to see what I can find. Any guess when it
might be testable against 2016 on your side?


On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda <mposolda at redhat.com> wrote:

> I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have
> same setup as you (Password Policy Hints enabled, Writable edit mode).
>
> After the registration, the user's password is successfully updated in MSAD and
> I can see that the MSAD attributes of the user are in the expected state (pwdLastSet is
> updated to the latest time, userAccountControl is 512, which corresponds
> to a fully created and enabled user).
>
> Not sure if the difference is with your MSAD setup or if this is related
> to MSAD 2016. We don't yet test with this version for now.
>
> The workaround might be to disable "Password Policy Hints". But then some
> advanced password policies won't work (password history etc).
>
> Marek
>
>
> On 21/04/17 15:42, Charles Hardin wrote:
>
> 2016
>
> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> I will try to reproduce that. What's your MSAD version btw?
>>
>> Thanks,
>> Marek
>>
>>
>> On 20/04/17 23:55, Charles Hardin wrote:
>>
>>> Hello All,
>>>
>>> I have set up an instance of Keycloak 3 and connected it to AD. It is
>>> set up to sync users and is in writable edit mode. I also have Password
>>> Policy Hints enabled in the MSAD Account Controls mapper. I have user
>>> registration turned on in Keycloak.
>>>
>>> When I register a user in Keycloak, it creates the user in a disabled
>>> state in AD, and prompts the user in Keycloak to change the password they
>>> just set during account creation to activate the account. This then fails
>>> because AD is currently configured to enforce a minimum password age of
>>> one day.
>>>
>>> I am ok with the account being created disabled, but how do I get around
>>> the immediate 2nd password request?
>>>
>>> Thanks,
>>>
>>> Chuck
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>
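As an added example (not from the thread, Keycloak or Red Hat), a small Python diagnostic that interprets the two AD attributes Marek mentions, userAccountControl and pwdLastSet, on a user entry and checks whether the domain's minPwdAge still covers the time the password was last set. The entries it runs on are constructed; the attribute encodings are Microsoft's documented ones (flag bits, 100 ns FILETIME intervals, minPwdAge stored as a negative interval).

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (values from Microsoft's attribute reference)
UAC_ACCOUNTDISABLE = 0x0002      # account is disabled
UAC_NORMAL_ACCOUNT = 0x0200      # 512: the value Marek reports for an enabled user

# AD large-integer timestamps count 100 ns intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONE_DAY_100NS = 864_000_000_000  # one day expressed in 100 ns units


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD timestamp such as pwdLastSet to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic avoids float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def diagnose(entry: dict, min_pwd_age: int, now: datetime) -> dict:
    """Interpret a user entry the way an admin would while debugging the
    registration flow from the thread. min_pwd_age is the domain's minPwdAge
    attribute: a negative 100 ns interval (one day is -864000000000)."""
    uac = int(entry["userAccountControl"])
    pwd_last_set = int(entry["pwdLastSet"])
    min_age = timedelta(microseconds=(-min_pwd_age) // 10)
    report = {
        "disabled": bool(uac & UAC_ACCOUNTDISABLE),
        "normal_account": bool(uac & UAC_NORMAL_ACCOUNT),
        # pwdLastSet of 0 is how AD represents "must change password at next logon"
        "must_change_password": pwd_last_set == 0,
        "min_age_blocks_change": False,
    }
    if pwd_last_set != 0:
        earliest_change = filetime_to_datetime(pwd_last_set) + min_age
        report["min_age_blocks_change"] = now < earliest_change
    return report


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Constructed entry: password set two hours ago, domain minimum age of one day
    entry = {"userAccountControl": "512",
             "pwdLastSet": str(datetime_to_filetime(now - timedelta(hours=2)))}
    print(diagnose(entry, -ONE_DAY_100NS, now))
```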

