[keycloak-user] Issues with Keycloak and AD

Charles Hardin chardin at shadowforge-computing.com
Tue Apr 25 10:24:26 EDT 2017


The only other thing I can think of would be to downgrade my domain/forest
functional levels to 2012 and try it again.

On Tue, Apr 25, 2017 at 10:07 AM, Charles Hardin <
chardin at shadowforge-computing.com> wrote:

> I tried turning that off, but the problem seems to persist. I also changed
> minimum password age to 0 on the AD side and it still fails to change the
> password.
>
> The AD configuration is pretty much default outside of password
> configuration.
>
> The user gets created in AD with the must change password at next login
> flagged, as well as account disabled.
>
> I will keep poking on my end to see what I can find. Any guess when it
> might be testable against 2016 on your side?
>
>
> On Tue, Apr 25, 2017 at 3:33 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> I was not able to simulate the issue with MSAD 2008 or MSAD 2012. I have
>> same setup as you (Password Policy Hints enabled, Writable edit mode).
>>
>> After the registration, the user's password is successfully updated in MSAD
>> and I can see that the MSAD attributes of the user are in the expected state
>> (pwdLastSet is updated to the latest time, userAccountControl is 512,
>> which corresponds to a fully created and enabled user).
>>
>> Not sure if the difference is with your MSAD setup or if this is related
>> to MSAD 2016. We don't yet test with this version for now.
>>
>> The workaround might be to disable "Password Policy Hints". But then some
>> advanced password policies won't work (password history etc).
>>
>> Marek
>>
>>
>> On 21/04/17 15:42, Charles Hardin wrote:
>>
>> 2016
>>
>> On Fri, Apr 21, 2017 at 7:57 AM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> I will try to reproduce that. What's your MSAD version btw?
>>>
>>> Thanks,
>>> Marek
>>>
>>>
>>> On 20/04/17 23:55, Charles Hardin wrote:
>>>
>>>> Hello All,
>>>>
>>>> I have set up an instance of Keycloak 3 and connected it to AD. It is
>>>> set up to sync users and is in writeable edit mode. I also have Password
>>>> Policy Hints enabled in the MSAD Account Controls mapper. I have user
>>>> registration turned on in Keycloak.
>>>>
>>>> When I register a user in Keycloak, it creates the user in a disabled
>>>> state in AD, and prompts the user in Keycloak to change the password they
>>>> just set during account creation to activate the account. This then fails
>>>> because AD is currently configured to enforce a minimum password age of
>>>> one day.
>>>>
>>>> I am ok with the account being created disabled, but how do I get around
>>>> the immediate 2nd password request?
>>>>
>>>> Thanks,
>>>>
>>>> Chuck
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>>
>>
>>
>
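The thread turns on three AD attributes: userAccountControl (512 = enabled normal account, bit 0x2 = disabled), pwdLastSet (0 = "must change password at next logon") and the domain's minimum password age. The following decoder is an added example, not code from this thread or from Keycloak; it reads those attribute values as an LDAP client would see them and computes the earliest time the minimum-age window permits a change, measured from pwdLastSet. All sample values (the FILETIME, the 514/0 pair, the one-day minPwdAge) are constructed.

```python
"""Added example (not from this thread and not Keycloak's own code).

Decodes the Active Directory attributes the thread discusses:
userAccountControl (enabled/disabled flags), pwdLastSet (0 = must change
password at next logon) and the domain's minPwdAge (the minimum password
age that blocks an immediate second password change).  All sample values
are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Selected userAccountControl bits (Microsoft's documented flag values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# pwdLastSet and minPwdAge use Windows FILETIME units:
# 100 ns ticks, timestamps counted from 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert pwdLastSet; 0 means 'user must change password at next logon'."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (what a client writes to pwdLastSet)."""
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def min_pwd_age(min_pwd_age_attr: int) -> timedelta:
    """minPwdAge is stored on the domain object as a negative tick count."""
    return timedelta(seconds=-min_pwd_age_attr / TICKS_PER_SECOND)


def explain_account(uac: int, pwd_last_set: int, min_pwd_age_attr: int) -> dict:
    """Summarise the state an LDAP client would see for one user entry."""
    last_set = filetime_to_datetime(pwd_last_set)
    earliest = None
    if last_set is not None:
        # The minimum-age window is measured from pwdLastSet; with
        # pwdLastSet = 0 there is no timestamp to measure it from.
        earliest = last_set + min_pwd_age(min_pwd_age_attr)
    return {
        "flags": decode_uac(uac),
        "enabled": not (uac & 0x0002),
        "must_change_password": pwd_last_set == 0,
        "password_last_set": last_set,
        "earliest_policy_change": earliest,
    }


if __name__ == "__main__":
    one_day = -864_000_000_000  # constructed minPwdAge: 1 day in ticks
    # Constructed: the state Marek reports (512, pwdLastSet freshly set).
    fresh = datetime_to_filetime(datetime(2017, 4, 25, 14, 7, tzinfo=timezone.utc))
    print(explain_account(512, fresh, one_day))
    # Constructed: the state Chuck reports (disabled, must change at next logon).
    print(explain_account(514, 0, one_day))
```

Running it prints the two states side by side: 512 with a fresh pwdLastSet decodes to an enabled account whose next policy-permitted change is one day later, while 514 with pwdLastSet 0 decodes to a disabled account flagged for a forced change. Pointing an LDAP search at the real entry (for example `ldapsearch ... userAccountControl pwdLastSet`) and feeding the values into explain_account is a quick way to confirm which of the two states the registration actually produced.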

