LDAP Bind error on Helpdesk Password Reset
When using Specops Password Reset with Delegated Helpdesk enabled, helpdesk users may encounter the following error when attempting to reset a user’s password in Microsoft Edge or Google Chrome browsers:
Password reset failed: OperationsError (000004DC: LdapErr: DSID-0C090F6A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563).
Admins will also see Specops Password Reset Event ID 338 in the Windows Application event log on the Password Reset server:
System.Exception: Password reset failed: OperationsError (000004DC: LdapErr: DSID-0C090F6A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563).
at Specopssoft.SpecopsPasswordReset.AdministrationServices.LdapPasswordResetter.ThrowFromLdapError(DirectoryResponse response, String targetUser)
at Specopssoft.SpecopsPasswordReset.AdministrationServices.LdapPasswordResetter.ResetPasswordImpl(String newPassword, String dc, String userDn, Boolean preserveHistory)
at Specopssoft.SpecopsPasswordReset.AdministrationServices.LdapPasswordResetter.ResetPassword(String dcName, UserNameForPasswordUpdate userName, String newPassword)
at Specopssoft.SpecopsPasswordReset.AdministrationServices.ResetPasswordService.ResetPasswordByAdmin(ServerCallingContext callingContext, SprUser user, String newPassword, Boolean forcePasswordResetOnNextLogon)
at Specopssoft.SpecopsPasswordReset.Server.SpecopsPasswordResetServiceHost.ResetPassword(ClientCallingContext clientCallingContext, String newPassword, Boolean forcePasswordResetOnNextLogon, Boolean forceReenroll)
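This error is caused by a security restriction in the Chromium browser engine, which does not delegate the user's credentials to a web server unless that server is explicitly allowed. To resolve the error, add your Password Reset web server to the explicit allow list in the relevant browser via Group Policy or a registry change.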
Microsoft Edge (Chromium)
Download and install the ADMX templates from Microsoft. Look for the ‘Get Policy Files’ link on the Edge download page here: https://www.microsoft.com/en-us/edge/business/download. The CAB file provided by Microsoft contains a ZIP file; the ADMX templates are in its \windows\ADMX folder.
Apply the following setting to computers where the Password Reset Helpdesk page is used:
Computer Configuration/Policies/Administrative Templates/Microsoft Edge/HTTP authentication/Specifies a list of servers that Microsoft Edge can delegate user credentials to
Set this to “Enabled” and add the hostname used by your users to access the Password Reset web server to the list, e.g. passwordreset.specopsdemo1.com.
Alternatively, configure this setting directly in the registry on the affected machines:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"AuthNegotiateDelegateAllowlist"="passwordreset.specopsdemo1.com"
Once the policy is applied, restart the browser for the change to take effect. Password Reset Helpdesk should now work as expected.
Google Chrome
Download and install the ADMX templates from Google per their instructions here: https://support.google.com/chrome/a/answer/187202?hl=en#zippy=%2Cwindows
Apply the following setting to computers where the Password Reset Helpdesk page is used:
Computer Configuration/Policies/Administrative Templates/Google/Google Chrome/HTTP authentication/Kerberos delegation server allowlist
Set this to “Enabled” and add the hostname used by your users to access the Password Reset web server to the list, e.g. passwordreset.specopsdemo1.com.
Alternatively, configure this setting directly in the registry on the affected machines:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"AuthNegotiateDelegateAllowlist"="passwordreset.specopsdemo1.com"
Once the policy is applied, restart the browser for the change to take effect. Password Reset Helpdesk should now work as expected.
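The registry settings from the Microsoft Edge and Google Chrome sections above can be checked, and optionally set, on a helpdesk workstation with a script like the following. This is an added example, not part of the original article or Specops tooling; the -Server default is the article's sample hostname, and the -Fix switch is a name chosen for this example.

```powershell
# Added example, not vendor code. $Server defaults to the article's sample hostname;
# replace it with the name helpdesk users actually type into the browser.
param(
    [string]$Server = 'passwordreset.specopsdemo1.com',
    [switch]$Fix   # without -Fix the script only reports
)

$valueName  = 'AuthNegotiateDelegateAllowlist'
$policyKeys = [ordered]@{
    'Microsoft Edge' = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Google Chrome'  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
}

foreach ($browser in $policyKeys.Keys) {
    $key = $policyKeys[$browser]
    $raw = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # The policy value is one string holding a comma-separated server list.
    $entries = @("$raw" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $present = $entries -contains $Server   # exact, case-insensitive match only

    if (-not $present -and $Fix) {
        # Append rather than overwrite so servers already allowed keep working.
        # A value delivered by Group Policy is rewritten at the next policy refresh,
        # so on managed machines make the change in the GPO instead.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $entries += $Server
        New-ItemProperty -Path $key -Name $valueName -PropertyType String `
            -Value ($entries -join ',') -Force | Out-Null
        $present = $true
    }

    [pscustomobject]@{
        Browser         = $browser
        ServerAllowed   = $present
        Allowlist       = $entries -join ','
        # Wildcard entries delegate credentials to every matching host; review them.
        WildcardEntries = @($entries | Where-Object { $_.Contains('*') }) -join ','
    }
}
```

Writing under HKEY_LOCAL_MACHINE requires an elevated PowerShell session; run the script without -Fix first to see what is already configured.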