VPN-less password reset
When resetting passwords, the encryption keys for the Windows Data Protection API (DPAPI) need to be updated in order for users to continue using saved application passwords. In scenarios where the Domain Controller cannot be reached, e.g. when working remotely, the Specops Secured Browser can perform such an update without the need for a VPN. The uReset setting Saved application passwords in Specops Authentication enables this update mechanism.
VPN-less password reset with cached credential update utilizes Microsoft's built-in Data Protection API. DPAPI is a Windows component enabling symmetric encryption of any kind of data. It is often used to encrypt sensitive information, such as login credentials. In those cases, DPAPI handles secrets without the user having to input a password at the time of encryption/decryption. Since sensitive application data stored in DPAPI (mail credentials, VPN etc.) is linked to the Windows login credentials, DPAPI allows for a seamless transition in the use of those applications whenever a password reset occurs.
Specops Authentication uses DPAPI in combination with the Gatekeeper to allow decryption whenever a password reset occurs when a user is not connected to the appropriate Domain Controller.
VPN-less password reset with cached credential update functionality
Since DPAPI is a Windows component, login credentials for applications such as mail, VPN and others are automatically updated whenever a Windows password reset takes place, if the user performing the reset is connected to the correct Domain Controller (DC). A simplified process description would be as follows:
- User (connected to the correct Domain Controller) resets password.
- DPAPI contacts the DC and updates with the new password information.
- Using this updated information, applications can decrypt data and can continue to be used.
However, whenever the user is not connected to the DC at password reset, the password information cannot be updated, and users cannot continue to use applications unless they manually update the password information for that application. This can result in loss of data, loss of connectivity or loss of service.
With VPN-less remote password reset, this loss of continuity is prevented by having the Gatekeeper act as an intermediary. The same password reset procedure then still results in updated password information, because the Gatekeeper connects DPAPI to the correct Domain Controller.
In this case, continuity is preserved without requiring any user intervention.
VPN-less password reset with cached credential update Requirements
Note
VPN-less remote password reset needs to be activated by Specops for your account.
Your organization’s environment must meet the following requirements:
Item | Requirement
---|---
Gatekeeper* | Build 8.23.21278.1 or later
Client computers |
Note
*All Gatekeepers associated with the domain need to be up to date in order for the functionality to work.
VPN-less remote password reset Settings
VPN-less remote password reset is not turned on by default. In order to use the VPN-less password reset with cached credential update functionality, you have to turn it on.
- In Authentication Web go to uReset in the left navigation.
- Click on the Settings tab.
- Check the box for Allow decrypting DPAPI masterkeys.
SecuredBrowser configuration
The SecuredBrowser can be configured to use a proxy if one is used within the organization. You can configure one of these (though not both):
- ProxyServerUrl (Proxy Server URL for Secured Browser)
- ProxyServerPacUrl (Proxy Server PAC URL for Secured Browser)
These proxy settings are administered through the ADMX template.
If a direct proxy server is used, configure Proxy Server URL for Secured Browser.
```xml
<string id="ProxyServerUrl">Proxy Server URL for Secured Browser</string>
<string id="ProxyServerUrlExplain">This setting enables the use of a proxy server for the Secured Browser. Example value: "http://proxyserver:proxyport"</string>
```
If Proxy Auto-Config (PAC) is used, configure the URL of the PAC server in Proxy Server PAC URL for Secured Browser.
```xml
<string id="ProxyServerPacUrl">Proxy Server PAC URL for Secured Browser</string>
<string id="ProxyServerPacUrlExplain">This setting enables the use of a proxy server with Proxy Auto-Configuration (PAC) for the Secured Browser. Example value: "http://proxyserver/proxy.pac"</string>
```
Note
Not configuring either setting means that the Windows proxy settings are used.
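The two constraints above (every Gatekeeper at build 8.23.21278.1 or later, and only one of ProxyServerUrl / ProxyServerPacUrl set) can be checked before rolling out the feature. The following PowerShell is an added example, not Specops' own tooling; it assumes the Gatekeeper build numbers and the two proxy values have already been collected (the registry location the ADMX policy writes to is not given on this page, so the values are passed in as parameters).

```powershell
# Added example (not Specops code). Minimum build is taken from the requirements table.
$RequiredGatekeeperBuild = [version]'8.23.21278.1'

function Test-GatekeeperBuilds {
    # One build string per Gatekeeper associated with the domain; a single
    # outdated Gatekeeper is enough to block the functionality.
    param([Parameter(Mandatory)][string[]]$Builds)
    $outdated = foreach ($b in $Builds) {
        if ([version]$b -lt $RequiredGatekeeperBuild) { $b }
    }
    [pscustomobject]@{
        Ready    = (-not $outdated)
        Outdated = @($outdated)
    }
}

function Test-SecuredBrowserProxy {
    # Mirrors the documented rule: configure ProxyServerUrl or ProxyServerPacUrl,
    # never both; with neither set, the Windows proxy settings apply.
    param([string]$ProxyServerUrl, [string]$ProxyServerPacUrl)
    $direct = -not [string]::IsNullOrWhiteSpace($ProxyServerUrl)
    $pac    = -not [string]::IsNullOrWhiteSpace($ProxyServerPacUrl)
    if ($direct -and $pac) {
        return 'Invalid: both ProxyServerUrl and ProxyServerPacUrl are set; keep only one'
    }
    $value = if ($direct) { $ProxyServerUrl } else { $ProxyServerPacUrl }
    if ($direct -or $pac) {
        # Reject values the browser could not use, e.g. a bare host name without a scheme.
        $parsed = $null
        if (-not [uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$parsed)) {
            return "Invalid: '$value' is not an absolute URL"
        }
        if ($direct) { return "Direct proxy in use: $($parsed.AbsoluteUri)" }
        return "PAC in use: $($parsed.AbsoluteUri)"
    }
    'Not configured: Windows proxy settings will be used'
}

# Constructed sample input for a stand-alone run.
Test-GatekeeperBuilds -Builds @('8.23.21278.1', '8.22.21100.3')   # Ready = False, one outdated
Test-SecuredBrowserProxy -ProxyServerUrl 'http://proxyserver:8080'
Test-SecuredBrowserProxy -ProxyServerUrl 'http://proxyserver:8080' -ProxyServerPacUrl 'http://proxyserver/proxy.pac'
```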