With remote work dominating during the global COVID crisis, a key issue that IT organizations have been facing is how to update Active Directory passwords. Generally, after 90 days, the password within AD needs to be updated, and if this isn’t done, the end user can be completely detached from the domain. Most IT admins haven’t had to deal with this issue very often because most users are in the office and connected to the domain, so handling it has historically been simple. Now, with remote work, this problem can present quite a challenge to the end user.
Generally, Microsoft® Active Directory® (AD) passwords are updated over a VPN. It seems like these two pieces of core infrastructure (AD and a VPN) should work together seamlessly, but usually they don’t integrate as you’d expect. We’ll address two common challenges below: syncing a user’s local OS password with their AD domain password remotely (which often requires a VPN), and syncing VPN authentication/access with AD to minimize the number of sets of credentials a user must manage.
Problem 1: Remote User Password Resets with AD via VPN
Your organization’s security rules may require users to change their AD passwords every 90 days. And every 90 days, that on-prem rotation leaves your remote employees in the dust – which today constitutes just about everybody. They’re glad they rarely have to come into the office, but then they’re frustrated when they find that their domain password has expired. Many times in this scenario, an end user could be locked out of their machine. If their AD password is the same as their VPN password, they can’t log in to the domain at all and are completely locked out. Now you’re on the phone with one of them, and you have to talk through the fix. This is an especially acute problem with macOS endpoints.
Assuming that the user can still log in to their machine, they will need to:
- Connect to their organization’s infrastructure via a VPN. This connection provides access to the on-prem directory, Active Directory.
- Next, they should log off of the machine. (As long as the VPN client is running as a service, logging off shouldn’t interrupt the session.)
- Now the user can log back onto the device by updating their credentials.
This solution can be confusing because the user needs their old credentials to gain initial access to AD so that AD can then sync the new credentials to the device. It’s not a particularly efficient process, but it works. For Macs, though, this process is far from seamless. And, as stated above, if the user’s VPN password has expired as well, the user will likely need your intervention to get back up and running.
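One way to get ahead of these lockouts is to flag accounts approaching the 90-day limit while the user can still connect. The following is an added example, not part of the original article: it classifies constructed directory records by their pwdLastSet and userAccountControl attributes, and the 14-day warning window, function names, and sample users are assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet counts 100-ns ticks from here
UAC_ACCOUNTDISABLE = 0x0002            # userAccountControl flag bits
UAC_DONT_EXPIRE_PASSWORD = 0x10000
MAX_PASSWORD_AGE = timedelta(days=90)  # the 90-day rotation described above
WARN_WINDOW = timedelta(days=14)       # assumed notice period, not from the article

def to_filetime(dt):
    """Convert an aware datetime to a Windows FILETIME integer."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ticks):
    """Convert a Windows FILETIME integer to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_status(user, now):
    """Classify one account; returns (status, expiry datetime or None)."""
    uac = user["userAccountControl"]
    if uac & UAC_ACCOUNTDISABLE:
        return "disabled", None
    if uac & UAC_DONT_EXPIRE_PASSWORD:
        return "never-expires", None
    if user["pwdLastSet"] == 0:        # 0 means "must change at next logon"
        return "must-change", None
    expires = from_filetime(user["pwdLastSet"]) + MAX_PASSWORD_AGE
    if expires <= now:
        return "expired", expires
    if expires - now <= WARN_WINDOW:
        return "expiring-soon", expires
    return "ok", expires

def users_to_notify(users, now):
    """Return (sAMAccountName, status, days_left) for accounts needing action."""
    rows = []
    for u in users:
        status, expires = password_status(u, now)
        if status in ("must-change", "expired", "expiring-soon"):
            days = (expires - now).days if expires else None
            rows.append((u["sAMAccountName"], status, days))
    # Accounts with no expiry date (must-change) first, then soonest expiry.
    return sorted(rows, key=lambda r: (r[2] is not None, r[2] or 0))

# Constructed sample records (not real accounts); 512 = normal enabled user.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "pwdLastSet": to_filetime(NOW - timedelta(days=80))},
    {"sAMAccountName": "bob", "userAccountControl": 512, "pwdLastSet": to_filetime(NOW - timedelta(days=95))},
    {"sAMAccountName": "carol", "userAccountControl": 512, "pwdLastSet": to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "dave", "userAccountControl": 512, "pwdLastSet": 0},
    {"sAMAccountName": "svc-backup", "userAccountControl": 66048, "pwdLastSet": to_filetime(NOW - timedelta(days=400))},
]
```

In a live domain, fine-grained password policies can give users different maximum ages; AD’s computed msDS-UserPasswordExpiryTimeComputed attribute reflects the effective expiry per user.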
Problem 2: Sync VPN Access with AD Credentials
When security measures start to hamstring a user’s workflow, that user is more likely to bypass them and compromise your network for the sake of efficiency. We see this constantly with login credentials: people get overwhelmed by the number of passwords to their basic IT resources and start to duplicate passwords or store them insecurely. Research on the human factor in identity security indicates that even users who are informed about the risks will sometimes sacrifice security in the name of convenience, especially when they feel the consequences of a breach wouldn’t impact them personally.
(To learn more about how well-meaning employees on the inside of organizations have gradually become one of the weakest links in IT security, check out our article on Why It’s Time to Take Identity Security Seriously. We also have tips for training employees to be more vigilant in Security Training 101.)
With this human bias toward convenience in mind, it’s no wonder that you and your IT team are working diligently to reduce the number of passwords needed, while increasing their security and strength. VPN access is among the most annoying of these sticking points, so naturally you want to sync AD credentials with your VPN access. In this scenario, a user’s AD credentials would also grant them VPN access, and the two authentication systems would always stay synced, even after password changes and updates. Unfortunately, a DIY solution that fully achieves this ends up being easier said than done.
An Elegant Solution to Sync AD with VPN
Given the above roadblocks to syncing AD with a VPN, you might be wondering what a more streamlined solution would look like. Instead of building patches that would solve each specific problem individually, what if you could zoom out and fundamentally modernize the way Active Directory passwords sync with your VPN, solving both of these problems at once? A cloud-based directory service could integrate with Active Directory to offer different sets of solutions based on your needs.
Learn more about how JumpCloud AD Integration works to maximize your network’s security and efficiency. Or, if you’d rather see how this all looks from the driver’s seat, you can sign up for a JumpCloud Free account and integrate your AD credentials with your non-domain-bound IT infrastructure.