By Mike Ranellone Posted October 18, 2019
In the never-ending quest to optimize your team’s workflow while shoring up security, you’ve probably had to stop and think about how to sync Microsoft® Active Directory® (AD) with a VPN. It seems like these two pieces of core infrastructure should work together seamlessly, but usually they don’t integrate as you’d expect. We’ll address two common challenges below: syncing a user’s local OS password with their AD domain password remotely (which often requires a VPN), and syncing VPN authentication/access with AD to minimize the number of sets of credentials a user must manage.
Problem 1: Remote User Password Resets with AD via VPN
Your organization’s security rules may require users to change their AD passwords every 90 days. And every 90 days, that on-prem rotation leaves your remote employees in the dust. They’re glad they rarely have to come in to the office, but then they’re frustrated when they find that their domain password has expired. Many times in this scenario an end user could be locked out of their machine. Now you’re on the phone with one of them, and you have to talk through the fix. This is an especially acute problem with macOS endpoints.
Assuming that the user can still log in to their machine, they will need to connect to their organization’s infrastructure via a VPN. This connection provides access to the on-prem directory, AD. Next, they should log off the machine. (As long as the VPN client is running as a service, logging off shouldn’t interrupt the session.) Now the user can log back onto the device with their updated credentials. This solution can be confusing because the user needs their old credentials to gain initial access to AD so that AD can then sync the new credentials to the device. It’s not a particularly efficient process, but it works. For Macs, though, this process is far from seamless.
Problem 2: Sync VPN Access with AD Credentials
When security measures start to hamstring a user’s workflow, that user is more likely to bypass them and compromise your network for the sake of efficiency. We see this constantly with login credentials: people get overwhelmed by the number of passwords to their basic resources and start to duplicate passwords or store them insecurely. Research on the human factor in identity security indicates that even users who are informed about the risks will sometimes sacrifice security in the name of convenience, especially when they feel the consequences of a breach wouldn’t impact them personally.
(To learn more about how well-meaning employees on the inside of organizations have gradually become one of the weakest links in IT security, check out our article on Why It’s Time to Take Identity Security Seriously. We also have tips for training employees to be more vigilant in Security Training 101.)
With this human bias toward convenience in mind, it’s no wonder that you and your IT team are working diligently to reduce the number of passwords needed, while increasing their security/strength. VPN access is among the most annoying of these sticking points, so naturally you want to sync AD credentials with your VPN access. In this scenario, a user’s AD credentials would also grant them VPN access, and the two authentication systems would always stay synced, even after password changes and updates. Unfortunately, a DIY solution that fully achieves this ends up being easier said than done.
An Elegant Solution to Sync AD with VPN
Given the above roadblocks to syncing AD with a VPN, you might be wondering what a more streamlined solution would look like. Instead of building patches that would solve each specific problem individually, what if you could zoom out and fundamentally modernize the way AD syncs with your VPN, solving both of these problems at once? A cloud-based directory service could integrate with Active Directory to offer different sets of solutions based on your needs. Learn more about how JumpCloud AD Integration works to maximize your network’s security and efficiency. Or, if you’d rather see how this all looks from the driver’s seat, you can sign up for a free account and integrate your AD credentials with your non-domain-bound IT infrastructure.