Windows 10, Azure AD Join and Password Changes

So we are deploying Workspace One, and our devices are joined to Azure AD.
We have found an issue when the user is prompted to change their password.

Issue
When the user is prompted to change their password, they are directed to https://account.activedirectory.windowsazure.com/ChangePassword.aspx

The user successfully changes their password, and then finds that they cannot connect to our on-premises Active Directory resources.

Cause
The Local Profile (Cached) Password on the workstation is not being updated with the user's new password, so the workstation keeps presenting the old password to the on-premises domain.

Fix / workaround

  1. User still changes their password via https://account.activedirectory.windowsazure.com/ChangePassword.aspx
  2. They then immediately LOCK their workstation (Windows + L)
  3. They unlock their workstation, with their NEW password.

Why this works
Locking and then unlocking with the new password forces the workstation to authenticate the user against Azure AD again, and a successful online sign-in is what refreshes the copy of the password stored in the local workstation user profile. The workstation therefore needs connectivity to Azure AD at the moment of the unlock; if it cannot reach Azure AD, the new password is checked against the stale cached copy and rejected, and nothing is refreshed.

References
The Old New Thing – Why does it take longer to reject an invalid password than to accept a valid one?
Microsoft – Cached credentials security in Windows Server 2003, in Windows XP, and in Windows 2000

Today’s password is ‘4rfvgy7uj’

Never heard about the concept of password “snakes” until I visited a customer 2 years ago.

Password snakes, simply put, are passwords which follow a path on the keyboard, as this picture illustrates.
[Image: a password "snake" traced as a path across the keyboard]

It’s an interesting idea, but not one I’d really encourage: a path across the keyboard is too easy to follow and remember, particularly for those types of people who like looking over your shoulder.
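A keyboard-path password is also easy for software to spot, which is the argument for rejecting it at password-set time. The following is an added example written for this post, not code from the original page: it models the stagger of a US QWERTY layout (an assumption; other layouts need their own rows and offsets) as key coordinates, treats two different keys as adjacent when they physically touch, and measures the longest run of adjacent keys in a password. The sample passwords at the bottom are constructed for illustration.

```python
import math

# US QWERTY layout (assumed). Unshifted and shifted characters share a key.
# The third field is the horizontal offset of each row, modelling the stagger
# of a physical keyboard so that diagonal neighbours (e.g. 4 -> r -> f -> v)
# come out as adjacent.
_ROWS = [
    ("1234567890-=", "!@#$%^&*()_+", 0.0),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|", 0.5),
    ("asdfghjkl;'", "ASDFGHJKL:\"", 1.0),
    ("zxcvbnm,./", "ZXCVBNM<>?", 1.5),
]


def _build_coords():
    """Map every printable key (both shift states) to an (x, y) position."""
    coords = {}
    for row, (plain, shifted, offset) in enumerate(_ROWS):
        for col, (p, s) in enumerate(zip(plain, shifted)):
            coords[p] = coords[s] = (col + offset, float(row))
    return coords


_COORDS = _build_coords()
# Left/right neighbours are 1.0 apart, staggered diagonals about 1.12;
# 1.2 accepts both while rejecting keys one position further away (1.5+).
_ADJACENT = 1.2


def keys_adjacent(a, b):
    """True if a and b are *different* keys that physically touch."""
    if a not in _COORDS or b not in _COORDS:
        return False  # space, unicode, etc. break a snake
    (x1, y1), (x2, y2) = _COORDS[a], _COORDS[b]
    d = math.hypot(x1 - x2, y1 - y2)
    return 0 < d <= _ADJACENT


def longest_walk(password):
    """Length of the longest substring whose consecutive keys are all adjacent."""
    if not password:
        return 0
    best = run = 1
    for a, b in zip(password, password[1:]):
        run = run + 1 if keys_adjacent(a, b) else 1
        best = max(best, run)
    return best


def is_keyboard_walk(password, min_run=4):
    """Flag a password that contains a snake of at least min_run keys."""
    return longest_walk(password) >= min_run


if __name__ == "__main__":
    # Constructed samples: the post's snake, a classic walk, two non-walks.
    for pw in ["4rfvgy7uj", "1qaz2wsx", "correcthorse", "Password1!"]:
        print(f"{pw:14} longest walk = {longest_walk(pw)}  "
              f"{'REJECT' if is_keyboard_walk(pw) else 'ok'}")
```

`min_run` is the policy knob: 4 catches the usual `1qaz`/`qwer` fragments, while the post's example scores 9 because every step is a touching key. Repeated characters deliberately do not count as a step, so `aaaa` is left to a separate repetition check.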
