Forget your password while working remotely? We can help!
With the rapid development in technology, work culture, and our current lockdown situation, people might not always be connected to their corporate network. They need to connect remotely from home, a client site, or other venues.
The following scenario might sound familiar to you. While you are working remotely, you get an email notification from IT asking to reset your password because it is about to expire. Being a good employee, you follow those instructions and reset your password with a complex combination of characters to make it strong enough. It takes 2-3 minutes, and you are good to go ahead with work. But sometimes it may happen that you forgot to take a note of the new password or remember the hint of the new password. The next day you try to log in on your laptop, but you didn’t remember the new password. What’s next?
One option is to contact your IT administrator so they can reset your password. But, even if you get the new password, you can’t use that to log in on your laptop because it resides on the Domain Controller of the Active Directory domain, which is under the boundaries of the organization network. So, the laptop must connect to the organization network.
To get your laptop in an organization network while working remotely is to connect to your VPN. You can connect to a VPN only when you can log in on your laptop. So, here we are, back at square one.
An enterprise solution is required to address the use case like ‘forgot password’ for remotely connected users to provide seamless connectivity in such a situation – all without compromising on security policies laid out by organizations. All this is possible by a single click with the new capability of ‘Off-Network Password Reset’ introduced in the Desktop Password Reset (DPR) version 19.0.0.
Before understanding how ‘Off-Network Password Reset’ works let’s first understand how DPR works without this capability. This tool allows you to reset your Active Directory password, in case you forgot your current password with a single click. DPR tool is installed on the user’s laptop, which gives you a ‘Forgot Password?’ prompt on your locked screen, as displayed below.
For more details, refer to the DPR guide.
When you click “Forgot Password,” it takes you to your organization’s IdentityNow password reset page. From there, the user follows simple steps to reset their password. The following sequence diagrams show a pictorial representation of the problem statement with corporate network connected DPR.
- The user initiates reset password flow from their laptop. It launches the DPR browser and goes to the IdentityNow password reset page.
- After successful validation with Multi-Factor Authentication (MFA), IdentityNow processes password reset requests for the user. This will update the user’s password on the Active Directory.
- When the user tries to log in using the new password, credentials will be authenticated against Active Directory Domain Controller. Note here, as the user’s laptop is within the corporate network, it can communicate with the Active Directory Domain Controller. Upon authentication user successfully logs in.
What happens when a laptop is not connected to an organization’s network
When outside of the network, the laptop will not be able to connect to Active Directory Domain Controller to authenticate the user’s new credential.
- Step 1 and 2 will be the same as before when the laptop was not connected to the corporate network.
- Step 3 in this case: User tries to login with the new password from his/her laptop. The laptop will try to contact Active Directory to authenticate with the new password, but the laptop is out of the corporate network. This communication will fail, and the user will not be able to log in.
Problem resolution with Off Network Password Reset feature
- Steps 1 and 2 remain as before.
- In Step 3, the DPR browser gets confirmation from IdentityNow that the password is successfully changed on the Active Directory Domain. Communication between DPR browser and IdentityNow is protected using TLS 1.2 protocol.
- After confirmation is received, the DPR tool will update the laptop’s local credential cache with new credentials. Users can enter credentials and successfully log in. After login, the user can connect to the corporate network over a VPN.
How does this work
Wait, in the previous section, I said DPR updates local credentials cache, but what is it?
Each time user logs in on the windows system, it caches the login information, including password in the registry database. The password is not cached in plaintext, but the hash of the password is stored.
So, whenever the user is not connected to the corporate network, this cached credential is used to authenticate the user. The Windows system stores all the cached credentials data under the ‘HKLMSECURITYCache’ registry key. This key is only accessible to the SYSTEM account or processes running under the SYSTEM account. By default, the key contains a maximum of 10 unique user’s login data.
Multiple layers of encryption keys protect these cached entries. Data in these entries are retrieved/written by using the MSCache2 algorithm.
At a very high level, the MSCache2 algorithm performs the following steps to update the user’s password on the local cache.
- Obtain Windows System Key – This key is a 128-bit RC4 encryption key Windows uses to protect all secure information stored locally.
- Obtain the Local Security Authority key – This key is used to protect the lsass.exe process that is responsible for all domain authentication.
- Obtain the NL$KM key using the system key and LSA key – This key is used to encrypt the domain cached credentials.
- Use the NL$KM key to decrypt the cached registry entries and an entry containing the username, home directory, SID, domain, Profile path, hashed password, and other attributes corresponding to the user.
- New Password hash will be generated by several steps of hashing using an MD4 hashing algorithm, username being used as a salt for hashing.
- The resultant hash value is hashed using PKDF2 (Password-Based Key Derivation Function 2) hashing function with 10240 iterations
- Overwrite the cached password hash with the new password hash in the registry and encrypt it with the NL$KM key.
- Save the registry entry.
DPR implements this algorithm to update the user’s password in local credentials cache and provides the seamless connectivity for remote users that are not in the corporate network.
Now that we’ve explained it, here’s how to turn it on.
To enable this feature for all your employees in your organization, enable the ‘Off-Network Password Reset’ option on ‘Additional Configuration’ dialog box of the installer while pushing the tool on their desktops as displayed below.