From version 5.9 it is possible to configure a credential template that synchronizes the credential PIN with the Active Directory (AD) password whenever the managed credential PIN is set or changed. This article describes how to set this up in your environment.
AD password synchronization will be activated for a credential only when:
- The credential is managed and in an active state in vSEC:CMS;
- Self-service is enabled for the credential;
- AD password synchronization is enabled in the credential template.
The vSEC:CMS Service account needs to be running under a dedicated Windows account that has permissions to change the AD password for a managed user credential. See the article Configure Dedicated Windows Service Account for details on how to set this up.
- The call requesting the AD password reset contains a nonce signed with the authentication key assigned to the credential. The vSEC:CMS service must verify this signature successfully before it continues and performs the AD password reset;
- There is one exception: if the vSEC:CMS service detects that the credential has no authentication key (as is the case for migrated credentials, for example), it informs the self-service client that no extra authentication is required;
- If an IDPrime .NET credential is being used, the vSEC:CMS User Self-Service (USS) application needs to have smart card access set to Use minidriver if possible;
- AD password synchronization can only be performed when changing or unblocking a PIN from the self-service client application;
- The AD setting Smart card is required for interactive logon should not be enabled for the user.
From Templates - Card Templates select an already created template (presuming you already have a credential template in place) and click Edit.
Click the Edit link for Issue Card and click the Manage button for Primary Card PIN Options. Depending on the card type set for the managed credential (this was set in the General section for the credential template) you may see different configuration options. In this example we will presume that the card type is Minidriver (Generic minidriver card). Click the Add button.
Enter a name for the template and enable the Update AD password when changing card PIN checkbox. Click Save to save and close.
Enable the Apply PIN Policy checkbox and click Ok to save and close the dialog. Click Ok to save and close the template.
Self-Service needs to be enabled for the credential template. This needs to be configured from the General section of the template.
Now you can issue the credential as normal. When you then set, change or unblock the credential PIN using the vSEC:CMS User Self-Service client application, the AD password is also updated to the same value as the PIN set on the credential.