Introduction
When a user performs a password reset, the reset is done directly against the user directory (i.e Active Directory).
This can be a problem for remote users as this update only happens on the server and their locally cached credentials are not able to be updated.
This user then needs to connect to the corporate network in order for them to use their newly reset password.
This article shows how you can use the LogonBox SSPR Credentials Provider in combination with our LogonBox VPN product to make a temporary connection to your network temporarily so that your users can log into their laptops using their new password.
Previously, there was a requirement to separately launch the VPN client in order to update the locally cached credentials, but the Credentials Provider now has its own client integrated for this use-case.
Pre-requisites
For this confiuguration, you need already have working installs of both the LogonBox SSPR and LogonBox VPN products (version 2.4.5 or higher).
They should already be configured to the point where you are able to perform a password reset via the SSPR and be able to make a VPN connection with the VPN client.
The users you want to perform the cached credentials reset on must exist on both servers (i.e both connected to the same user directory).
You also need to have the Desktop Credentials Provider (version 5.2 or higher) installed on any system you wish to have the cached credentials reset.
How it works
A user will reset their password using the link provided on their login screen by the desktop credentials provider.
As the password reset completes, the credentials provider will fire up its integrated VPN client and connect to the LogonBox VPN server.
This connection is temporary and will disconnect within a few minutes, but this is enough time for the user to then log in with their new password, which of course then gets locally updated on the remote laptop for future logins.
Temporary VPN connection configuration
First, on the VPN product, we need to set up a new temporary peer definition.
Navigate to the VPN menu and click Create.
Give the new connection a name (e.g Temporary Connection, or Password Resets).
Change the Client type from LOGONBOX_VPN to TEMPORARY and change the Longevity to TIMED.
For Time to Live Unit, set this to MINUTES and set the Time to Live to however long you need (3 minutes is a suggested default).
You may choose to alter any of the other configuration on this new peer if you prefer, but the defaults should work okay.
For example, you may choose to not push the server subnet in the Routing tab and only add in the IP(s) of your AD domain controllers in Additional Routes.
In the Assignment tab, add in the users you want to be able to use this connection.
If you want all users to be allowed, you can just add in the Everyone Role.
Click Create to create the new configuration.
Link your SSPR to your VPN
Now move over to your SSPR instance and log in as the admin.
In the Resources section, navigate to Authentication Flows->Authentication Options->Oauth2.
Note: If you don't see this menu, you will need to install the feature.
Navigate to Updates, Features & Licensing and install OAuth2 Scopes from the System tab.
Ensure that Require Application Registration is turned Off and Issue Refresh for Unregistered Requests is turned On.
Now navigate to Authentication Flows->Authentication Options->Credential Provider and turn on Obtain temporary VPN connection.
This will expose a new setting below called VPN Provider URL.
Enter the URL for your VPN server here, then click Link.
Your browser will now redirect to your VPN server and display an oauth2 page.
Enter your VPN admin details here and click Next.
At the prompt to obtain temporary VPN connections, click Accept.
The page will redirect back to your SSPR and the configuration is now complete.
Credentials Provider install
Installation of the Desktop Credentials Provider is as documented in this article.
Example password reset
On a system where the credentials provider is installed, initiate a password reset by clicking on the Reset Password link.
Follow the prompts to reset your password as normal.
First, we enter a username.
Next, in this example, we enter answers to security questions.
Change the password when prompted.
Your password has been reset
You should now see the provider connecting to the VPN.
You should be back at the login prompt, you now have 3 minutes to perform a normal login with your new password before the VPN connection automatically closes in the background.