
Cached credentials on a user’s workstation

After a password change with a web-based password management system, the cached credentials on a user’s workstation may become unsynchronized with the user’s new domain password:

  • When a user logs into Windows, the workstation stores their domain credentials in a cache in memory.

  • When the user logs into other resources on the workstation (shares, printers, Outlook/Exchange mail boxes, IIS web sites), it first tries its cached domain password, and if this fails, it prompts the user to type the correct password.

  • If the user changes their domain password from the workstation itself (on Windows, for example, through the Ctrl-Alt-Delete change-password process), Windows updates the local cache and there is no problem.

  • If the Help desk, another workstation, or a web application changes the user’s password on the domain, then the workstation cache becomes unsynchronized with the new domain password. Subsequent attempts to access network resources from the workstation use the cached password, increment the user’s "failed login attempts" counter, and ultimately trigger an intruder lockout.

  • Windows services that use network domain credentials also validate against cached credentials. When cached credentials are unsynchronized, each failed validation increments the user’s "failed login attempts" counter and throws an error that triggers a reauthentication prompt. If several services fail at the same time, the reauthentication prompt is never shown in time: each failure increments the counter, and an intruder lockout is triggered immediately.
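The following help-desk diagnostic is an added example and is not code from the Bravura Pass documentation. It shows the pattern the bullets above describe from the domain's side: after a password has been changed somewhere other than the workstation, it prints the user's bad-password count and lockout state, then lists which workstation has been presenting a wrong password to the domain since the change. It assumes the RSAT ActiveDirectory module, read access to the PDC emulator's Security log (remote event log access allowed), Kerberos Authentication Service and Credential Validation auditing enabled on the domain controllers, and a placeholder account name (abbiel).

```powershell
<#
Added example; not part of the Bravura Pass documentation.
Shows the domain-side view of a stale cached password: counters for the
account and the source of wrong-password events since the password change.
Assumptions: RSAT ActiveDirectory module; rights to read the PDC emulator's
Security log remotely; Kerberos Authentication Service and Credential
Validation auditing enabled; placeholder account name abbiel.
#>
param([string]$SamAccountName = 'abbiel')   # placeholder account

Import-Module ActiveDirectory

# badPwdCount is not replicated; every DC forwards bad passwords to the PDC
# emulator, so the PDC holds the authoritative count and logs the 4740 lockout.
$pdc    = (Get-ADDomain).PDCEmulator
$user   = Get-ADUser -Identity $SamAccountName -Server $pdc `
              -Properties badPwdCount, lockoutTime, pwdLastSet, LockedOut
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
$changedAt = [DateTime]::FromFileTime($user.pwdLastSet)

"User              : $($user.SamAccountName)"
"Password last set : $changedAt"
"badPwdCount (PDC) : $($user.badPwdCount) / threshold $($policy.LockoutThreshold)"
"Locked out        : $($user.LockedOut)"

# Read EventData fields by name; positional indexes differ between event IDs.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4771 = Kerberos pre-auth failure (Status 0x18 = wrong password; client by IP).
# 4776 = NTLM credential validation (Status 0xC000006A = wrong password; by name).
# 4740 = account locked out (TargetDomainName = the computer that caused it).
$filter = @{ LogName = 'Security'; Id = 4771, 4776, 4740; StartTime = $changedAt }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($evt in $events) {
    $d = Get-EventData $evt
    if ($d.TargetUserName -ne $SamAccountName) { continue }
    switch ($evt.Id) {
        4771 { if ($d.Status -eq '0x18')       { [pscustomobject]@{ Time = $evt.TimeCreated; Kind = 'Kerberos bad password'; Source = $d.IpAddress } } }
        4776 { if ($d.Status -eq '0xc000006a') { [pscustomobject]@{ Time = $evt.TimeCreated; Kind = 'NTLM bad password';     Source = $d.Workstation } } }
        4740 {                                   [pscustomobject]@{ Time = $evt.TimeCreated; Kind = 'LOCKOUT';               Source = $d.TargetDomainName } }
    }
}

if (-not $hits) { "No wrong-password events for $SamAccountName since $changedAt."; return }

"Wrong-password sources since the change. A workstation listed here is still"
"presenting the old cached password; the user should log out and back in there:"
$hits | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Kinds';  e = { ($_.Group.Kind | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Querying the PDC emulator rather than an arbitrary domain controller matters: a workstation retrying a stale password against several servers can drive the count up on the PDC while another DC still reports zero, so a lockout can look unexplained if the wrong DC is asked.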

The problem for remote users

When a remote user who is not connected to the domain network logs into their current workstation, the workstation uses cached domain credentials to authenticate the user. The user then connects to the internal network using a RAS or VPN connection and changes their password using the Bravura Pass web interface. Changing the password on the web interface does not update the cached domain credentials. This means the user's cached workstation credentials are still set to the old password even though their domain credentials have been updated to the new password.

Once a user’s cached and domain credentials conflict, they will be unable to log back into their workstation without first connecting to the domain. The remote user, once logged out, would need to connect to the domain through RAS or VPN before logging back into their workstation for their cached credentials to be updated. If RAS is configured to use the cached Windows password, the user will not be able to log into the RAS network and will be locked out of their workstation.

See Self-Service Anywhere: Reset forgotten, cached passwords while away from the office for more information.

The Bravura Pass solution using Local Reset Extension

To eliminate these problems, Bravura Pass utilizes a Local Reset Extension that is compatible with Chrome, Edge Chromium and Firefox browsers. The Local Reset Extension silently updates the user’s password cache on the workstation after a web-based password change.

Local Reset Extension:

  • Is signed by Bravura Security.

  • Works on Windows client versions 8 and newer for both 32-bit and 64-bit versions.

  • Works with Google Chrome, Microsoft Edge Chromium and Mozilla Firefox.

    • The Bravura Security Browser Extension is required to be installed on the browser.

    • This extension can be found in the Chrome and Firefox web stores and will appear in the list of extensions for the browser once installed.

  • Includes a native extension installed on the users' Windows client workstations that:

    • Is able to recognize users who log in with IDs in the <userid>@<domain> format as well as the standard Profile ID.

    • Is normally cached by the supported web browser, so is generally only downloaded once.

    • This extension is installed using browser-extension-win-x86.msi for Edge Chromium or Google Chrome, or firefox-extension-win-x64.msi / firefox-extension-x86.msi for Firefox.

Where Local Reset Extension is used to update cached domain passwords, the user’s workstation must be on the network and be able to authenticate to the domain. This works for locally-attached users and users on a corporate VPN connection. Local Reset Extension cannot update cached passwords for users accessing Bravura Pass through a reverse web proxy from outside the corporate network.

It is recommended that, after users reset their cached password using Local Reset Extension, they log out and then log back into the workstation in order to ensure network connectivity. The Change passwords (PSS) module displays a message after a password reset:

"If you were logged into your workstation, log out now. You must log in with your new password to ensure that your workstation does not try to use your old password to access network resources."
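Because the extension can only refresh the cache when the workstation can authenticate to the domain, a pre-flight check before a web-based password change is useful. The script below is an added example, not code from Bravura Security: it verifies domain membership, locates a domain controller the same way Winlogon does, tests Kerberos and LDAP reachability, checks the machine's secure channel, and reports the CachedLogonsCount setting. It assumes a domain-joined Windows workstation with PowerShell 5.1 or later, run from an elevated session, and uses no third-party modules.

```powershell
<#
Added example; not part of the Bravura Pass documentation.
Pre-flight check: can this workstation authenticate to the domain right now,
so that a web-based password change can also refresh the local credential cache?
Assumptions: domain-joined Windows workstation, PowerShell 5.1+, elevated session.
#>
function Test-DomainReachability {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $result = [ordered]@{
        Computer          = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        Domain            = $cs.Domain
        DomainController  = $null
        KerberosPort88    = $false
        LdapPort389       = $false
        SecureChannel     = $false
        # Number of domain logons Windows keeps cached for offline use (default 10).
        CachedLogonsCount = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
        CanUpdateCache    = $false
    }
    if (-not $cs.PartOfDomain) { return [pscustomobject]$result }

    try {
        # DC locator: the same mechanism the workstation uses at interactive logon.
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        $result.DomainController = $dc.Name
        $result.KerberosPort88   = (Test-NetConnection -ComputerName $dc.Name -Port 88  -WarningAction SilentlyContinue).TcpTestSucceeded
        $result.LdapPort389      = (Test-NetConnection -ComputerName $dc.Name -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        # Verifies the computer account's trust relationship with the domain.
        $result.SecureChannel    = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)
    } catch {
        # No domain controller could be located: the workstation is off-network,
        # for example reaching Bravura Pass only through a reverse web proxy.
    }
    $result.CanUpdateCache = $result.KerberosPort88 -and $result.SecureChannel
    return [pscustomobject]$result
}

$r = Test-DomainReachability
$r | Format-List
if ($r.CanUpdateCache) {
    "Workstation can authenticate to the domain: Local Reset Extension can refresh the cached password."
} else {
    "Domain not reachable: a web-based password change will leave the cached password stale."
    "Connect through VPN first, and log out and back in afterwards so the cache is updated."
}
```

The result object is deliberately returned from a function rather than only printed, so the same check can be scripted into a helpdesk tool or a VPN post-connect task and the CanUpdateCache flag acted on directly.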

Business Case for Local Reset Extension

This use case provides a situational example that demonstrates the usefulness of the Local Reset Extension.

  1. Abbie brings her Windows Workstation laptop from home to the corporate office.

  2. When in the corporate office, the laptop connects to the corporate network and can communicate with the Active Directory domain.

  3. Abbie logs into the Windows Workstation laptop with her current password A123.

  4. The Windows Workstation authenticates the password against the corporate Active Directory domain since the laptop is connected to the corporate network.

  5. Abbie is now signed into the laptop.

  6. Abbie realizes that she needs to change her password since it is about to expire.

  7. Abbie opens a browser window and navigates to the company’s Bravura Pass instance URL.

  8. Abbie logs in to the Front end (PSF) as abbiel with password A123.

  9. Abbie changes her password to B456.

  10. Abbie’s password has now been changed.

    With Local Reset Extension installed, Abbie’s previously cached password on the Windows Workstation updates to match the new password.

  11. Abbie signs out of the Windows workstation laptop at the end of the day.

  12. Abbie still has work to do, so brings her laptop home.

  13. Abbie’s laptop is no longer connected to the corporate network at home.

  14. Abbie logs in to the Windows workstation laptop with the new password B456.

The Windows workstation tries to authenticate Abbie’s password against the corporate Active Directory domain, but since it is not connected to the corporate network, it cannot reach AD for authentication. The Windows workstation next tries to authenticate Abbie against the stored Windows cache.

Since the Local Reset Extension updated that cache during the password change at work, the Windows workstation allows Abbie to log in.

Result if Local Reset Extension is not installed

When the Local Reset Extension is not installed, the Windows cache would still have been set to the old password A123. This would mean that after following the same steps in the use case, when Abbie attempted to log in using B456 at home, the Windows workstation would have denied her entry. The laptop would not be able to reach the AD domain for authentication and would try to authenticate against the Windows cache. The cached password A123 would not match the attempted B456 password, so the password authentication would fail. Abbie might think to call the Help Desk at this point, but even if the Help Desk performs a password reset, the laptop is not connected to the network domain and continues to attempt user authentication against the outdated cache.

If Abbie remembered her old A123 password at home, then she would be able to log in to the laptop with the old password since it would match the cached Windows password. However, due to complex password policies, it is often not the case that users remember their old password.

Updating locally protected resources

The Local Reset Extension includes nplocalr.ocx, which is designed to update locally protected resources. It can be used to clear PGP WDE cache passwords so that the new password can be used on the next start-up of the PGP client.

See Hard Drive Encryption Systems in the Connector Pack documentation for information about integrating with PGP WDE encryption clients.