
Local Reset Extension: Resetting cached credentials

Bravura Pass uses the Local Reset Extension (LRE) to update cached network credentials on a user’s Windows client workstation after a successful web-based password reset. This addresses the issue of intruder lock-outs caused by workstations continuing to log into network resources using cached, no-longer-valid passwords.

Cached credentials on a user’s workstation

After a password change with a web-based password management system, the cached credentials on a user’s workstation may become unsynchronized with the user’s new domain password:

  • When a user logs into Windows, the workstation stores their domain credentials in a cache in memory.

  • When the user logs into other resources on the workstation (shares, printers, Outlook/Exchange mail boxes, IIS web sites), it first tries its cached domain password, and if this fails, it prompts the user to type the correct password.

  • If the user changes their domain password from the workstation itself (on Windows, for example, through the Ctrl-Alt-Delete change-password dialog), Windows updates the local cache at the same time and there is no problem.

  • If the Help desk, another workstation, or a web application changes the user’s password on the domain, then the workstation cache becomes unsynchronized with the new domain password. Subsequent attempts to access network resources from the workstation use the cached password, increment the user’s "failed login attempts" counter, and ultimately trigger an intruder lockout.

  • Windows services that use network domain credentials also validate against the cached credentials. When the cache is out of date, each such service increments the user’s "failed login attempts" counter and throws an error that triggers a reauthentication prompt. If several services fire at the same time, the prompt never gets a chance to appear: every failure increments the counter, and the intruder lockout is triggered immediately.

The problem for remote users

When a remote user who is not connected to the domain network logs into their current workstation, the workstation uses cached domain credentials to authenticate the user. The user then connects to the internal network via a RAS or VPN connection and changes their password via the Bravura Pass web interface. Changing the password on the web interface does not update the cached domain credentials. This means, the user's cached workstation credentials would still be set to the old password even though their domain credentials have been updated to a new password.

Once a user’s cached and domain credentials conflict, the user cannot log back into the workstation until it has reconnected to the domain. A remote user who has logged out must therefore connect through RAS or VPN before logging back into the workstation so that the cached credentials are refreshed. If RAS is configured to use the cached Windows password, the user cannot log into the RAS network either and is locked out of the workstation.

See Self Service Anywhere: Remote password reset for more information.

The Bravura Pass solution using Local Reset Extension

To eliminate these problems, Bravura Pass utilizes a Local Reset Extension that is compatible with Chrome, Edge Chromium and Firefox browsers. The Local Reset Extension silently updates the user’s password cache on the workstation after a web-based password change.

The Local Reset Extension:

  • Is signed by Bravura Security.

  • Works on Windows client versions 8 and newer for both 32-bit and 64-bit versions.

  • Works with Google Chrome, Microsoft Edge Chromium and Mozilla Firefox.

Where Local Reset Extension is used to update cached domain passwords, the user’s workstation must be on the network and be able to authenticate to the domain. This works for locally-attached users and users on a corporate VPN connection. Local Reset Extension cannot update cached passwords for users accessing Bravura Pass through a reverse web proxy from outside the corporate network.

It is recommended that, after users reset their cached password using Local Reset Extension, they then log out and then log back into the workstation in order to ensure network connectivity. The Change passwords (PSS) module displays a message after a password reset:

"If you were logged into your workstation, log out now. You must log in with your new password to ensure that your workstation does not try to use your old password to access network resources."

Business Case for Local Reset Extension

This use case provides a situational example that demonstrates the usefulness of the Local Reset Extension.

  1. Abbie brings her Windows Workstation laptop from home to the corporate office.

  2. When in the corporate office, the laptop connects to the corporate network and can communicate with the Active Directory domain.

  3. Abbie logs into the Windows Workstation laptop with her current password A123.

  4. The Windows Workstation authenticates the password against the corporate Active Directory domain since the laptop is connected to the corporate network.

  5. Abbie is now signed into the laptop.

  6. Abbie realizes that she needs to change her password since it is about to expire.

  7. Abbie opens a browser window and navigates to the company’s Bravura Pass instance URL.

  8. Abbie logs in to the Front end (PSF) as abbiel with password A123.

  9. Abbie changes her password to B456.

  10. Abbie’s password has now been changed.

    With Local Reset Extension installed, Abbie’s previously cached password on the Windows Workstation updates to match the new password.

  11. Abbie signs out of the Windows workstation laptop at the end of the day.

  12. Abbie still has work to do, so brings her laptop home.

  13. Abbie’s laptop is no longer connected to the corporate network at home.

  14. Abbie logs in to the Windows workstation laptop with the new password B456.

The Windows workstation tries to authenticate Abbie’s password against the corporate Active Directory domain, but since it is not connected to the corporate network, it cannot reach AD for authentication. The Windows workstation next tries to authenticate Abbie against the stored Windows cache.

Since the Local Reset Extension updated that cache during the password change at work, the Windows workstation allows Abbie to log in.

Result if Local Reset Extension is not installed

When the Local Reset Extension is not installed, the Windows cache would still hold the old password A123. After the same steps in the use case, when Abbie attempts to log in at home using B456, the Windows workstation denies her entry: the laptop cannot reach the AD domain for authentication, so it falls back to the Windows cache, and the cached A123 does not match the B456 she typed. Abbie might think to call the Help Desk at this point, but even if the Help Desk performs a password reset, the laptop is not connected to the domain and continues to authenticate against the outdated cache.

If Abbie remembered her old A123 password at home, then she would be able to log in to the laptop with the old password since it would match the cached Windows password. However, due to complex password policies, it is often not the case that users remember their old password.

Note

When the Credential Provider tile is clicked, neither the Bravura Security browser extension nor the Native Extension is required for the local password reset to work. In a use case where a user must use the Credential Provider tile for the initial login on a new laptop, it is therefore not necessary to have the extension installed ahead of time.

Updating locally protected resources

The Local Reset Extension includes nplocalr.ocx, which is designed to update locally protected resources. It can be used to clear PGP WDE cache passwords so that the new password can be used on the next start-up of the PGP client.

See Hard Drive Encryption Systems in the Connector Pack documentation for information about integrating with PGP WDE encryption clients.

Configuring the Local Reset Extension

The Bravura Pass Local Reset Extension can be used on Windows client versions 8 and newer, with the following browsers:

  • Edge Chromium

  • Google Chrome

  • Firefox

Mac OS X and other operating systems are not supported.

The Local Reset Extension is comprised of the Bravura Security browser extension and a native extension:

  • The Bravura Security browser extension is installed on the browser

    This extension can be found in the Chrome and Firefox web stores and will appear in the list of extensions for the browser once installed.

  • The native extension, shipped with Bravura Pass, is installed on the users' Windows client workstations

    • This extension can recognize users who log in with IDs in the <userid>@<domain> format as well as the standard Profile ID.

    • It is normally cached by the supported web browser, so it is generally only downloaded once.

    • This extension is installed using browser-extension-win-x86.msi for Edge Chromium or Google Chrome, or firefox-extension-x64.msi / firefox-extension-x86.msi for Firefox.

When the user's password is reset from Bravura Pass, two things happen together:

  • The password is reset on the target system that is configured to work with the extension.

  • The user's cached credentials on the workstation are reset, so that the user can log in with the new password when not connected to the network.

Until both the browser extension and the native extension are installed, the reset of the user's password on the target system itself still succeeds, but the cached credentials are not updated.

To configure the Local Reset Extension:

  1. Configure Bravura Pass to use the Local Reset Extension plugin.

  2. Install the browser and native extensions on each user's Windows client workstation.

    Both the browser and native extensions can be installed with the following methods:

    • The end user manually installs the browser and/or native extension on their own Windows workstation while resetting their password using Bravura Pass.

    • An administrator manually installs the appropriate browser and/or native extension on each user's workstation.

    • An administrator automatically installs the browser and/or native extension on users' workstations using group policy.

    See Install Local Reset Extension on Chrome or Edge Chromium and Install Local Reset Extension on Firefox for installation details.

Configure the Local Reset Extension plugin

The cgilocalr plugin updates local resources and runs commands after a web-based password change via Bravura Pass.

  • The generic control pslocalr.ocx silently updates the user’s Windows password cache. With this plugin the user may continue using domain resources without logging out and back into their workstation after a password change.

  • The generic control nplocalr.ocx is designed to update locally protected resources. It can be used to clear PGP WDE cache passwords so that the new password can be used on the next start-up of the PGP client.

    See Hard Drive Encryption Systems in the Connector Pack documentation for information about integrating with PGP WDE encryption clients.

  • hidgeneric.ocx is a generic control that can be used to determine the correct bitness of *localr.ocx to launch after a password change, in order to update cached passwords on a user’s workstation.

Note

32-bit and 64-bit versions of pslocalr.ocx and nplocalr.ocx are available. The bitness to launch is determined from the operating system.

Usage

The cgilocalr plugin triggers local resource updates when a self-service password reset succeeds on a target system, as specified in cgilocalr.cfg.

To enable cgilocalr :

  1. Click Manage the system > Modules > Change passwords (PSS).

  2. Add cgilocalr.exe in the S STATUS EXT field.

    The field accepts a comma-delimited list for multiple plugins.

  3. Click Update.

Requirements

The cgilocalr plugin requires a configuration file. The cgilocalr.cfg file in the samples\ directory includes example configurations for pslocalr and nplocalr. Copy the file to the \<instance>\script\ directory, then edit the configuration.

The generic control takes the following parameters for running arbitrary commands:

  • id: Identifies the generic control.

  • files: The files to download from the Bravura Pass server’s wwwdocs/x86 or wwwdocs/x64 directory, depending on the bitness of the client workstation’s operating system.

  • program (optional): The program the cgilocalr plugin runs. If left blank, rundll32.exe is used.

  • arguments: Arguments or parameters to pass to the program or to rundll32.exe.

Customization

You can customize the user interface text in the plugin-pslocalr.m4 file. The plugin’s result messages can also be modified in this M4 file. See Customizing skins for more information.

Example

The cgilocalr plugin uses the configuration file to specify the target system and AD domain for which passwords should be changed locally, where:

  • Each target system on which you want to enable the Local Reset must have an entry containing the target system ID.

  • targetid, control and logonDomain are case insensitive.

    For Active Directory DN targets, the domain information is taken implicitly from the longid, and does not need to be explicitly specified by logonDomain, which is only used for legacy Active Directory target systems.

For example, a company has an Active Directory Domain Controller managing the domain OFFICE. A target system for this domain controller has already been added with a target system ID of INTERNAL-AD. The following script configures the Local Reset Extension for passwords changed using the web-based interface. The user must be logged onto a workstation that is a member of the domain OFFICE. When the user changes their password on INTERNAL-AD, the plugin immediately updates the user’s local Windows password cache.

# NOTE: This example is for backwards compatibility only, use of the
# pslocalr control directly should be changed to use the generic
# control as described in Generic Control example below.
#
# cgilocalr plugin config file to use pslocalr
# KVGROUP-V2.0
"" "" = {
  "targetid" "INTERNAL-AD" = {
    "control" "pslocalr" = {
      "protocol" = "2";
      "attributes" "" = {
        "logonDomain" = "OFFICE";
      };
    };
  };
};

or

#
# cgilocalr plugin config file to use generic control
# KVGROUP-V2.0
"" "" = {
  "targetid" "INTERNAL-AD" = {
    "control" "generic" = {
      "id" = "pslocalr";
      "arguments" = "ResetCachedPassword2 %HID_ENCRYPTED_DATA%";
      "attributes" "" = {
        "logonDomain" = "OFFICE";
      };
    };
  };
};

Furthermore, workstation lock down after successfully updating the user’s local Windows password cache also can be configured by adding "useLockWstn" = "true" to the config file using the generic control. For example:

"" "" = {
  "targetid" "INTERNAL-AD" = {
    "control" "generic" = {
      "id" = "pslocalr";
      "arguments" = "ResetCachedPassword2 %HID_ENCRYPTED_DATA%";
      "attributes" "" = {
        "logonDomain" = "OFFICE";
        "useLockWstn" = "true";
      };
    };
  };
};

Testing

To test the correctness of the configuration file, attempt a password reset for one of the users on that system. If the syntax of the configuration file is invalid, the end user will not see any errors, but the server will log details about the parse error encountered:

Failed to parse file [C:\<path-to-instance>\script\cgilocalr.cfg]:
[Line: 36, Pos: 14]: Parse error: expected '='
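The configuration format shown above and the parse-error check described under Testing, as an added example that is not Bravura Security's code: a Python validator for the KVGROUP-V2.0 syntax of cgilocalr.cfg that an administrator can run on the server before any user attempts a reset, since a malformed file produces no error for the end user. It parses the file, extracts each targetid's control and attributes (matching those names case-insensitively, as stated above), and returns either a server-style "[Line: N, Pos: M]" parse error or warnings for a file that still uses the backwards-compatibility-only pslocalr control or defines no target at all. Assumptions of ours, not taken from the vendor documentation: strings are double-quoted, stay on one line and may escape a quote or backslash with a backslash; a '#' starts a comment that runs to end of line; the column numbering of the vendor's own parser is undocumented, so only the shape of the error line is copied. The sample configurations embedded in the block are constructed from the examples on this page.

```python
"""Offline syntax check for cgilocalr.cfg (KVGROUP-V2.0). Added example, not
Bravura Security code. Assumptions (ours): strings are double-quoted, single-line
and may escape '"' or '\\' with a backslash; '#' starts a comment to end of line;
a group is  "name" "value" = { ... };  a leaf is  "name" = "value";  Errors copy
the "[Line: N, Pos: M]" shape of the server log, with our own column numbering.
Sample configurations at the bottom are constructed from this page's examples."""
import re

TOKEN_RE = re.compile(r'\s+|#[^\n]*|"((?:[^"\\\n]|\\.)*)"|([={};])|(.)')  # ws|comment|string|punct|error

class KvgroupError(ValueError):
    """Syntax error; the message carries the offending token's line and column."""

def tokenize(text):
    """Yield (kind, value, line, col), 1-based; kind is 'str', 'eof' or one of = { } ;"""
    line, line_start = 1, 0
    for m in TOKEN_RE.finditer(text):
        col = m.start() - line_start + 1
        if m.group(3):
            raise KvgroupError(f"[Line: {line}, Pos: {col}]: Parse error: unexpected {m.group(3)!r}")
        if m.group(1) is not None:
            yield ("str", re.sub(r"\\(.)", r"\1", m.group(1)), line, col)
        elif m.group(2):
            yield (m.group(2), m.group(2), line, col)
        elif "\n" in m.group(0):  # a whitespace run that crosses line breaks
            line, line_start = line + m.group(0).count("\n"), m.start() + m.group(0).rfind("\n") + 1
    yield ("eof", "", line, len(text) - line_start + 1)

class Parser:
    def __init__(self, text):
        self.tokens, self.i = list(tokenize(text)), 0

    def expect(self, kind):
        tok = self.tokens[self.i]
        if tok[0] != kind:
            want = {"str": "string", "eof": "end of file"}.get(kind, repr(kind))
            raise KvgroupError(f"[Line: {tok[2]}, Pos: {tok[3]}]: Parse error: expected {want}")
        self.i += 1
        return tok[1]

    def entries(self):
        """Recursive descent: a group becomes a dict keyed by (name, value), a leaf by name."""
        out = {}
        while self.tokens[self.i][0] == "str":
            name = self.expect("str")
            if self.tokens[self.i][0] == "str":  # "name" "value" = { ... };
                value = self.expect("str")
                self.expect("=")
                self.expect("{")
                out[(name, value)] = self.entries()
                self.expect("}")
            else:  # "name" = "value";
                self.expect("=")
                out[name] = self.expect("str")
            self.expect(";")
        return out

def load_local_reset_targets(text):
    """Map targetid -> {'control', 'attributes', plus the control's own leaf settings}."""
    parser = Parser(text)
    tree = parser.entries()
    parser.expect("eof")  # anything left over is a parse error too
    targets = {}
    for key, body in tree.get(("", ""), {}).items():  # these names are case-insensitive
        if isinstance(key, tuple) and key[0].lower() == "targetid":
            for ckey, cbody in body.items():
                if isinstance(ckey, tuple) and ckey[0].lower() == "control":
                    leaves = {k: v for k, v in cbody.items() if isinstance(k, str)}
                    attrs = next((v for k, v in cbody.items() if isinstance(k, tuple) and k[0].lower() == "attributes"), {})
                    targets[key[1]] = {**leaves, "control": ckey[1].lower(),
                                       "attributes": {a: b for a, b in attrs.items() if isinstance(a, str)}}
    return targets

def lint(text):
    """The parse error as the server would log it, else warnings about deprecated or empty setups."""
    try:
        targets = load_local_reset_targets(text)
    except KvgroupError as exc:
        return [str(exc)]
    warnings = [] if targets else ['no "targetid" group under the root group "" ""']
    for tid, entry in targets.items():
        if entry["control"] == "pslocalr":
            warnings.append(f"{tid}: control 'pslocalr' is backwards-compatibility only; use the generic control")
    return warnings

SAMPLE_CFG = """# KVGROUP-V2.0
"" "" = {
  "targetid" "INTERNAL-AD" = {
    "control" "generic" = {
      "id" = "pslocalr";
      "arguments" = "ResetCachedPassword2 %HID_ENCRYPTED_DATA%";
      "attributes" "" = {
        "logonDomain" = "OFFICE";
      };
    };
  };
};
"""
LEGACY_CFG = SAMPLE_CFG.replace('"control" "generic"', '"control" "pslocalr"')  # old control name
BROKEN_CFG = SAMPLE_CFG.replace('"logonDomain" = "OFFICE";', '"logonDomain" "OFFICE";')  # '=' dropped
```

Call lint() on the contents of C:\<path-to-instance>\script\cgilocalr.cfg; an empty list means the file parses and every target uses the generic control. For BROKEN_CFG it returns the same kind of line the server writes to its log, pointing at the ';' where '=' was expected.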

See also

Configuration example: SSA Login Assistant with VPN includes an example that enables the Local Reset Extension to function using the Chrome web browser.

Install Local Reset Extension on Chrome or Edge Chromium

Both the Bravura Security browser extension for Chrome and the native extension are required to reset a user’s password cache on a workstation when using either Chrome or Edge Chromium. A download link is displayed for any of the extensions that has not been installed yet.

Installing using GPO

In cases where users are not able to install extensions on their web browsers, an organization's administrators would need to:

  1. Force-install the extension for their users.

    Google has some documentation on how to do this for Chrome:

    https://support.google.com/chrome/a/answer/6306504?hl=en#:~:text=You%20can%20automatically%20install%20(force,in%20the%20Chrome%20Web%20store

    The same install, deployment and use applies to Microsoft’s Edge Chromium and other Chromium-based browsers.

  2. Use a GPO or some other software deployment tool to install the native browser-extension-win-x86.msi extension on the workstations. For an example msiexec command to use with automated deployment tools, see "Use a silent installer" in the Configure Login Assistant on local workstations example.

Installing as an end user

Manual install works only for normal user accounts that are allowed to download and install browser extensions. It will not work inside the Login Assistant’s Secure Kiosk Account (LA/SKA) which is triggered from the login screen’s Credential Provider.

To install the Bravura Security browser extension and native extension as an end user:

  1. Reset a password using Bravura Pass in the Change passwords (PSS) module using Chrome or Edge Chromium.

    After the password is reset successfully on the target system that is configured to use the local reset extension, an installation link is displayed: Local Reset Extension Status: Disconnected Install chrome extension.

    At this stage the cached credential has not been updated.

  2. Click Install chrome extension.

    This opens a new browser tab to the Bravura Security Browser Extension in the Chrome web store.

  3. Click Add to Chrome.

  4. Click Add extension.

  5. Click X to close the sync notification.

  6. Close all Chrome or Edge Chromium browser windows.

  7. Re-open the Chrome or Edge Chromium browser.

  8. Reset a password using Bravura Pass in the Change passwords (PSS) module.

    After the password is reset successfully on the target system that is configured to use the local reset extension, an installation link is displayed: Local Reset Extension Status: Disconnected Install native extension.

    At this stage the cached credential has not been updated.

  9. On the password reset result page, click Install native extension.

  10. Run the browser-extension-win-x86.msi file. Alternatively, download and save the file onto your workstation and run the file.

    When running the installer on Windows as an administrator, you can choose to install the native extension for yourself or for all users on the workstation.

    The next time you change domain passwords from the workstation with the local reset extension installed, the cached credential should also be updated.

Next:

Test the installation

Install Local Reset Extension on Firefox

A Bravura Security browser extension, as well as a native extension, is required to reset a user’s password cache on a workstation when using Firefox. A download link will be available to install the extensions if they have not been installed yet.

Installing using GPO

In cases where users are not able to install extensions on their web browsers, an organization's administrators would need to:

  1. Force-install the extension for their users.

    See Firefox documentation to learn how to do this:

    https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows

  2. Use a GPO or some other software deployment tool to install the native firefox-extension-x64.msi or firefox-extension-x86.msi extension on the workstations. For an example msiexec command to use with automated deployment tools, see "Use a silent installer" in the Configure Login Assistant on local workstations example.

Installing as an end user

Manual install works only for normal user accounts that are allowed to download and install browser extensions. It will not work inside the Login Assistant’s Secure Kiosk Account (LA/SKA), which is triggered from the login screen’s Credential Provider.

To install the Bravura Security browser extension and native extension as an end user:

  1. Reset a password using Bravura Pass in the Change passwords (PSS) module using Firefox.

    After the password is reset successfully on the target system that is configured to use the local reset extension, an installation link is displayed: Local Reset Extension Status: Disconnected Install firefox extension.

    At this stage the cached credential has not been updated.

  2. Click Install firefox extension.

    A prompt to allow and install the Bravura Security Browser Add-On is displayed in the browser.

  3. Install the extension.

  4. Close all Firefox browser windows.

  5. Re-open the Firefox browser.

  6. Reset a password using Bravura Pass in the Change passwords (PSS) module.

    After the password is reset successfully on the target system that is configured to use the local reset extension, an installation link is displayed: Local Reset Extension Status: Disconnected Install native extension.

    At this stage the cached credential has not been updated.

  7. On the password reset result page, click Install native extension.

  8. If using a Windows 32-bit workstation, run the firefox-extension-x86.msi file. If using a Windows 64-bit workstation, run the firefox-extension-x64.msi file. Alternatively, download and save the file to your workstation, then run it.

    When running the installer on Windows as an administrator, you can choose to install the native extension for yourself or all users on the workstation.

    The next time you change domain passwords from the workstation with the local reset extension installed, the cached credentials should also be updated.

Next:

Test the installation

Configure the Local Reset Extension using the Windows installer

This section shows you how to manually install the native extension using the Windows Installer.

See Installing add-on software for general requirements for using a client MSI installer, configuring ActiveX security, and instructions for automatic installation using a group policy.

The installers are included in the addon directory:

  • pslocalr.msi

  • pslocalr-x64.msi

  Windows 32-bit      Windows 64-bit
  pslocalr.msi        pslocalr.msi, pslocalr-x64.msi
  pslocalr-x64bit     pslocalr-x64.msi

Note

The pslocalr-x64.msi installer adds two copies of pslocalr.ocx and nplocalr.ocx on Windows 64-bit systems; one in the C:\Program Files directory for the 64-bit version, and another in the C:\Program Files (x86) directory for the 32-bit version. The registry settings are also duplicated for both the 32-bit and 64-bit locations. This is required in order for the Local Reset Extension to work with both the 32-bit and 64-bit versions of Internet Explorer.

To manually install the native extension:

  1. Copy the pslocalr.msi or pslocalr-x64.msi installer from the Bravura Pass server to a scratch directory (C:\temp) on the workstation, or to a publicly accessible share.

  2. Launch the pslocalr.msi or pslocalr-x64.msi Windows Installer package.

    Click Next.

  3. Read the Bravura Security Fabric license. Select I accept the terms in the License Agreement if you agree to the terms and click Next.

  4. Click:

    • Complete to install the ActiveX component and configure users or groups to exclude from cached-credential resets.

      or

    • Typical to install the ActiveX component only, without configuring users or groups to exclude from cached-credential resets.

  5. If you selected Complete installation, enter the names of users and/or groups to exclude from cached-credential resets, separated by commas. These are users and groups whose passwords you do not want to be managed by Bravura Pass .

    Do not include the domain as part of the excluded users and groups.

    Click Next.

  6. If the Groups to exclude field was configured then you must type the Username and Password of the help administrative account. You must specify the name of the primary domain controller that the help administrative account resides on as part of the Username.

    The Local Reset Extension uses the help administrative account to verify that a user belongs to one of the excluded groups. This must be an existing non-administrative account with read access to group membership for all users on the primary domain.

    Note

    The help administrative account must not have the same username as Login Assistant’s help account.

  7. Click Install to start the installation.

    The installer begins copying files to your computer. The Installation Complete dialog appears after the Local Reset Extension has been successfully installed.

  8. Click Finish to exit.

Excluding users and groups

The pslocalr.msi and pslocalr-x64.msi installers allow you to customize the installation by specifying users and groups that are to be excluded from cached-credential resets. You can also set this list manually, by modifying appropriate registry settings:

For Windows 32-bit or Windows 64-bit (64-bit pslocalr):

HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\Local Reset Extension\EXCLUDED_USERS

HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\Local Reset Extension\EXCLUDED_GROUPS

For Windows 64-bit (32-bit pslocalr):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Bravura Security\Bravura Security Fabric\Local Reset Extension\EXCLUDED_USERS

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Bravura Security\Bravura Security Fabric\Local Reset Extension\EXCLUDED_GROUPS

Note

Ensure that you are comfortable and knowledgeable in the mechanics of the registry before you attempt to change any configuration settings. Contact support@bravurasecurity.com if in doubt.
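The exclusion lists above, as an added example that is not Bravura Security's code: a Python check that reads EXCLUDED_USERS and EXCLUDED_GROUPS from both the 64-bit and the 32-bit (Wow6432Node) copies of the Local Reset Extension key listed above, flags entries that carry a domain (which the installer instructions say to leave out), and reports when the two copies disagree, as they can after one installer was re-run without the other. The key path and value names are the ones on this page; assumptions of ours are that the values are REG_SZ strings holding the comma-separated list the installer asks for, and that the 32-bit copy is reached through the KEY_WOW64_32KEY registry view rather than by spelling out Wow6432Node (so the result is the same from a 32-bit or a 64-bit Python). The registry contents in SAMPLE_VIEWS are constructed; reading the real registry needs Windows, while the list parsing and checks run anywhere.

```python
"""Audit the Local Reset Extension exclusion lists in the registry.

Added example, not Bravura Security code. Assumption (ours): EXCLUDED_USERS and
EXCLUDED_GROUPS are REG_SZ values holding the comma-separated list that the
pslocalr installer asks for. The 32-bit and 64-bit copies are read through the
registry view flags instead of the Wow6432Node path, so a 32-bit and a 64-bit
Python give the same answer.
"""
SUBKEY = r"SOFTWARE\Bravura Security\Bravura Security Fabric\Local Reset Extension"
VALUE_NAMES = ("EXCLUDED_USERS", "EXCLUDED_GROUPS")


def parse_exclusions(raw):
    """Split the installer's comma-separated list; blanks dropped, case kept."""
    return [item.strip() for item in (raw or "").split(",") if item.strip()]


def check_exclusions(entries):
    """Entries must be bare names: the installer says not to include the domain."""
    return [f"{item!r}: remove the domain; give a bare user or group name"
            for item in entries if "\\" in item or "@" in item]


def audit(views):
    """Problems across the registry views; views is {label: {value_name: raw_string}}."""
    problems = []
    for label, values in views.items():
        for name, raw in values.items():
            problems += [f"{label} {name}: {p}" for p in check_exclusions(parse_exclusions(raw))]
    for name in VALUE_NAMES:  # the 32-bit and 64-bit copies should hold the same list
        lists = {label: sorted(i.lower() for i in parse_exclusions(v.get(name))) for label, v in views.items()}
        if len({tuple(items) for items in lists.values()}) > 1:
            problems.append(f"{name} differs between registry views: {lists}")
    return problems


def read_registry_views():
    """Windows only: read both views of HKLM\\SUBKEY; a view whose key is absent is skipped."""
    import winreg  # imported here so the checks above also run on non-Windows hosts
    views = {}
    for label, flag in (("64-bit", winreg.KEY_WOW64_64KEY), ("32-bit", winreg.KEY_WOW64_32KEY)):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBKEY, 0, winreg.KEY_READ | flag) as key:
                views[label] = {}
                for name in VALUE_NAMES:
                    try:
                        views[label][name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        views[label][name] = None  # value not set: treated as an empty list
        except FileNotFoundError:
            continue  # that bitness of the native extension is not installed
    return views


# Constructed sample: the 32-bit copy was installed later with a shorter user list
# and with one entry written with a domain prefix.
SAMPLE_VIEWS = {
    "64-bit": {"EXCLUDED_USERS": "svc_backup, helpdesk", "EXCLUDED_GROUPS": "Domain Admins"},
    "32-bit": {"EXCLUDED_USERS": r"OFFICE\helpdesk", "EXCLUDED_GROUPS": "Domain Admins"},
}

if __name__ == "__main__":
    found = read_registry_views()
    print("\n".join(audit(found) or ["no problems found"]) if found else "registry key not found")
```

Run it on the workstation after the MSI installation (or after editing the values by hand) to confirm that both copies agree and that no entry was typed as DOMAIN\name or name@domain.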

Installing the Local Reset Extension automatically on a browser

Automatic download occurs when a target system is configured to use the local reset extension, and the user clicks Change password in the Change passwords (PSS) module. If the ActiveX control is already installed, and a newer version is installed on the server, the control is automatically upgraded.

To use the download method, users must have administrative access to install and register the ActiveX control. If administrative access to install is not available, you must install the ActiveX controls using the MSI installer.

To install the ActiveX control on a browser as an end user:

  1. Reset a password using Bravura Pass in the Change passwords (PSS) module.

    An installation link will appear after the password is successfully reset on the target system configured to use the local reset extension.

  2. Click Install.

    This opens a pop-up window for the ActiveX component installation.

  3. Install and allow the plugin.

Test the Local Reset Extension

To test the installation and configuration, change a user's password and ensure a success message appears on the results page.

  1. Log in to the Windows Workstation with the Local Reset Extension installed with a user’s domain account.

  2. Open the browser.

  3. Navigate to the Bravura Pass URL.

  4. Log in to Bravura Pass as the user.

  5. Click Change passwords.

  6. On the Change passwords page, enter a New password and Confirm the password.

  7. Click Change passwords.

    This will display the Results page that shows the addition: Local Reset Extension Status: Processed.

    The user’s password has now been changed. With Local Reset Extension installed, their previously cached password on the Windows Workstation will also update to match the new password.