Skip to main content

Active Directory Cached Credentials Update

Neil Shrestha-Birtch
  • Updated

Introduction

This article is designed to explain how Quickpass assists with updating cached credentials on a domain-joined workstation after a password reset. This will improve the chances of a successful login for end users who are unable to connect to the Active Directory environment.

Challenges that Quickpass Solves

The main limitation of cached credentials is the fact that they are only updated when the user logs in with an active connection to Active Directory.

If a user changes their account password but does not log out and log back in with an active connection to the domain network, the cache will not be updated. Additionally, since VPNs may not run at the login screen, the cache will never update, leading to confusion among users who might continue to use their old password on their workstation even after changing it via the self-serve app or by asking their helpdesk to update their AD password.

Here are a few real-world scenarios without Quickpass:

  • The end user is working from home and resets their password. They log out and try to get back in with the new password and the new password won't work.

  • The end user is at the office and resets their password. They shut down their machine and go home and try to get back in with the new password and the new password won't work.

  • The end user resets their password at the office or at home then shuts down and goes somewhere with no internet connection and the new password won't work.

Once a password reset is initiated, what Quickpass will do is have the locally installed agent immediately attempt to initiate an action that will cause the cached credentials on the local machine to update. If there is a connection back to the AD network or a VPN that has a line of sight to the domain controller that's running, the updating of the cached credentials will be successful. If it is not successful, the local agent will try again within 14 days of the password reset to initiate the action to update the cached credentials. 


Using the former problematic scenarios, here's how we can help now:

  • The end user is working from home while having a connection to the domain network and they reset their password. The Quickpass agent will now be triggered. They log out and try to get back in with the new password, the new password will now work.

  • The end user is at the office and resets their password. The Quickpass agent will now be triggered. They shut down their machine and go home and try to get back in with the new password, the new password will now work.

  • The end user resets their password at the office or at home while having a connection to the domain network. The Quickpass agent will now be triggered. The user shuts down and travels somewhere with no internet connection, the new password will now work.

Prerequisites

  • Have an active Quickpass account.
  • Have the Quickpass Agent installed on your AD Server (Domain Controller) and AD Workstation (Workstation joined to Traditional AD)

  • The end-user account is imported into the Quickpass dashboard.

  • The end-user computer has an active connection back to the domain controller either by:

    • A. Physically being on the work network containing the Domain Controller.
    • B. Or by having a software/hardware VPN network that gives them a network connection back to the Domain Controller.
  • The end-user has logged into the workstation after the installation of the Quickpass agent and the workstation is detected for the AD account

     

Supported servers and workstations will be listed in the section "Supported Servers and Workstations" of this article.

Scenario

When an end user's password is changed (via the self-service website, mobile app, QuickPass dashboard, or PSA integration), QuickPass will initiate an attempt to update the cached credentials on the end user's workstation. This will allow the end user to log in to their workstation using the new password without interruption.

 

Process

  1. Navigate to Customer > Your relevant Company > End-User Accounts.
  2. Use the "Computer Name" column on the list view to observe the latest AD Workstation detected for the user. This is the workstation where Quickpass will attempt the cache credentials update.



  3. Action a password reset via any of these methods explained earlier in this document

  4. Quickpass will automatically try to update the cache on the AD workstation. Refresh the "End-User Accounts" page and observe the status icon located in the "Cached Credentials Status" column.



  5. If you see a green checkmark appear for your account entry, then Quickpass was able to successfully update the cached credentials. The end user will now be able to use the new password even if they leave the contact of the AD network.

How retrying for a failed cached credential works

The QuickPass desktop agent will initiate an attempt to update the cached credentials within 14 days of a password update. If 14 days pass without a successful connection and update, a logged event called "Cached Credentials Update Failed" will be generated.

Please be advised, if the workstation agent comes back online after the 14-day period, no additional attempts to update the cached credentials will be made.


The Quickpass Validation Service Service

The Quickpass agent installed on the AD workstations will contain a specific service called the “Quickpass Validation Service". This service will be used to update the cached credentials on the local machine.

  • Name: Quickpass Validation Service
  • Description: This service is used to automatically validate and refresh cached credentials upon an AD account password update.

List of Cached Credentials Status

Here is a list of all available statuses you may see with this feature.

Name Icon

Success

Indicates the account has been signed into an AD workstation machine successfully. 

This also indicates the CyberQP agent was able to update the cached credentials.

Hovering over this icon will display information about when the update occurred.

 mceclip2.png
Waiting for Connection
Quickpass is attempting to update the local credentials of an AD workstation. A local cache update is in progress or is retrying. 		 mceclip3.png
Agent is not installed
Indicates the account has not signed into any AD workstation machine that has the Quickpass agent.		 mceclip4.png

 

Supported Servers and Workstations

AD Device Type

OS

Servers

Server Agents (Agent Roles: AD Server, AD Member)
Listed here 

  • Windows Server 2008 R2 (Basic legacy support. See Scripted Agent Installation for more details)

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

Workstations

Workstation Agents (Agent Roles: AD Workstation)

  • Windows 10 and 11


Considerations

  • If you are experiencing difficulties with having the desktop agent update the local cache, you may want to check to see if your endpoint protection tools are preventing the Quickpass Validation Service from running.

Related articles

Comments

0 comments

Article is closed for comments.