Description of Issue
Password rotation can fail for several reasons. This document outlines the most common causes of rotation failures and how to resolve them.
Cause 1
IT Glue: API Key Password Access checkbox is not enabled.
Resolution
Make sure the API Key Password Access checkbox is enabled.
Cause 2
IT Glue: The IT Glue password entry associated with an account was deleted in IT Glue.
Resolution
Re-create the password entry in IT Glue and re-connect it to the Quickpass administrator or service account.
Cause 3
Service Account Rotation - Agent(s) are offline: If any deployed agent for a Quickpass customer is offline, service account rotation will not run.
Resolution
Make sure all agents are online before rotating the service account again. Look at the Agents menu to check if they are online and investigate any offline agent on the Windows server if necessary.
Cause 4
Active Directory: User cannot change password option is enabled.
Resolution
Un-check the User cannot change password option.
Cause 5
Third-party password filter installed: Another tool, other than Microsoft AD Connect, is installed in Active Directory to detect when password changes occur or when passwords expire. Such tools register a password filter in the Notification Packages value under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Resolution
Uninstall the third-party password filter application. Microsoft AD Connect is supported. If unsure, please email support at support@getquickpass.com and send a screenshot of the registry entry below.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Cause 6
Quickpass Windows Service: You have switched the service from the Local System account to another account that does not have permission to write to Active Directory.
Note: To switch from Local System to an MSA, please see the KB "Changing from Local System to Managed Service Account for the Quickpass Service" – CyberQP (getquickpass.com)
Resolution
Ensure the service's Log on as account is set to Local System or the MSA. Please see the KB below for more information: "Using MSA for Agent on Domain Controllers - Resolving Inability to Start Service" – CyberQP (getquickpass.com)
Cause 7
Quickpass Windows Service: The Windows service is not running.
Resolution
Ensure the Windows service is running. If the service fails to start or crashes when you try to start it, please see the KB "Using MSA for Agent on Domain Controllers - Resolving Inability to Start Service" – CyberQP (getquickpass.com)
Cause 8
AD Password Policy: The minimum password length in the AD default domain password policy has been changed and is now greater than the password length set for the Quickpass customer in Auto Rotate Settings.
Resolution
If you change the minimum password length in the default domain AD password policy, check the Auto Rotate Settings for that customer and ensure the configured password length is at least that many characters.
Cause 9
Windows Server Essentials and Legacy AD Connect Agent: Windows Server Essentials 2012, 2012 R2 and 2016 have a built-in utility to sync Active Directory passwords to Office 365 that enforces a 16-character limit on Active Directory passwords. AD Connect agent versions prior to May 2019 did the same until Microsoft increased the limit to 256 characters.
If you are using the Passphrase option in Auto Rotate Settings, passwords will be longer than 16 characters.
Resolution
Switch from passphrases to complex passwords with a set character limit in Auto Rotate Settings, then try the password rotation again.
Cause 10
Office 365: The Quickpass application has not been added to the Privileged Authentication Administrator group for the Office 365 tenant in Azure Active Directory.
Resolution
Add the Quickpass application to the Privileged Authentication Administrator group in Azure Active Directory for the Office 365 tenant.
In the Azure portal, go to Azure Active Directory and click Roles and administrators. Type Privileged Authentication Administrator in the Search box, then click Privileged Authentication Administrator under Role.
In the Privileged Authentication Administrator - Assignments window click Add Assignments button.
Type "Quickpass" or "Cyber" (this will depend on when the Azure/Entra/M365 was linked to the Customer) in the Select box then select the Quickpass or CyberQP enterprise application entry and click the Add button.
You can now start to onboard Office 365 / Azure users in Quickpass. Password reset functionality must wait until propagation of these permissions has taken effect in Office 365 / Azure. This may take up to 15 minutes to complete.
Cause 11
LAPS: If a system is currently or was previously managed by LAPS, the following failure message may occur: "Error: The account is controlled by external policy and cannot be modified".
Resolution
Check the settings of whichever system manages LAPS (Intune, Azure, etc.) and verify that the machine receiving the rotation error is not being managed by LAPS.
In some cases, there may be a leftover registry key on the previously managed machine after disabling LAPS. Check the following registry key on the system receiving the failure. If this key is set to Enabled, toggle it to Disabled, restart the machine, and then re-attempt a password rotation.
Registry Key: Computer Configuration/Administrative Templates/LAPS/Enable local admin password management
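The following PowerShell pre-flight check is an added example, not part of the CyberQP KB, that tests the Windows-side conditions behind Causes 4, 5, 6, 7, 8 and 11 before you retry a rotation. The rotated account name, the agent's service name and the configured Auto Rotate password length are placeholders you must replace; the LAPS policy registry paths are the standard locations for legacy LAPS and Windows LAPS policy.

```powershell
# Added diagnostic (not CyberQP code). Run elevated on the domain controller
# or server hosting the Quickpass agent. The three values below are assumptions.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$RotatedAccount   = 'svc-quickpass-rotation'  # assumed: sAMAccountName of the rotated AD account
$ServiceName      = 'QuickpassAgent'           # assumed: agent service name (confirm in services.msc)
$ConfiguredLength = 20                         # assumed: password length in Auto Rotate Settings

$findings = [System.Collections.Generic.List[string]]::new()

# Cause 4: "User cannot change password" blocks the rotation.
$user = Get-ADUser -Identity $RotatedAccount -Properties CannotChangePassword
if ($user.CannotChangePassword) {
    $findings.Add("Cause 4: '$RotatedAccount' has 'User cannot change password' set.")
}

# Cause 5: password filter DLLs load from the LSA 'Notification Packages' value.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$builtIn = @('scecli', 'rassfm')               # filters that ship with Windows
foreach ($pkg in $lsa.'Notification Packages') {
    if ($builtIn -notcontains $pkg) { $findings.Add("Cause 5: non-default password filter registered: $pkg") }
}

# Causes 6 and 7: the service must be running, as Local System or an MSA (name ends in '$').
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    $findings.Add("Service '$ServiceName' not found; check the assumed service name.")
} else {
    if ($svc.State -ne 'Running') { $findings.Add("Cause 7: service '$ServiceName' is $($svc.State).") }
    if ($svc.StartName -ne 'LocalSystem' -and $svc.StartName -notlike '*$') {
        $findings.Add("Cause 6: service logs on as '$($svc.StartName)', not Local System or an MSA.")
    }
}

# Cause 8: the domain minimum length must not exceed the Auto Rotate Settings length.
$minLen = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
if ($minLen -gt $ConfiguredLength) {
    $findings.Add("Cause 8: domain MinPasswordLength $minLen exceeds configured $ConfiguredLength.")
}

# Cause 11: leftover LAPS policy (legacy LAPS AdmPwdEnabled, or Windows LAPS BackupDirectory).
$legacy  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
if ($legacy.AdmPwdEnabled -eq 1) { $findings.Add('Cause 11: legacy LAPS policy is still enabled.') }
$winLaps = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
if ($winLaps.BackupDirectory -gt 0) { $findings.Add('Cause 11: Windows LAPS policy is still enabled.') }

if ($findings.Count -eq 0) { 'No known rotation blockers found.' } else { $findings }
```

Any non-default entry reported under Cause 5 is also worth reviewing on its own, since the same registry value is where unexpected password filter DLLs would show up.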
NEXT STEPS:
Password Retry Mechanism - https://support.getquickpass.com/hc/en-us/articles/9907473165975-Event-Based-Password-Rotations-for-Workstations