
PeterA.55388 (Customer) asked a question.
Hi Okta-ers,
We're currently using Delegated Auth with AD successfully, but are looking to implement Self Service Password recovery functionality.
I've followed the steps outlined here to grant our service account the necessary permissions to reset user passwords: https://help.okta.com/en/prev/Content/Topics/Directory/ad-agent-install.htm
The experience I am seeing during testing is as follows:
- Attempt a password reset
- Receive password reset email
- Answer security question
- Set new password
- Be prompted for my factor
- (It is at this point that the AD account for my account is set to 'User must change password at next logon')
- Be prompted to enter the password I have just set as the 'old password', and re-enter and confirm a new password
This is an awful user experience, and I hope it's not expected behaviour.
Does anyone have Self Service Password recovery set up and working on their tenant? Is there something outside of the documentation I am missing?
When our service account is added to 'Domain Admins', this functionality works as expected without a second password reset needed.
Thanks in advance,
Peter
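The check a practitioner would want before falling back to Domain Admins is to see exactly which rights the delegated service account holds on the users OU. The script below is an added example, not part of this thread and not Okta's tooling: it reads the OU's ACL and flags two grants that are relevant when a reset should not leave the account flagged to change its password at next logon, the "Reset Password" extended right and write access to the pwdLastSet attribute. The account name and OU distinguished name are placeholders; GUIDs are resolved from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not from the thread): audit the ACEs a delegated service account holds
# on the users OU. Only direct grants to this identity are listed; rights the account
# receives through group membership (e.g. Domain Admins) are not expanded here.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-okta-agent'      # placeholder: your AD agent service account
$UsersOu        = 'OU=Users,DC=contoso,DC=com'  # placeholder: OU the account is delegated on

$rootDse = Get-ADRootDSE

# Resolve the schema GUID of pwdLastSet (the attribute behind "must change password at next logon").
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID

# Resolve the rights GUID of the "Reset Password" control access right.
$resetPwdGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGUID).rightsGUID

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Pull the OU's security descriptor and keep only ACEs granted directly to the service account.
$acl  = Get-Acl -Path "AD:\$UsersOu"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }

# An ObjectType of Guid.Empty means the ACE applies to all properties / all extended rights.
$canResetPassword = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
    ($_.ObjectType -eq $resetPwdGuid -or $_.ObjectType -eq [guid]::Empty)
}
$canWritePwdLastSet = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeProperty) -ne 0) -and
    ($_.ObjectType -eq $pwdLastSetGuid -or $_.ObjectType -eq [guid]::Empty)
}

# Summary first, then the raw ACEs so the inheritance scope can be reviewed by hand.
[pscustomobject]@{
    ServiceAccount        = $ServiceAccount
    TargetOu              = $UsersOu
    DirectAceCount        = @($aces).Count
    HasResetPasswordRight = [bool]$canResetPassword
    HasPwdLastSetWrite    = [bool]$canWritePwdLastSet
}

$aces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
    ObjectType, InheritanceType, InheritedObjectType | Format-Table -AutoSize
```

Run it as an account that can read the OU's security descriptor; the point is to compare the narrow set of rights the documentation delegates against what a Domain Admins membership silently supplies, and keep the service account at the smaller set.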

Thank you for reaching out to Okta support today.
The enforcement and requirements for your AD mastered users come from your Active Directory.
The Active Directory policy settings in Okta should match your AD only to ensure the necessary prompts appear when a user is not adhering to the policy you have configured.
Your admins should be resetting AD passwords in AD, if that is what you've chosen for authentication.
If you're pushing passwords from Okta > AD, then they can send the end user a password reset link from the Okta admin console, or use the Okta API to reset the password directly.
For more, check out our documentation on Security Policies from the Help site. If you'd like to discuss in more detail, feel free to open a case with Okta support.