Change password with AD LDS

    Applies to:
      • Legacy SecureAuth IdP
    Deployment model:
      • On Premises
    Affected Versions: All

    By default, AD LDS requires that you perform password operations over a secure channel. If you try to reset a password over a non-secure channel (e.g., a default LDAP connection through LDP), you'll receive the error message: "Illegal modify operation. Some aspect of the modification is not permitted."

    To resolve this problem, you should use an LDAP over Secure Sockets Layer (SSL) connection, which requires a certificate installed for the AD LDS instance, to secure the connection.

    Another option is to disable the secure-channel requirement so that you can reset the password over a non-secure channel. You should not use this option in your production environment: it has security problems because the password can be read from the network.

    To disable the secure-channel requirement, perform the steps below.

    1. Start the ADSI Edit tool and connect to the "Configuration partition" of the AD LDS instance.
    2. Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID of the AD LDS instance}.
    3. Right-click "CN=Directory Service" and select Properties.
    4. Double-click the dSHeuristics attribute.
    5. Set the value to 0000000001001 and click OK. Click OK again to close the CN=Directory Service properties box.
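The following PowerShell script is an added example; it is not part of the original article and is not SecureAuth's or Microsoft's code. It covers both approaches above from the administrator's side: Test-NonSecurePasswordOps reads dSHeuristics from the CN=Directory Service object of the instance's configuration partition and reports whether character 13 (fAllowPasswordOperationsOverNonSecureConnection, the trailing 1 in the value 0000000001001) has been set, so you can find instances where the secure-channel requirement was left disabled; Set-AdldsPasswordOverLdaps performs the reset the recommended way, over LDAPS. The host name, ports, account DN and credential are assumptions you must replace with your own values.

```powershell
# Added example, not from the original article. Assumed values: host name, ports,
# the target account DN and the administrative credential are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'adlds.example.com'   # assumed: host running the AD LDS instance
$LdapPort  = 389                   # assumed: non-secure LDAP port of the instance
$LdapsPort = 636                   # assumed: LDAPS port of the instance

function Test-NonSecurePasswordOps {
    <#
      Returns $true when dSHeuristics on CN=Directory Service has character 13
      (fAllowPasswordOperationsOverNonSecureConnection) set to 1, i.e. the
      instance accepts password operations over a non-secure channel.
    #>
    param([string]$ComputerName, [int]$Port)

    # RootDSE publishes configurationNamingContext, which already ends in
    # CN=Configuration,CN={GUID}, so the instance GUID need not be typed by hand.
    $rootDse    = [ADSI]"LDAP://${ComputerName}:${Port}/RootDSE"
    $configNc   = [string]$rootDse.configurationNamingContext
    $dsPath     = "LDAP://${ComputerName}:${Port}/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $heuristics = [string]([ADSI]$dsPath).dSHeuristics   # empty string when the attribute is unset

    if ($heuristics.Length -lt 13) { return $false }
    return ($heuristics[12] -eq '1')
}

function Set-AdldsPasswordOverLdaps {
    <#
      Administrative password reset over LDAP over SSL, the approach the article
      recommends. unicodePwd expects the new password wrapped in double quotes and
      encoded as UTF-16LE; the directory rejects this write on a non-SSL session.
    #>
    param(
        [string]$ComputerName,
        [int]$Port,
        [string]$UserDn,                                  # e.g. CN=user,OU=People,DC=example,DC=com (assumed)
        [System.Net.NetworkCredential]$AdminCredential,
        [System.Security.SecureString]$NewPassword
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ComputerName, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.SessionOptions.SecureSocketLayer = $true   # the write below is only accepted on an SSL session
    $connection.SessionOptions.ProtocolVersion   = 3
    $connection.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $connection.Credential = $AdminCredential
    $connection.Bind()

    # Decode the SecureString only for the moment the request is built.
    $plain    = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $pwdBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')

    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($pwdBytes)

    $request  = New-Object System.DirectoryServices.Protocols.ModifyRequest($UserDn, $mod)
    $response = $connection.SendRequest($request)
    $connection.Dispose()
    return $response.ResultCode   # Success when the reset was accepted
}

# Audit: flag an instance that still allows password operations over a non-secure channel.
if (Test-NonSecurePasswordOps -ComputerName $Server -Port $LdapPort) {
    Write-Warning "dSHeuristics on $Server allows password operations over a non-secure channel"
}
```

Run the audit part against each AD LDS instance after a troubleshooting session to confirm the secure-channel requirement was restored (the 13th character back to 0). For the reset, bind with an account that has write access to unicodePwd on the target object; the Bind call fails rather than falling back to clear text if the instance's certificate cannot be validated, which is the behaviour you want.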