SecureAuth IdP Version affected: All
- Realm configuration is set to Enforce Password Change Requirements
- The Active Directory Enforce password history setting is configured to remember the user's last 3 passwords. The user performs multiple password resets and is able to reuse the second and third most recent passwords (#2 and #3).
When Enforce Password Change Requirements is used, the SecureAuth appliance makes a randomized password change in Active Directory BEFORE the user's actual password is reset. In effect, the user's password is changed twice for every password reset they perform.
For this example, if the desired password history to be remembered is 3, you need to set this value in Active Directory to 6. This accounts for the 3 user password changes plus the 3 randomized password resets done by the appliance as part of the password reset process, for a total of 6.
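The following simulation is an added example, not SecureAuth or Microsoft code. It models password history as a simple list of the last N passwords set (current one included), which is an assumption made for illustration, and shows how the appliance's randomized change uses up history slots. The class, function names and sample passwords are constructed.

```python
import secrets
from collections import deque


class SimulatedDirectory:
    """Simplified model (assumption): remembers the last `history_len`
    passwords set, current one included, and rejects any match."""

    def __init__(self, history_len):
        self.history = deque(maxlen=history_len)

    def set_password(self, password):
        if password in self.history:
            return False  # rejected by password history
        self.history.append(password)
        return True


def idp_reset(directory, new_password):
    """One reset as the article describes it: a randomized change first,
    then the password the user actually chose."""
    directory.set_password(secrets.token_urlsafe(16))  # appliance's random change
    return directory.set_password(new_password)


def reusable_after_resets(history_len, user_passwords):
    """Perform one reset per password (oldest first), then return the
    passwords the user could set again on the next reset, newest first."""
    directory = SimulatedDirectory(history_len)
    for pw in user_passwords:
        idp_reset(directory, pw)
    reusable = []
    for pw in reversed(user_passwords):
        trial = SimulatedDirectory(history_len)
        trial.history.extend(directory.history)  # fresh copy of state per trial
        if idp_reset(trial, pw):
            reusable.append(pw)
    return reusable


# Constructed sample passwords, oldest first.
PASSWORDS = ["Pw-one", "Pw-two", "Pw-three", "Pw-four"]

if __name__ == "__main__":
    # History of 3: only the most recent user password is still blocked.
    print("history=3 reusable:", reusable_after_resets(3, PASSWORDS))
    # History of 6: the last 3 user passwords are blocked, as intended.
    print("history=6 reusable:", reusable_after_resets(6, PASSWORDS))
```

With a history of 3, only the most recent user password is rejected. With a history of 6, the three most recent user passwords are rejected and only the fourth-oldest can be reused.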