When a password reset realm allows a user to unlock their account, the status it shows does not reflect the account's actual state (Normal or Locked). For example, if a user's account IS LOCKED, the realm will still display "Normal."
Likewise, if you enable "Advanced AD User Check" on the Data tab, the realm will correctly tell the user their account is locked, but it hard-stops them immediately after they authenticate and never lets them unlock it.
This guide explains how to set up two password reset realms that work together, so a user can see the true status of their account and unlock it if need be.
- Have a password reset realm already configured, so it can be used as the template when copying realms.
- If you don't have a password reset realm yet, follow the guide here to create one.
- Have a locked AD account to test with.
Okay, now that you've verified you meet all of the prerequisites, let's get started. First, make two copies of your original password reset realm: on the IdP admin page, click Create Realms -> Create New From Existing.
For the sake of this article, we are going to call your two newly created realms Realm A and Realm B.
On Realm A, go to the Post Authentication tab and select "Use Custom Redirect" from the Authenticated User Redirect drop-down. In the "Redirect To" field, enter /RealmB/AuthorizedPasswordReset.aspx, replacing RealmB with the actual name of your Realm B (RealmB is only an example here).
On Realm A, go to the Workflow tab. Under Workflow, set Inline Password Change to Disabled. Under Custom Identity Consumer, set Receive Token to Send Token Only and set Allow Transparent SSO to False. Make sure to click Save.
On Realm A, go to the Data tab and, under Membership Connection Settings, set Advanced AD User Check to False.
On Realm A, go to the Post Authentication tab. Under Forms Auth/SSO Token, click View and Configure FormsAuth keys/SSO token. Under Machine Key, click Generate New Keys. Keep note of these keys; you will need to copy them to Realm B, because Realm B can only validate the token Realm A sends if both realms share the same machine keys. Treat them as secrets: anyone who holds the validation key can forge a token that Realm B will accept. Lastly, on the same page, change Persistent to False under Authentication Cookies so the authentication cookie lives only for the browser session.
On Realm B, go to the Data tab and, under Membership Connection Settings, set Advanced AD User Check to True.
On Realm B, go to the Workflow tab. Under Custom Identity Consumer, set Receive Token to Token and set Allow Transparent SSO to True. Under Workflow, set Inline Password Change to False.
On Realm B, go to the Post Authentication tab. Under Forms Auth/SSO Token, click View and Configure FormsAuth keys/SSO token and paste in the machine keys you generated on Realm A. Click Save.
Test to Ensure Functionality:
Go to Realm A and log in as the user whose AD account is locked.
If everything is set up correctly, Realm A will authenticate you and redirect you to Realm B, and Realm B will display that your account is locked.
Click Unlock and you will see the status change to "Normal." Afterwards, verify in AD that the user's account is unlocked.
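The following PowerShell script is an added example, not part of the original article or of the IdP product. It covers two of the steps above: producing the locked AD test account listed in the prerequisites, and checking from AD's side, after you click Unlock on Realm B, that the account really is unlocked. It assumes the RSAT ActiveDirectory module is installed, that you run it as an account allowed to read lockout attributes, and that the user name and domain below are placeholders for your own dedicated test account (never a real user, since the script deliberately locks it).

```powershell
# Added example (not from the original article): lock a dedicated AD test account by
# generating failed logons, then verify the lock state before and after the Realm A -> Realm B test.
# Assumptions: RSAT ActiveDirectory module present; $TestUser and $Domain are placeholders.
Import-Module ActiveDirectory

$TestUser = 'pwreset.test'        # assumption: dedicated test account, never a production user
$Domain   = 'corp.example.com'    # assumption: your AD DNS domain name

# Lockout is tallied on the PDC emulator, so always read the state from there to avoid
# replication lag making a locked account look unlocked (or vice versa).
$Pdc = (Get-ADDomain -Identity $Domain).PDCEmulator

function Get-LockState {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Server $Pdc -Properties LockedOut, LockoutTime, BadPwdCount
    [pscustomobject]@{
        User        = $u.SamAccountName
        LockedOut   = $u.LockedOut
        LockoutTime = if ($u.LockoutTime) { [DateTime]::FromFileTime($u.LockoutTime) } else { $null }
        BadPwdCount = $u.BadPwdCount
    }
}

function Lock-TestAccount {
    param([string]$SamAccountName)
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $Pdc
    if ($policy.LockoutThreshold -eq 0) {
        throw 'Account lockout is disabled in the default domain policy (LockoutThreshold = 0); nothing to test.'
    }
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Pdc)
    # Deliberately wrong password, one attempt past the threshold, against the PDC so the
    # count is updated immediately rather than after the forwarded-bad-password round trip.
    for ($i = 0; $i -le $policy.LockoutThreshold; $i++) {
        [void]$ctx.ValidateCredentials($SamAccountName, 'definitely-not-the-password')
    }
    $state = Get-LockState -SamAccountName $SamAccountName
    if (-not $state.LockedOut) {
        throw "$SamAccountName did not lock; check for a fine-grained password policy applied to it."
    }
    $state
}

# 1. Prerequisite from the article: a locked AD account to test with.
Lock-TestAccount -SamAccountName $TestUser | Format-List

# 2. Now perform the test in the article by hand: sign in to Realm A as $TestUser, follow the
#    redirect to Realm B, confirm it shows the account as locked, and click Unlock.
Read-Host 'Press Enter after clicking Unlock on Realm B'

# 3. Verification from AD's point of view: the account must no longer be locked.
$after = Get-LockState -SamAccountName $TestUser
if ($after.LockedOut) {
    Write-Warning "$($after.User) is still locked in AD (since $($after.LockoutTime)); the Unlock on Realm B did not take effect."
    # Fallback so the test account is not left locked; remove if you want to re-run the realm test.
    Unlock-ADAccount -Identity $TestUser -Server $Pdc
} else {
    Write-Host "Unlocked: $($after.User), BadPwdCount reset to $($after.BadPwdCount)"
}
```

Reading the state from the PDC emulator is the important detail: with several domain controllers, a query against a random DC can report the account as unlocked while the PDC still has it locked, which would make the realm configuration look broken when it is not.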