Troubleshooting password reset issues

Symptoms:

If any of the following conditions apply to your situation, this article is for you.

  • You change your password on identity.mines.edu and it seems to have saved successfully, but then you can't use your password on Windows lab computers.
  • You have different passwords for Windows lab computers and all other services.

The Solution:

You MUST create a brand new password. This is absolutely essential. If you think you are using a new password, you must have forgotten that you used it at one point in the past. Please create something unlike anything you have used before, to avoid accidentally reusing an old password.

The Details:

The MultiPass system actually consists of several different accounts that are linked together.

ADIT Account (Windows Active Directory):

  • This account is hosted on our Windows domain controllers
  • This account is the only account for which the password actually expires after 6 months
  • This is the only account that enforces the rule that you cannot re-use your last 7 passwords
  • This account is used when logging into Microsoft online products, such as portal.office.com

Linux Systems and Shibboleth Single Sign On (LDAP and Kerberos):

  • This account handles all single sign on logins for things like Canvas, Mymail, etc.
  • This account is used to log in to campus Linux computers
  • Passwords do not actually expire on this account
  • You can re-use old passwords on this account

Trailhead (Luminis):

  • This account is only used when you log in to Trailhead
  • Passwords do not actually expire on this account
  • You can re-use old passwords on this account

The Illusion of a MultiPass account (Trident):

  • Trident is the system that manages all three of these sub-accounts to give the illusion of a MultiPass, single account system
  • The customer facing portal into Trident is identity.mines.edu
  • Authentication into Trident is handled by the LDAP account
  • Communication between Trident and the other three systems is uni-directional. When a password is changed in Trident, it is pushed out to the other three systems, but they cannot respond with a success or failure message

The bottom line: The result of all of the technical details mentioned above is that when Trident pushes a password change down to the other three accounts, any one of them can fail, and Trident will have no idea. Further, the password will still be changed on the systems that did not fail. This means that if you re-enter an old password, the password will be successfully pushed to the LDAP and Luminis systems, but it will fail on the Windows system. Since the communication is uni-directional, Trident will say that the password change was successful, even though it was not successful on all systems.
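To make the failure mode above concrete, here is a small model of the one-way push, written for this article as an added illustration; it is not Trident's code, and every class and function name in it (Backend, push_fire_and_forget, push_checked, scenario) is an assumption. The three backends are constructed to mirror the sub-accounts described above: only the Windows AD account refuses the last 7 passwords. The fire-and-forget pusher discards each backend's answer and always reports success, which is exactly how a reused password leaves AD on the old password while LDAP and Luminis move to the new one. The checked pusher beside it shows the kind of design that prevents the split: ask every backend whether it would accept the password first, and commit to all of them only when none objects.

```python
from dataclasses import dataclass, field
from hashlib import sha256


def fingerprint(pw: str) -> str:
    # Toy fingerprint for the history list; a real directory stores a salted hash.
    return sha256(pw.encode()).hexdigest()


@dataclass
class Backend:
    """One linked account. history_depth > 0 means the last N passwords may not be reused."""
    name: str
    history_depth: int = 0
    current: str = ""
    history: list = field(default_factory=list)

    def accepts(self, pw: str) -> bool:
        if not self.history_depth:
            return True                     # LDAP/Luminis: no re-use rule
        return fingerprint(pw) not in self.history[-self.history_depth:]

    def set_password(self, pw: str) -> bool:
        if not self.accepts(pw):
            return False                    # AD rejects a reused password
        self.current = pw
        self.history.append(fingerprint(pw))
        return True


def make_backends():
    # Constructed to mirror the three sub-accounts described in the article.
    return [Backend("ADIT (Windows AD)", history_depth=7),
            Backend("LDAP/Kerberos"),
            Backend("Luminis")]


def push_fire_and_forget(backends, pw: str) -> dict:
    """The uni-directional push: every backend is told the new password,
    no result is read, and the caller is always told the change succeeded."""
    for b in backends:
        b.set_password(pw)                  # return value discarded
    return {"ok": True, "rejected_by": []}


def push_checked(backends, pw: str) -> dict:
    """Assumed hardened variant: ask every backend whether it would accept the
    password first, and commit to all of them only when none objects, so a
    reused password is refused up front instead of splitting the accounts."""
    rejected = [b.name for b in backends if not b.accepts(pw)]
    if rejected:
        return {"ok": False, "rejected_by": rejected}
    for b in backends:
        b.set_password(pw)
    return {"ok": True, "rejected_by": []}


def in_sync(backends) -> bool:
    # True when all three accounts hold the same password.
    return len({b.current for b in backends}) == 1


def scenario(pusher, reuse_old: bool):
    """Seed three past passwords, then change to either an old one or a fresh one.
    Returns (what the portal reported, whether the accounts still agree,
    each account's current password)."""
    backends = make_backends()
    for i in range(3):
        pusher(backends, f"pw{i}")          # past passwords: pw0, pw1, pw2
    new_pw = "pw0" if reuse_old else "pw-fresh"
    reported = pusher(backends, new_pw)
    return reported, in_sync(backends), [b.current for b in backends]


if __name__ == "__main__":
    for pusher in (push_fire_and_forget, push_checked):
        rep, synced, cur = scenario(pusher, reuse_old=True)
        print(f"{pusher.__name__}: reported={rep} in_sync={synced} passwords={cur}")
```

Running it shows the two outcomes side by side: with the fire-and-forget push the portal reports success while the Windows account is left on the previous password, and with the checked push the reuse is refused before anything changes, so all three accounts stay in agreement. The same pre-check is why the advice above works in practice: a password that none of the backends has seen before is accepted by all of them.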

Details

Article ID: 86541
Created: Tue 9/10/19 10:59 AM
Modified: Tue 9/10/19 11:13 AM