This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

CLE and SSPR in offline mode

Given a Client Login Extension (CLE) integration with SSPR, what happens if a user clicks on the forgotten password link while on the Internet without connection to the internal network and therefore without connection to the AD Domain?

It will change the password in SSPR and the password will be changed in the Domain, but the workstation will not know about the change until it connects to the internal network.
Or is CLE able to change the password in the local cache of the workstation?


José Luis

  • Hi!

    The CLE is merely a helper that launches a browser with the SSPR link opened. If you have no connection to SSPR, it does not work.

    I suggest having a DMZ SSPR instance (or available externally protected with NetIQ AccessManager or other means for example).

    The connection between SSPR and the AD domain does not matter for the external client usage. That's backend communication.


    Tor Harald Lothe

  • I must have expressed myself badly, since the case is just the opposite. The user has connection with SSPR but not with the AD.

    Therefore, he/she changes the password in SSPR (changes it in AD) but the workstation will not know that he has a new password in AD.

  • Oh - sorry! Perhaps I didn't read thoroughly either :) 

    To my knowledge there is no update of the password on the client itself after changing it in SSPR through the restricted browser - but I might be wrong on that one. Anyone?


    Tor Harald Lothe

  • Suggested Answer

    We use Advanced Authentication Credential Provider and CLE Credential provider on Windows. Both the AA and CLE Credential Provider as architected today are unable to update the locally cached credential for the Windows OS native Credential Provider, which needs direct line of sight to an AD Domain Controller to be achieved. There are competitor password self-service solutions that facilitate this off-prem ability to update the Windows CP local credential cache, and I've currently got an open ticket asking the AA/CLE team to consider building similar functionality into their product as well.

    Would certainly help if you opened an enhancement request/IDEAS portal request and/or support ticket asking for the same, to help demonstrate demand.

  • Thanks for your answer. I'll open a support ticket asking for it, as It doesn't make sense, in the current scenario with many users working remotely, if he is not connected to the VPN, he will use the "Forgotten Password" function and it won't help him to get access to his workstation.

  • Exactly same situation here, as I suspect is true at most every company. Even before the pandemic, remote work was on the rise. During the pandemic, "Work from Home" schedules instantly became an enormous reality IT everywhere has had and continues to have to support.

    Leads to tons of Service Desk calls every week as well as lost productivity and frustration for end-users.

  • Hi! Support will guide you here for product enhancements : you create an enhancement request I'll make sure to get you some votes :) 

  • Hi. Should it be an enhancement for SSPR or for CLE?  The problem is that CLE doesn't appear as a product.

  • Post in it SSPR and mention Advanced Authentication Credential Provider as well as CLE (as Elfstone mentioned). :)