
Configure the connection to an AD credential store

You create a Password Reset credential store record to configure access to your Active Directory server while a user is changing or resetting a password. In addition to host connection information, you can specify the password hints that users should see, restrictions on password reuse, the allowed number of failed reset attempts, and other settings.

About this task

The Orchestration add-on installs the AD Credential Store type. The Password Reset Windows Application supports only the AD Credential Store type.

Procedure

  1. Navigate to Password Reset > Credential Stores and select Sample AD Credential Store to use as a template.
  2. Enter a unique and meaningful Name and Description and then fill in the form.
    Type: Select AD Credential Store. A ServiceNow credential store type is a template that provides the required set of capabilities for a particular type of credential store. Credential stores inherit the functionality of the credential store type.
    Auto-generate password: Specify a script include that generates a temporary password for use during the reset process.
    Note: If you select the Enforce history policy check box, you must specify a value for Auto-generate password.
    Enforce history policy: Appears only if you select a credential store Type of AD Credential Store or Local ServiceNow Instance. For information on configuring the setting for credential store types other than AD, see Configure the connection to a credential store for the Password Reset processes.

    Select the Enforce history policy check box to enforce both of the following password reset policies:

    • History policy (password reuse): Active Directory domains can be configured with a history policy that prevents users from reusing passwords. For example, the history policy might forbid reusing any of the previous 10 passwords when resetting a password.
    • Maximum number of reset attempts: You can configure the maximum number of attempts to reset a password. A user who fails to reset the password (by violating the password policy or the history policy) the specified number of times is blocked.

    To enforce both the history policy that is configured for the AD credential store and the password policy:

    1. Select the Enforce history policy check box.
    2. In the Password Reset Credential Store Parameters related list, set the max_reset_attempts parameter to the number of allowed attempts to change or reset the password. An attempt fails when the candidate password violates the password or history policies that are set up on the remote AD server. The max_reset_attempts setting applies only to Password Reset processes that use AD credential stores. The default value of 0 (zero) allows an unlimited number of reset attempts; a user who keeps submitting rejected passwords is blocked only when this value is nonzero.
    Hostname: Specify the URL or IP address of the credential store.
    User account lookup: Specify the script include that maps the user's ServiceNow platform ID to the user's credential store ID.

    The default script, PwdDefaultUserAccountLookup, returns the user's ServiceNow platform user name.

    Password rule hint: Specify the text that appears on the password reset page to help the user create a password that meets all requirements. The Password rule script enforces the requirements, so keep the hint and the rule in sync.
    Note: The Password Reset Windows Application supports newline characters in the hint. Other formatting (bold, underline, hyperlink, and so on) is not supported.
    Password rule: Specify the client script that validates the new password that the user enters. The script is invoked when the user enters a new password and clicks Password Reset. You can use the script to enforce password strength and complexity requirements. Because it runs on the client, the script guides the user; the password policy of the AD domain is still applied when the password is set and can reject a password that the script accepted.
    Enable Password Strength: Select the check box to:
    • Display the text box for the Strength rule script so that you can update the script.
    • Display the graphical Password Strength bar to the user while the user changes or resets the password.
    Note: The Password Reset Windows Application does not support Password Strength.
    Strength rule: This text box appears only if you select Enable Password Strength.

    Specify the client script that calculates the strength or complexity of the password that the user enters. The script is invoked as the user begins to type a new password during the reset process.

    Default settings:
    • Selected for local ServiceNow credential stores
    • Not selected for other credential stores
    Note: To guide the user during the reset process, the system displays a graphical bar labeled Password Strength under the New password field.

    (Figure: Password strength indicator)
  3. Click Submit.
  4. On the domain controller, set Password Aging (MIN_PASSWORD_AGE) to zero. The reset process sets an auto-generated temporary password that the user immediately replaces, so a nonzero minimum password age would cause the domain controller to reject the user's new password.
  5. To enforce the history policy that is configured for the AD credential store, follow these steps:
    1. Open the Password Reset process that is associated with the credential store: Password Reset > Processes.
    2. On the Password Reset Details tab of the Password Reset Process form, clear the Auto-generate password check box and then save the process definition.
    3. On the domain controller, set the history policy to twice the number of user-chosen passwords that you want remembered. For example, to prevent the last 11 user-chosen passwords from being repeated, set the history policy to 22.
      Note: To enforce the history policy that is configured for the AD credential store, the system auto-generates a new temporary password for each reset cycle, even though you cleared the Auto-generate password check box on the Password Reset Process form. Because the user immediately replaces the temporary password with a new password, each reset cycle consumes two entries in the domain's password history, which is why the domain value is doubled.
  6. To enforce the maximum number of attempts to reset the password: In the Password Reset Credential Store Parameters related list, set the value of the max_reset_attempts parameter to the number of allowed failed attempts. The default value of 0 (zero) enables an unlimited number of reset attempts.
    Note: The max_reset_attempts setting applies only to Password Reset processes that use AD credential stores.
  7. Click Submit.
  8. Test the connection to the credential store.
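The following is an added example, not ServiceNow's own code. It models the three pieces that this form asks for (the Password rule hint, the Password rule script, and the Strength rule script) together with a server-side counter for the max_reset_attempts parameter, including the documented edge case that 0 means unlimited. How the platform invokes a rule script and consumes its return value is not reproduced here; the function names, the rule set, and the sample passwords are all assumptions made for the example.

```javascript
"use strict";

// Added example (not ServiceNow's own code). Function names are hypothetical;
// the ServiceNow client-script wiring is assumed, not reproduced.

// Hint lines shown on the reset page (newlines are the only formatting the
// Windows application supports). Each line maps one-to-one to a check in
// passwordRuleViolations, so the hint never promises what the rule does not
// enforce, and vice versa.
const HINT_LINES = [
  "At least 12 characters",
  "At least three of: upper-case letter, lower-case letter, digit, symbol",
  "No character repeated three or more times in a row",
  "Must not contain your user name",
];
const PASSWORD_RULE_HINT = HINT_LINES.join("\n");

const CHARACTER_CLASSES = [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/];
const REPEATED_RUN = /(.)\1\1/;

function characterClassCount(password) {
  return CHARACTER_CLASSES.filter((re) => re.test(password)).length;
}

// Password rule: returns the hint lines that the candidate violates. An empty
// array means the password passes the client-side rule. The AD domain policy
// is still applied when the password is actually set, so this guides the user
// and is not the final authority.
function passwordRuleViolations(password, userName) {
  const violations = [];
  if (password.length < 12) violations.push(HINT_LINES[0]);
  if (characterClassCount(password) < 3) violations.push(HINT_LINES[1]);
  if (REPEATED_RUN.test(password)) violations.push(HINT_LINES[2]);
  if (userName && userName.length >= 3 &&
      password.toLowerCase().includes(userName.toLowerCase())) {
    violations.push(HINT_LINES[3]);
  }
  return violations;
}

// Strength rule: a 0..100 score for the Password Strength bar. Length carries
// most of the weight (up to 60), character variety adds up to 40, and repeated
// runs or single-class strings are penalised.
function passwordStrength(password) {
  if (!password) return 0;
  let score = Math.min(password.length, 20) * 3;
  score += characterClassCount(password) * 10;
  if (REPEATED_RUN.test(password)) score -= 15;
  if (/^[A-Za-z]+$/.test(password) || /^[0-9]+$/.test(password)) score -= 10;
  return Math.max(0, Math.min(100, score));
}

// One reset cycle for one user, modelling max_reset_attempts: every rejected
// candidate counts as a failed attempt; 0 (the documented default) means no
// limit; once the limit is reached, further candidates are refused unevaluated.
function createResetCycle(userName, maxResetAttempts) {
  let failed = 0;
  const limitReached = () => maxResetAttempts > 0 && failed >= maxResetAttempts;
  return {
    submit(candidate) {
      if (limitReached()) {
        return { accepted: false, blocked: true, violations: [] };
      }
      const violations = passwordRuleViolations(candidate, userName);
      if (violations.length > 0) failed += 1;
      return { accepted: violations.length === 0, blocked: limitReached(), violations };
    },
    failedAttempts() { return failed; },
  };
}

// Constructed sample run: two weak candidates exhaust a limit of 2, so the
// third candidate is refused even though it would have passed the rule.
function sampleRun() {
  const cycle = createResetCycle("jdoe", 2);
  return ["password", "Tr0ub4dor&3", "J.Doe-Winter-2024!"].map((candidate) => ({
    candidate,
    strength: passwordStrength(candidate),
    ...cycle.submit(candidate),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(PASSWORD_RULE_HINT);
  console.table(sampleRun());
}
```

Run it with node to see the hint text and the per-candidate outcome. The point of keeping HINT_LINES and the checks in passwordRuleViolations aligned is that a rejected attempt can tell the user exactly which hint line was violated, which reduces wasted attempts against a finite max_reset_attempts budget.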