
Remote Password Cache Update

Status: Draft Updated: 18 Aug 2025
Pending action

New article, needs full write-up

What is Remote Password Cache Update

At its core, Remote Password Cache Update is a feature of the MyPass Windows Client that lets a workstation securely refresh its locally stored (cached) domain password after a Self-Service password reset, even when the device is not connected to the corporate network. Windows keeps a cached verifier of the last password that a Domain Controller validated, so that the user can still log on while offline; after a password is reset remotely, that cache still holds the old password until the workstation can reach a Domain Controller again. The feature closes that gap by bringing up a VPN connection to the on-premises Active Directory Domain Controllers and refreshing the cache, so the user can log in with the new credentials straight away, without first having to connect to the corporate Wi-Fi or office network.

Why use Remote Password Cache Update Feature

The Remote Password Cache Update feature of the MyPass Windows Client addresses a recurring problem in enterprise password management: a user who resets a password while away from the office cannot log on to the workstation with it until the machine has validated the new password against a Domain Controller. The feature removes the need for users to physically connect to the corporate network after a reset, saving the user time and reducing HelpDesk workload. Because the VPN connection and cache refresh happen in the background, the user simply logs in with the new password.

Requirements

  • MyPass Windows Client: This feature requires an existing installation of the MyPass Windows Client. To keep administrative effort low, deploy the feature together with the Windows Client if the client is not yet installed. Alternatively, the Remote Password Cache Update feature can be bundled with the Windows Client in a single package once the next Windows Client version is released.
  • VPN Tooling: Use an existing VPN tool that offers a command-line interface (CLI), because the Windows Client has to open and close the tunnel unattended by running scripts. If your organization lacks a suitable VPN solution, we can work with you to recommend one for your environment.
  • Network Access: The VPN must let the workstation reach an internal Domain Controller (DC); a Read-Only Domain Controller (RODC) also works. At a minimum the tunnel has to pass DNS lookups for the domain's SRV records, Kerberos (port 88) and LDAP (port 389) to the DC, since those are what the Kerberos authentication and the password cache update depend on.

Configuration

  • Choosing VPN Mode: Choose between Partial VPN (the tunnel is brought up only after a password reset in the Windows Client) and Full VPN (the tunnel is brought up as soon as the Launch Panel is clicked), based on your network requirements and security policies.
Partial VPN Experience

Partial VPN: Right after the user resets their password through the Windows Client, a VPN tunnel is established in the background so that the new password can be validated against the company network and written to the device's local password cache.

Logical Steps:

  1. When the Windows Client starts, it opens the Self-Service web page and displays it to the user.
  2. Once the user completes a Self-Service password reset and clicks the Exit/Close button, the Windows Client checks whether the reset completed successfully.
  3. Only if a password reset was successfully carried out is the VPN tunnel established in the background.
  4. If the tunnel comes up and the MyPass Windows Client can reach an on-premises domain controller, the password cache is updated with the new password from the domain.
  5. After a few seconds the Windows Client closes and the user can log in with the new password.
Full VPN Experience

Full VPN: A VPN tunnel is established immediately when the user clicks the Windows Client Launch Panel. This mode suits on-premises implementations of MyPass, and deployments that restrict access to the Self-Service portal to approved locations such as the corporate network, because the portal itself is only reachable once the tunnel is up.

Logical Steps:

  1. As soon as the Windows Client is activated, it tries to determine whether a domain controller is contactable. If none can be reached and the configuration is set to Full VPN, the VPN open script is executed.
  2. Once the VPN is up, the FastPass server is contacted and the user carries out the reset.
  3. When the user exits the client, the client checks whether the user completed a password reset; if so, the local password cache is updated.
  4. The VPN is closed.
  • VPN Access for Authentication: The Windows Client needs credentials to establish the VPN tunnel unattended, typically a service account configured in your VPN software. Because nobody is present to answer a prompt, the account must be able to authenticate with a password alone; an MFA challenge cannot be completed by an unattended script. For cost efficiency a single service account with Multi-Factor Authentication (MFA) disabled may be used, but note that its credential is then distributed to every workstation that receives the package, so treat it as exposed: give it a long, complex password, restrict what the VPN lets it reach to the Domain Controller traffic described under Requirements, and plan for rotating it. Alternatively, if all users are licensed for the VPN software and the VPN tool is configured for Active Directory Single Sign-On (SSO), the users' own VPN credentials can be used to establish the connection. Either way, the workstation can then communicate with the Domain Controller and update the locally cached password.
  • Training the VPN: We will work with your VPN team to teach the Windows Client which credentials and VPN endpoints to use, so that it can establish a connection at your chosen time and update the machine's cached credentials. These scripts will be provided to you directly once testing is complete.
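The Partial and Full VPN flows above, and the VPN access bullet, share the same building blocks: a check for a reachable domain controller, a VPN open script that brings the tunnel up with a stored credential, and a VPN close script. The following is an added example of such an open/close wrapper in PowerShell; it is not MyPass or FastPass code, and the scripts your VPN team delivers will differ. The CLI name vpncli.exe with its -s, connect and disconnect interface, the endpoint vpn.example.com, the domain corp.example.com and the credential file path are all placeholders. The exit code is the contract with the calling client: 0 only when a domain controller is reachable (so the cache update can go ahead), non-zero otherwise.

```powershell
<#
  Added example, not MyPass/FastPass code. VPN open/close wrapper of the kind the
  Windows Client executes: in Partial mode it is called with -Action Open after a
  successful reset, in Full mode at launch; -Action Close runs when the client exits.
  Assumptions: vpncli.exe and its verbs, the endpoint, domain and credential path.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Open', 'Close')][string]$Action,
    [string]$DomainFqdn     = 'corp.example.com',                            # assumption
    [string]$VpnCli         = 'C:\Program Files\ExampleVPN\vpncli.exe',      # assumption
    [string]$VpnEndpoint    = 'vpn.example.com',                             # assumption
    [string]$CredPath       = 'C:\ProgramData\MyPass\vpn-service.cred.xml',  # assumption
    [int]$TimeoutSeconds    = 60
)

function Test-DomainController {
    # Locate DCs via the domain's Kerberos SRV record and require TCP/88 (Kerberos)
    # and TCP/389 (LDAP) on at least one of them; both are needed for the refresh.
    try {
        $srv = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction Stop
    } catch { return $false }
    foreach ($rec in ($srv | Where-Object { $_.NameTarget })) {
        $reachable = $true
        foreach ($port in 88, 389) {
            if (-not (Test-NetConnection -ComputerName $rec.NameTarget -Port $port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue)) {
                $reachable = $false; break
            }
        }
        if ($reachable) { return $true }
    }
    return $false
}

function Connect-Vpn {
    # The service-account credential is stored with Export-Clixml, which DPAPI-protects
    # it for the account that exported it. Export it once under the same account the
    # Windows Client runs as; never keep a plaintext password inside the script.
    $cred = Import-Clixml -Path $CredPath
    # Feed user name and password on stdin (assumed "-s" script mode of the CLI).
    # A password on the command line would be visible to every local user.
    @("connect $VpnEndpoint", $cred.UserName, $cred.GetNetworkCredential().Password) |
        & $VpnCli -s 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Disconnect-Vpn {
    & $VpnCli disconnect 2>&1 | Out-Null
}

function Wait-DomainController {
    # Poll until a DC answers through the tunnel, or give up after the timeout.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (Test-DomainController) { return $true }
        Start-Sleep -Seconds 3
    }
    return $false
}

switch ($Action) {
    'Open' {
        # Already on the corporate network (or an RODC is in reach): no tunnel needed.
        if (Test-DomainController) { exit 0 }
        if (-not (Connect-Vpn)) { Write-Error 'VPN connect failed'; exit 2 }
        if (-not (Wait-DomainController)) {
            Write-Error "No domain controller reachable within $TimeoutSeconds s"
            Disconnect-Vpn       # do not leave a half-working tunnel behind
            exit 3
        }
        exit 0                   # caller may now refresh the password cache
    }
    'Close' { Disconnect-Vpn; exit 0 }
}
```

To create the credential file once, run `Get-Credential | Export-Clixml C:\ProgramData\MyPass\vpn-service.cred.xml` under the account the Windows Client executes scripts as; a file exported under a different account cannot be decrypted by the client. The script exits 0 without opening a tunnel when a domain controller is already reachable, which is the check the Full VPN flow performs at launch, and it tears the tunnel down itself if no domain controller appears within the timeout, so the client never attempts a cache update over a tunnel that cannot reach the domain.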
tip

It is advisable to implement this feature before performing any large software distribution to your audiences, as the configuration and script files need to be placed within the Windows Client installation files.