Remote Password Cache Update
What is Remote Password Cache Update
At its core, Remote Password Cache Update is a feature that allows a user's workstation to securely update its locally stored (cached) password after the user has reset that password through the MyPass Windows Client, even when the device is not directly connected to the corporate network. Users can therefore reset passwords remotely: the client integrates with on-premises Active Directory Domain Controllers over a VPN connection, and the refreshed password cache lets the user log in with the new credentials without first connecting to corporate Wi-Fi.
Why use Remote Password Cache Update Feature
The Remote Password Cache Update feature of the MyPass Windows Client addresses critical challenges in enterprise password management. It eliminates the need for users to physically connect to corporate networks for password updates, saving time and reducing helpdesk workload. By enabling secure, remote password resets through a VPN connection, it ensures seamless access to updated credentials, enhancing user productivity.
Requirements
- MyPass Windows Client: This feature requires an existing installation of the MyPass Windows Client. To streamline administrative efforts, we recommend deploying this feature concurrently with the MyPass Windows Client if it has not yet been installed. Alternatively, the Remote Password Cache Update feature can be bundled with the MyPass Windows Client in a single package upon the release of the next Windows Client version.
- VPN Tooling: For seamless integration with the MyPass Windows Client, we recommend using an existing VPN tool with command-line interface (CLI) capabilities to facilitate secure remote connections. If your organization lacks a suitable VPN solution, we can collaborate with you to recommend one tailored to your specific environment.
- Network Access: The VPN must provide connectivity to internal Domain Controllers (DCs); Read-Only Domain Controllers (RODCs) also work. This connectivity is what allows the workstation to perform Kerberos authentication and update its password cache.
Configuration
- Choosing VPN Mode: Decide between Partial VPN (activates VPN post-password reset from the Windows Client) or Full VPN (establishes a VPN tunnel once the Launch Panel is clicked) based on your network requirements and security policies.
Partial VPN Experience
Partial VPN: Right after the user resets their password through the Windows Client, a VPN tunnel is established in the background to securely sync the new password from the company network back to the device.
Logical Steps:
- When the Windows Client starts, it opens the Self-Service web page and displays it to the user.
- Once the user completes a Self-Service password reset and clicks the Exit/Close button, the Windows Client checks whether the password reset attempt completed successfully.
- If and only if a password reset has been successfully carried out, the VPN tunnel will be established in the background.
- If the connection succeeds and the MyPass Windows Client can connect to a domain controller on-prem, the Password Cache is updated with the latest password from the domain.
- After a few seconds, the Windows Client is closed and the user can log in with the new password.
Full VPN Experience
Full VPN: A VPN tunnel connection is established immediately upon clicking the Windows Client Launch Panel. This functionality is particularly beneficial for on-premises implementations of MyPass or for restricting access to the Self-Service portal to approved locations, such as the corporate network.
Logical Steps:
- As soon as the Windows Client is activated, it tries to determine whether a domain controller is contactable. If no domain controller can be reached and the configuration is set for Full VPN, the VPN open script is executed.
- Once the VPN is up, the FastPass server is contacted and the user carries out the reset.
- When the user exits the client, the client checks whether the user completed a password reset; if so, the local password cache is updated.
- The VPN is closed.
- VPN Access for Authentication: To enable this feature, authentication is required to establish a secure VPN tunnel, typically via a service account configured within your VPN software. For cost efficiency, a single service account with Multi-Factor Authentication (MFA) disabled may be used, provided it is protected by a highly secure, complex password. Basic authentication is essential, as unattended MFA prompts cannot be processed. Alternatively, if all users are licensed for the VPN software and your VPN tool is configured with Active Directory Single Sign-On (SSO), their existing VPN credentials can be leveraged to establish the connection. This enables the workstation to communicate with the Domain Controller and update the locally cached password.
- Training the VPN: MyPass will provide scripts configured for your VPN tool and endpoints to establish the connection at the appropriate time.
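The following PowerShell script is an added illustration of the control flow the Full VPN and Partial VPN steps describe; it is not a MyPass-provided script. It checks whether a domain controller answers on the Kerberos port before opening the tunnel (so nothing happens on the corporate LAN), waits for a DC to become reachable over the VPN, and closes the tunnel on the `close` action. The VPN tool path `vpncli.exe` and its `connect`/`disconnect` verbs are placeholders for whatever CLI-capable VPN tool the organisation uses; authentication is assumed to be handled by a profile configured inside that tool (service account or AD SSO), so no password appears in the script. `Resolve-DnsName` and `Test-NetConnection` are standard on Windows 8 / Server 2012 and later. The password cache update itself is performed by the Windows Client and is not part of this script.

```powershell
<#
  Illustrative VPN open/close script for the Remote Password Cache Update flow.
  Added example, not MyPass's own script. Assumptions:
    - a VPN CLI at $VpnCli that understands "connect <profile>" and "disconnect"
      (placeholder; replace with the real tool's syntax)
    - credentials live in the VPN tool's configured profile, not here
    - the Kerberos SRV record of the machine's domain resolves over the VPN
  Usage (invoked by the Windows Client at the appropriate time):
    powershell -File vpn-cache-update.ps1 -Action open
    powershell -File vpn-cache-update.ps1 -Action close
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('open', 'close')]
    [string]$Action
)

$VpnCli       = 'C:\Program Files\ExampleVPN\vpncli.exe'   # placeholder path
$VpnProfile   = 'corp-password-reset'                      # placeholder profile
$KerberosPort = 88                                         # Kerberos (TCP)

function Get-DomainControllerNames {
    # Resolve DC host names from the domain's Kerberos SRV record.
    $domain = $env:USERDNSDOMAIN
    if (-not $domain) { return @() }
    try {
        $records = Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV -ErrorAction Stop
        # Only SRV records carry NameTarget; the additional A records are skipped.
        return @($records | Where-Object { $_.NameTarget } |
                 Select-Object -ExpandProperty NameTarget -Unique)
    } catch {
        return @()   # DNS not answering is the usual off-network symptom
    }
}

function Test-DomainControllerReachable {
    # True when at least one DC accepts a TCP connection on the Kerberos port.
    foreach ($dc in Get-DomainControllerNames) {
        if (Test-NetConnection -ComputerName $dc -Port $KerberosPort -InformationLevel Quiet -WarningAction SilentlyContinue) {
            return $true
        }
    }
    return $false
}

function Wait-DomainController {
    param([int]$TimeoutSeconds = 60)
    # Poll until a DC answers or the timeout elapses.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (Test-DomainControllerReachable) { return $true }
        Start-Sleep -Seconds 3
    }
    return $false
}

function Invoke-VpnCli {
    param([string[]]$Arguments)
    # Run the VPN tool and report success by exit code (placeholder CLI).
    $p = Start-Process -FilePath $VpnCli -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return ($p.ExitCode -eq 0)
}

switch ($Action) {
    'open' {
        if (Test-DomainControllerReachable) {
            Write-Host 'Domain controller already reachable; VPN not needed.'
            exit 0
        }
        if (-not (Invoke-VpnCli -Arguments @('connect', $VpnProfile))) {
            Write-Error 'VPN connect failed.'
            exit 1
        }
        if (-not (Wait-DomainController -TimeoutSeconds 60)) {
            # Tear the tunnel down again rather than leave it open unused.
            Invoke-VpnCli -Arguments @('disconnect') | Out-Null
            Write-Error 'No domain controller reachable over the VPN.'
            exit 1
        }
        Write-Host 'VPN up and domain controller reachable.'
        exit 0
    }
    'close' {
        if (Invoke-VpnCli -Arguments @('disconnect')) { exit 0 } else { exit 1 }
    }
}
```

In Partial VPN mode the same `open` action can be run after the reset completes: off the corporate network the initial DC check fails, the tunnel is opened, and the client then updates the cache once a DC answers. Exiting non-zero when no DC becomes reachable lets the Windows Client report a failed cache update instead of silently closing with the old password still cached.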
Implement this feature before large-scale software deployment, as the configuration and script files must be included in the Windows Client installation package.