Open FriedrichWeinmann opened 4 years ago
Currently implemented and pending release: Reset-DMDomainCredential Allows targeted clearing of cached credentials, enabling workflows such as ADMF Credential Providers to clear their own creds without affecting other cached entries.
There is currently no mechanism to age credentials that get cached when calling Set-DMDomainContext (which happens automatically in every single test or invoke command). These are then later used for resilient cross-domain identity resolution in Get-Principal and Convert-Principal. The problem here is: if the credentials change later on, all subsequent attempts to connect to the domain fail due to a bad password. This is a common event when using sensitive Break Glass accounts.
Solution Ideas:
Should use the explicitly specified credentials if any were specified, at least as a fallback.
Temporary credentials would be cached (and used). If the workflow later resets the password, subsequent connections without a CredentialProvider would still be using the bad password.
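The following PowerShell sketch is an added example, not code from the DomainManagement/ADMF module or from the issue author. It shows the three pieces the issue discusses together: a per-domain credential cache whose entries carry a timestamp so they can be aged out, a targeted reset in the spirit of Reset-DMDomainCredential, and a lookup that always prefers an explicitly passed credential over the cached one. It also drops the cached entry when a connection attempt fails, so a rotated break-glass password does not keep being retried. Every function name, the $script:CredentialCache variable, the 30-minute TTL and the sample credential are assumptions made for this example.

```powershell
# Added example (not DomainManagement/ADMF code). All names below are hypothetical.
$script:CredentialCache  = @{}                               # domain -> { Credential, CachedAt }
$script:CredentialMaxAge = [timespan]::FromMinutes(30)       # assumed TTL for cached entries

function Set-CachedCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Store the credential together with the time it was cached so it can be aged out later.
    $script:CredentialCache[$Domain.ToLowerInvariant()] = [pscustomobject]@{
        Credential = $Credential
        CachedAt   = [datetime]::UtcNow
    }
}

function Get-EffectiveCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [pscredential]$Credential      # an explicitly specified credential always wins
    )
    # 1. Explicit credential: use it and refresh the cache entry for this domain.
    if ($Credential) {
        Set-CachedCredential -Domain $Domain -Credential $Credential
        return $Credential
    }
    # 2. Fall back to the cache, but only while the entry is younger than the TTL.
    $key   = $Domain.ToLowerInvariant()
    $entry = $script:CredentialCache[$key]
    if (-not $entry) { return $null }
    if (([datetime]::UtcNow - $entry.CachedAt) -gt $script:CredentialMaxAge) {
        Write-Verbose "Cached credential for $Domain has aged out; discarding it"
        $script:CredentialCache.Remove($key)
        return $null
    }
    return $entry.Credential
}

function Reset-CachedCredential {
    [CmdletBinding()]
    param(
        [string]$Domain                # omit to clear every cached entry
    )
    # Targeted clearing: one workflow can drop its own entry without touching the others.
    if ($Domain) { $script:CredentialCache.Remove($Domain.ToLowerInvariant()) }
    else         { $script:CredentialCache.Clear() }
}

function Invoke-WithDomainCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [pscredential]$Credential,
        [Parameter(Mandatory)][scriptblock]$Action   # receives the resolved credential
    )
    $cred = Get-EffectiveCredential -Domain $Domain -Credential $Credential
    try {
        & $Action $cred
    }
    catch {
        # A failed connection invalidates the cached entry so the next call does not keep
        # retrying a stale password. Narrowing this to the provider's specific
        # authentication-failure exception type is an assumption left to the caller.
        Reset-CachedCredential -Domain $Domain
        throw
    }
}

# Usage with a constructed (fake) credential:
$password   = ConvertTo-SecureString 'ConstructedSamplePassword' -AsPlainText -Force
$breakGlass = [pscredential]::new('contoso\breakglass', $password)
Set-CachedCredential -Domain 'contoso.com' -Credential $breakGlass
# Simulate the break-glass password being rotated: the cached entry is now stale,
# so the workflow clears it; the next lookup without an explicit credential returns $null.
Reset-CachedCredential -Domain 'contoso.com'
$null -eq (Get-EffectiveCredential -Domain 'contoso.com')
```

With this shape, a credential provider that rotates a password can call Reset-CachedCredential for its own domain only, aged entries expire on their own, and a caller that passes a credential explicitly is never served the stale cached one.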