Jamf Connect + Entra ID + PTA: Password Expiry Issue & Change Password URL Behavior

test_qweqwe
New Contributor III

Hi everyone,

We are currently using Jamf Connect integrated with Entra ID, and our environment is configured to use Pass-through Authentication (PTA). This means user passwords are validated directly against our on-premises Active Directory (AD).

The issue:

When a user's AD password expires and they are logged out of the system, they essentially become locked out. Jamf Connect prompts for login, but since the password is expired, the user is required to change it. However, password change fails with the following error:

Entra ID error 120013
"The user's Active Directory password has expired. Reset the user's password in your on-premises Active Directory to resolve the issue or have the user use the Self Service Password Reset (SSPR) functionality if it is enabled."

This means users can’t change the password from the Jamf Connect login window. They can only reset it using an external method connected directly to AD.

What we tried:

We implemented a custom SSPR portal that connects directly to AD, and it works correctly. I was hoping to provide a link to this password reset page in the Jamf Connect login window.

I found the HelpURL configuration option and added the password reset link there. This displays a small help icon in the top-right corner of the login window, and users can click it to access the password reset page — so far, so good.

However, I also saw the ChangePasswordURL option, which seems more appropriate in this context, but I don’t understand how it works. I configured it, but I don’t see any additional UI or direct link to reset the password, as I expected.

  • How exactly is ChangePasswordURL supposed to behave?

  • Is there something I’m missing in its configuration?

Questions:

  1. Is my understanding of ChangePasswordURL vs HelpURL correct?

  2. Are there any best practices when using Entra ID with PTA in combination with Jamf Connect?

  3. Are there any workarounds or better ways to handle password expiry scenarios like this?

  4. Would it be better to switch to Password Hash Synchronization (PHS) instead of PTA in this type of setup?
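Whichever of the two keys ends up carrying the reset link, the value is a URL that Jamf Connect will open from a pre-login screen, so it is worth verifying what actually landed in the managed preferences before rolling it out. The following Python script is an added example, not part of the original post or of Jamf Connect itself. It parses a login window configuration plist and flags each of the two keys named above (HelpURL, ChangePasswordURL) when the key is missing, when the URL is not HTTPS, or when its host is not on an allow-list. The preference domain path (`com.jamf.connect.login`) and the sample hostname `sspr.example.internal` are assumptions; the embedded plist is constructed for the example and deliberately gives ChangePasswordURL a plain-HTTP value so the check has something to report.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample of a Jamf Connect login window configuration.
# The hostname is a placeholder; the ChangePasswordURL value is
# intentionally http:// so the check below flags it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HelpURL</key>
    <string>https://sspr.example.internal/reset</string>
    <key>ChangePasswordURL</key>
    <string>http://sspr.example.internal/change</string>
</dict>
</plist>
"""

# The two login window keys discussed in the post.
URL_KEYS = ("HelpURL", "ChangePasswordURL")

# Assumed location of the managed preference file on a Mac enrolled via Jamf.
MANAGED_PREFS_PATH = "/Library/Managed Preferences/com.jamf.connect.login.plist"


def check_login_window_urls(plist_bytes, allowed_hosts):
    """Return {key: [problem, ...]} for each URL key; an empty list means OK."""
    prefs = plistlib.loads(plist_bytes)
    findings = {}
    for key in URL_KEYS:
        problems = []
        value = prefs.get(key)
        if value is None:
            problems.append("missing")
        else:
            parsed = urlparse(value)
            # A password reset page must not be reachable over cleartext HTTP.
            if parsed.scheme != "https":
                problems.append(f"scheme is {parsed.scheme!r}, expected https")
            # Only the SSPR portal you operate should be linked from the login window.
            if parsed.hostname not in allowed_hosts:
                problems.append(f"host {parsed.hostname!r} not in allow-list")
        findings[key] = problems
    return findings


def load_managed_prefs(path=MANAGED_PREFS_PATH):
    """Read the deployed plist from disk (run on an enrolled Mac)."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in load_managed_prefs()
    # on a real machine.
    results = check_login_window_urls(SAMPLE_PLIST, {"sspr.example.internal"})
    for key, problems in results.items():
        print(f"{key}: {'OK' if not problems else '; '.join(problems)}")
```

Run as-is it reports HelpURL as OK and ChangePasswordURL as using http instead of https; point `load_managed_prefs()` at the real file to audit a deployed profile.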

1 REPLY 1

test_qweqwe
New Contributor III

Bump.