ADSelfService Plus adds a Reset Password/Unlock Account link to the Windows login screen, enabling remote users to reset their passwords after verifying their identity via modern MFA methods like FIDO Passkeys or biometric authentication. Once their identity is verified, the cache credentials will be updated with the new password.

From ADSelfService Plus build 6503 and above, cached credentials can be updated without a VPN if your organization does not have VPN infrastructure or uses a VPN vendor not supported by ADSelfService Plus.

To learn how ADSelfService Plus updates the cached credentials without a VPN, refer to this detailed guide.

Follow the step-by-step instructions below to configure cached credential updates for remote users, without a VPN.

   Configuration steps 

1. Log into ADSelfService Plus with administrator credentials.

2. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del).

3. Click Windows Cached Credential Update.

4. Set the toggle button to Enable Cached Credentials Update.

5. Select Update cached credentials without a VPN client.

6. Click Save.

 Note:  Updating the cache without connecting to AD through a VPN might have a few limitations that affect how applications retrieve sensitive data using DPAPI.  It is recommended to use a VPN to update cached credentials. Learn more.