How to configure and troubleshoot the cached credentials update feature - ADSelfService Plus

How to configure and troubleshoot the cached credentials update feature

ManageEngine ADSelfService Plus' cached credentials update feature helps remote users reset their domain password from their login screens using the self-service password reset feature, and regain access to their Windows machines from outside the domain network. The feature employs a VPN to achieve this. This webpage elaborates on enabling the cached credentials update feature in ADSelfService Plus for four different VPN providers: Fortinet, Cisco IPSec, Cisco AnyConnect, and Windows Native VPN.

Note: If your VPN is protected with MFA, accessibility to the cached credentials update feature can change based on the authentication methods used. Here are the possible scenarios:
  • When MFA for VPN uses one-way authentication methods, like biometrics and push notification, users will be asked to authenticate using the configured methods after password reset. Once authentication is successful, the cached credentials update will be initiated.
  • When MFA for VPN uses challenge-based authentication methods, such as TOTP using Google Authenticator, the cached credentials update may not function. In this case, please reach out to the ADSelfService Plus support team for additional assistance in enabling the feature.


To enable the cached credentials update for client machines, ADSelfService Plus must be hosted online and be accessible through the internet. Refer to this guide for step-by-step instructions on how to host your ADSelfService Plus instance online.

Step 1: Configure the cached credentials update

  1. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux(Ctrl+Alt+Del).
  2. Click Updating Cached Credentials over VPN.
  3. Select Enable VPN settings.
  4. Select your VPN provider (Fortinet, Cisco IPSec, Cisco AnyConnect, or Windows Native VPN) from the drop-down list.
  5. Enter the VPN HostName/IP address and VPN port number in their respective fields.
  6. In case Fortinet, Cisco IPSec, or Cisco AnyConnect is used, enter the VPN Client Location along with the client file name. Here are the default locations of the VPN client files for the three providers:
    • Fortinet: C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNclient.exe
    • Cisco IPSec: C:\Program Files (x86)\Cisco\Cisco IPSec\vpnclient.exe
    • Cisco AnyConnect: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe
      Note: FortiSSLVPNclient.exe will not be available by default when FortiClient is installed in the client machine. It must be downloaded from the Fortinet support portal using your business account:
      • Login into
      • Navigate to Firmware Images > Download.
      • Select FortiClient.
      • Navigate to your FortiClient version installed on your client machines and download by clicking the link.
      • Extract the ZIP file which contains an SSL VPN Client command line that holds the FortiSSLVPNClient.exe file and three dependent dynamic link library (DLL) files.
      • Paste this EXE file and the three DLL files inside C:\Program Files (x86)\Fortinet\FortiClient in all the client machines.
  7. Click Save.
  8. How to configure and troubleshoot the cached credentials update feature

Step 2: Install the ADSelfService Plus login agent in client machines

To enable the cached credentials update in client machines, the ADSelfService Plus login agent must be installed on them. Upon installation, the login agent places the self-service password reset option on the machine's login screen, and enables the cached credentials update functionality. During subsequent self-service password reset attempts, the login agent sends the authentication information and new credentials to the ADSelfService Plus server, which in turn sends it to AD. Once the authentication and password reset is approved, AD relays the new password back to the client machine via the VPN and the machine's cached credentials are updated.

The login agent can be installed through the product portal, manually, via GPO, via Microsoft System Center Configuration Manager, and using third-party software. Here, we will be going through installation via the product portal.

Important: If the login agent was already installed in client machines before configuring the cached credentials update, this feature will be enabled for the client machines only if the GINA Customization Scheduler acts on them, or if the login agent is reinstalled.

ADSelfService Plus login agent installation via product portal

  1. In the ADSelfService Plus web portal, go to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux installation.
  2. Click New Installation.
  3. Select a domain, and then the computers (on which you want to install the login agent).
  4. Click Install.

GINA Customization Scheduler configuration

  1. Navigate to the Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del).
  2. Click GINA/Mac/Linux Schedulers.
  3. Click on the edit icon ().

    How to configure and troubleshoot the cached credentials update feature

  4. In the window that opens, select the domain, OUs, or groups for which you want to deploy the client software.
  5. Set the Schedule Time and configure the Notification Frequency as daily, weekly, monthly, or hourly.
  6. Click Save.

ADSelfService Plus login agent reinstallation

  1. In the ADSelfService Plus web portal, go to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux installation.
  2. Go to Installed Machines.
  3. Select the computers on which the login agent is installed.
  4. Click Reinstall.


If the cached credentials are not updated for any client machine during self-service password reset after the feature is enabled, ensure the following:

  1. The login agent is installed on the client machine.
  2. The following registry entries are correctly updated after manual installation of the login agent:

    Go to HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus Client Software and ensure that the following registry entries are present:

    • IsTPVPNEnabled: The value must be t for all VPN providers except Windows Native VPN.
    • IsVPNEnabled: Value must be "t".
    • VPNClientLocation: The correct file path and filename of the VPN client agent must be present. For example:

      C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNclient.exe

  3. The client machine successfully connects to the VPN.

    This can be confirmed by executing the following commands in Command Prompt depending on the VPN provider used.

    Cisco IPSec:
    vpnclient.exe connect <profile name> user %user_name% pwd %password%

    Cisco AnyConnect:
    pncli.exe -s < %tempFile%
    vpncli.exe connect %servername%

    connect -s adsspvpn -h %servername%:%portno% -u %user_name%:%password%

    In case a custom VPN provider is used, the following command line must be used
    pstools..psexec.exe -s -i

  4. The AD domain controller is reachable through the VPN. This can be confirmed by pinging the server.
  5. For Windows Native VPN:
    • L2TP/IPSec with pre-shared key is the type of VPN used.
    • AD domain credentials are provided during VPN configuration.

        New to ADManager Plus?

          New to ADSelfService Plus?

            • Related Articles

            • Self-service password reset and account unlock for Chromebook devices

              The Chromebook is Google's low-cost alternative to traditional laptops. Unlike Windows, macOS, and Linux machines, a Chromebook runs on the Chrome OS. Users can login to their Chromebook using their AD domain credentials, if their device has been ...
            • How to enable self-update for custom AD attributes in ADSelfService Plus

              IT administrators might need to create custom attributes for a variety of reasons such as to route Active Directory based custom messages, application integration, or including specific flags on Active Directory objects. Before you can create a ...
            • How to integrate ServiceDesk Plus with ADSelfService Plus?

              Description: By integrating ManageEngine ServiceDesk Plus and ADSelfService Plus, you get to: Automate ticket creation in ServiceDesk Plus for every self-service operation performed by end users using ADSelfService Plus. This empowers help desk ...
            • ADSelfService Plus Text Customization

              The Language Customization feature in ADSelfService Plus lets you customize any text in the self-service password reset software that is displayed in the user interface. Tooltips, error messages, buttons, and text fields can be customized to suit ...
            • How to customize the ADSelfService Plus mobile app?

              Solution With the ADSelfService Plus mobile app, end users no longer have to be tied to the desk to manage their Active Directory domain password, unlock their account, and change their password from anywhere and at anytime without help desk ...