How to change local user passwords with Kerberos via Ansible


This document provides instructions on how to configure and perform local user password changes on Windows devices using Kerberos authentication via Ansible in the Segura® Platform. This implementation removes the dependency on NTLM, in line with Microsoft's security recommendations.

Attention

For the playbook to work correctly, you must follow the domain and hostname naming standards described in steps 2 and 3.

Requirements

  • Be an administrative user with permission to create/edit templates.
  • Have the credential and the device registered on the platform.

Step 1: Configure the execution template

  1. On Segura® Platform, in the navigation bar, hover over the Products menu and select Executions.
  2. In the side menu, select Templates control > Templates.
  3. Configure the Ansible template for the password change.
    1. If you already have an Ansible template for changing local Windows user passwords using NTLM, locate it and click Edit in the actions menu on the right.
    2. If you don’t have a template for this action, click Add in the upper-right corner.
  4. In the Execution template screen, complete the following fields:
    1. Name*: enter the template name.
    2. Status: enable to activate the template.
    3. Executor*: select Ansible.
    4. Execution type*: select Change password.
    5. Playbook: select Windows Kerberos change local user password.
    6. Inventory: select Windows-PSRP-Kerberos.
  5. Click Save.

A success message will be displayed and the created template will be listed in the report.

Step 2: Modify the device connectivity

Info

More information in How to configure a device.

  1. On Segura® Platform, in the navigation bar, hover over the Products menu and select PAM Core.
  2. In the side menu, select Devices > All devices.
  3. Find the desired device and click Edit in the actions menu on the right.
  4. In the Device screen, access the Information tab and complete or adjust the following fields:
    1. Device name*: enter the FQDN.
    2. IP, Hostname or management URL*: enter the FQDN.
  5. On the Connectivity tab, click Add to include a new connectivity.
    1. Connectivity type: select Windows RM.
    2. Port: enter 5985.
  6. Click Continue through all tabs, or access the Review tab and click Save at the bottom of the page.

A success message will be displayed and the device list will be presented.

Step 3: Configure the credential

Info

More information in How to configure a credential.

  1. On Segura® Platform, in the navigation bar, hover over the Products menu and select PAM Core.
  2. In the side menu, select Credentials > All credentials.
  3. Find the desired credential and click Edit in the actions menu on the right.
  4. In the Credential screen, complete or adjust the following fields:
    1. Domain: enter the domain entirely in uppercase.
    2. Additional information: enter the KDC hostname in the format {"KDC": "hostname"}.
  5. Click Continue through all tabs, or access the Review tab and click Save at the bottom of the page.

A success message will be displayed and the credentials list will be presented.
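The playbook only works when the device and credential fields follow the naming standards from steps 2 and 3 (FQDN for the device name and address, an all-uppercase domain, and a JSON additional-information field carrying the KDC hostname). The following pre-flight check is an added example, not code from the Segura® Platform or its playbook; it encodes only those three rules so the values can be validated before they are entered. The sample hostnames and domain in it are constructed placeholders.

```python
"""Pre-flight checks for the Kerberos password-change prerequisites.

Added example, not part of the Segura Platform or its playbook. It encodes
the naming rules the procedure states: the device name and address must be
an FQDN (not a bare hostname or an IP address), the credential domain must
be entirely uppercase, and the credential's additional information must be
JSON with a non-empty "KDC" key.
"""
import json
import re
from typing import List, Optional

# A DNS label: 1-63 alphanumerics or hyphens, not starting/ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# An FQDN needs at least two labels (host plus at least one domain label).
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")


def is_fqdn(name: str) -> bool:
    """True if name is a syntactically valid fully qualified domain name."""
    if len(name) > 253 or not _FQDN_RE.match(name):
        return False
    # RFC 3696: the top-level label must not be all digits; this also rejects
    # dotted IPv4 addresses, which the procedure says not to use here.
    return not name.rstrip(".").rsplit(".", 1)[-1].isdigit()


def is_uppercase_realm(domain: str) -> bool:
    """True if the domain is non-empty, has no whitespace and is entirely
    uppercase, which is how the Kerberos realm must be written."""
    return (
        bool(domain)
        and not any(ch.isspace() for ch in domain)
        and any(ch.isalpha() for ch in domain)
        and domain == domain.upper()
    )


def parse_kdc(additional_info: str) -> Optional[str]:
    """Return the KDC hostname from the credential's additional information,
    or None if it is not a JSON object with a non-empty string under "KDC"."""
    try:
        data = json.loads(additional_info)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    kdc = data.get("KDC")  # key is case-sensitive, exactly as in the procedure
    if not isinstance(kdc, str) or not kdc.strip():
        return None
    return kdc.strip()


def check_prerequisites(
    device_name: str, device_address: str, domain: str, additional_info: str
) -> List[str]:
    """Collect every rule violation; an empty list means the inputs satisfy
    the naming standards of steps 2 and 3."""
    problems = []
    if not is_fqdn(device_name):
        problems.append(f"device name {device_name!r} is not an FQDN")
    if not is_fqdn(device_address):
        problems.append(f"device address {device_address!r} is not an FQDN")
    if not is_uppercase_realm(domain):
        problems.append(f"domain {domain!r} must be entirely uppercase")
    if parse_kdc(additional_info) is None:
        problems.append('additional information must be JSON like {"KDC": "hostname"}')
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real environment.
    ok = check_prerequisites(
        "srv01.corp.example.com",
        "srv01.corp.example.com",
        "CORP.EXAMPLE.COM",
        '{"KDC": "dc01.corp.example.com"}',
    )
    bad = check_prerequisites("srv01", "10.0.0.5", "corp.example.com", "KDC=dc01")
    print("compliant:", ok)      # []
    print("non-compliant:", bad)  # four problems, one per rule violated
```

Run it as a script to see both outcomes, or import `check_prerequisites` into your own tooling and refuse to submit the device or credential form while it returns a non-empty list.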

Step 4: Request the password change

  1. On Segura® Platform, in the navigation bar, hover over the Products menu and select Executions.
  2. In the side menu, select Password operations > All operations.
  3. In the upper-right corner, click Request password change.
  4. In the screen displayed, complete:
    1. Credential*: select a credential available for password change.
    2. Schedule date*: select the date and time for the schedule.
  5. Click Save.