Secure Active Directory Password Rest From Your iPhone!

Yes, as long as your corporate environment has:

A VPN that is compatible with iPhone OS.
DNS, KRB5, and LDAP connectivity to your domain controllers over said VPN.

Yes, Active Directory is a Kerberos KDC and LDAP directory implementation that supports a number of secure bind operations such as NTLM, SSL, and SASL/GSSAPI. AD Help Desk performs SASL/GSSAPI (RFC-2222) bind operations using a Kerberos mechanism. If a secure bind cannot be accomplished, no other type of bind is attempted. All user data discovered by AD HelpDesk, or any modification made to user data in the directory passes over an authenticated and encrypted stream to an Active Directory domain controller on LDAP port 389. These streams are encrypted using 128 bit RC4 session keys, which is upgradable to AES 128 or AES 256 if Windows 2008 is being used.

Password resets requests bypass the LDAP database and travel directly to the Kerberos KDC, which listens on port 88 for ticket requests and password reset requests.

All of the technologies used by AD HelpDesk to access Active Directory are open and secure standards that have been implemented by Microsoft in Active Directory to allow interoperability with third party software.

No, the GSSAPI/SASL security mechanism allows encrypted traffic to travel over port 389. Try a packet trace if you still don't believe it.

No, you don't even have the option of saving your domain password on your iPhone OS device; however, you are saved from entering your domain password for every operation by the nature of the Kerberos security. When you provide your password you are issued a Kerberos "Ticket" that allows you to perform authenticated and secure domain operations for a period of time (default is generally 10 hours). You only ever need to re-enter your password when this ticket has expired. You can inspect these credentials from the main operations menu. The ticket detail view shows you just how long until you are going to need to enter your password again:

AD Help Desk will work with any version of Active Directory, but domain environments can vary significantly from installation to installation. So it is always wise to test your specific installation with the free "AD Help Desk Lite" to ensure compatibility before purchasing the full featured application.

No, you still have to be granted rights in the directory to be able to modify (unlock, password reset, or otherwise) someone's account. If don't already know that you have this right, then you won't be able to do it.

Frequently Asked Questions

Can Passwords Be Reset Over the Celluar Network?

Is Communication Between the iPhone and Domain Controller Secure?

Isn't LDAP traffic over port 389 always unencrypted?

Does AD Help Desk Save My Domain Password on My iPhone?

What Versions of Active Directory is AD Help Desk Compatible with?

Can Anyone With This App Reset Passwords?