diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index 2912a22411e78f8ae80c957ca82b98678750b5f4..3c00c84fb95bb1d2d6fd7b9d372be2fd255f458b 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -5,6 +5,7 @@ class PasswordsController < Devise::PasswordsController
 
 before_action :resource_from_email, only: [:create]
 before_action :check_password_authentication_available, only: [:create]
+ before_action :prevent_cas_reset, only: [:create]
 before_action :throttle_reset, only: [:create]
 
 # rubocop: disable CodeReuse/ActiveRecord
@@ -55,6 +56,13 @@ def check_password_authentication_available
 alert: "Password authentication is unavailable."
 end
 
+ def prevent_cas_reset
+ return unless resource && resource.cas_user?
+
+ redirect_to after_sending_reset_password_instructions_path_for(resource_name),
+ alert: "Cannot reset password for CAS user."
+ end
+
 def throttle_reset
 return unless resource && resource.recently_sent_password_reset?
 
diff --git a/app/views/layouts/nav/sidebar/_profile.html.haml b/app/views/layouts/nav/sidebar/_profile.html.haml
index 69167edb1df2290aad529966a070ec98018b8dbf..96e10e4a21d1a09ceec64b162a752b44e17744ac 100644
--- a/app/views/layouts/nav/sidebar/_profile.html.haml
+++ b/app/views/layouts/nav/sidebar/_profile.html.haml
@@ -72,7 +72,7 @@
 = link_to profile_emails_path do
 %strong.fly-out-top-item-name
 = _('Emails')
- - if current_user.allow_password_authentication?
+ - if current_user.allow_password_authentication? && !current_user.cas_user?
 = nav_link(controller: :passwords) do
 = link_to edit_profile_password_path do
 .nav-icon-container
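Review bot: The new filter is registered with `only: [:create]`, so it blocks requesting a reset mail but not redeeming one. A reset token issued before the account became CAS-managed, or by any other code path that issues reset tokens, would presumably still be accepted by the inherited `update` action. If CAS users must never hold a local password, the token-redeeming side needs the same guard, or the token should be invalidated when the account is linked to CAS. The rest of the controller is outside this hunk, so whether `update` is overridden elsewhere cannot be confirmed from here.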
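Review bot: The dedicated alert in `prevent_cas_reset` ("Cannot reset password for CAS user.") tells an unauthenticated caller two things: that the submitted email belongs to an existing account, and that the account authenticates through CAS. That makes the reset form usable for account enumeration and for finding SSO-managed users. Prefer the same redirect and flash text that an ordinary reset request produces, skip the mail silently, and record the refusal in the application log instead. The filter also runs ahead of `throttle_reset`, so repeated requests for a CAS account are not rate-limited by this controller. Moving it after the throttle, or relying on a request-level rate limit, would close that gap.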
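Review bot: Hiding the sidebar link with `&& !current_user.cas_user?` only removes the entry point, and nothing in this diff touches the controller behind `edit_profile_password_path`. Unless that controller is guarded elsewhere, a signed-in CAS user can still open the password page by URL and set a local password. The rule belongs on the server side, ideally in one place: if `allow_password_authentication?` itself returned false for CAS users, this view and the existing `check_password_authentication_available` filter would both follow it. The duplicated `cas_user?` checks would then be unnecessary.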