Active Directory Password Change

Contributor

For years, we've allowed users to change their AD passwords within the VPN. However, when Active Directory sends out the standard 14-day notification that your password is going to expire, it doesn't pass through the VPN to the end user. The account simply locks out and they perceive some sort of problem with the VPN when what really happened is their AD passwords expired. Is there a release that will pass Active Directory notifications down to the VPN client? It would be most helpful for our remote staff, which has grown 200% since the economy tanked.

Thanks.

5 REPLIES
Contributor

Re: Active Directory Password Change

You must use secure LDAP to enable password change, and I believe this is an additional license. I have it set up on my 4000, but I did it so long ago I can't really give you a step-by-step. I recall installing certificate services and uploading a cert from the DC into the SA, but it's very vague. Check the KB.

http://support.microsoft.com/kb/321051 (uses a public cert, but I think you can use your Certificate Services installation to do the same.)

Contributor

Re: Active Directory Password Change

Note - I always use LDAP w/ AD. There may be a different way of doing it with the AD auth option in the SA.

Occasional Contributor

Re: Active Directory Password Change

Check out ...

http://kb.pulsesecure.net/KB7896

And bear in mind, in the solution where it says 'Confg as an LDAP server' it should probably say 'Config as an LDAPS server' since ...

"When changing passwords in Active Directory using LDAP, the IVE automatically switches to LDAPS, even if LDAPS is not the configured LDAP method. To support LDAPS on the Active Directory server, you must install a valid SSL certificate into the server’s personal certificate store" (sorry - can't find an easy link to that, but it's hidden in the online help and, I assume, the admin guide somewhere)

Message Edited by KB_Fan on 12-30-2008 06:51 AM
Occasional Contributor

Re: Active Directory Password Change

That's correct. LDAPS has to be used. It's kind of a gotcha. We have it set up on an SA 4000 with build number 5.5 r2.1 and it doesn't work - doesn't prompt when password is soon to expire.

We have to upgrade to make it work. (surprise). We have another setup of SA 4000s in test and it works fine with the latest build number - 6.2 etc. Hardest thing to set up was the LDAP query...

Also, don't forget to enable preferences on the UI for the users, as it gives the users the flexibility to change their own password if necessary (if you haven't already).

Message Edited by JW on 07-30-2008 03:56 PM
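
For the expiry warning that remote users in this thread never see, an administrator can work out who is inside the 14-day window directly from directory attributes. The following is an added example, not part of the original thread or any vendor's code; it assumes the standard AD attributes `pwdLastSet`, `maxPwdAge` and `userAccountControl` have already been read over LDAPS, uses constructed sample values, and ignores fine-grained password policies.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag
NEVER = (0, -2**63)              # maxPwdAge values meaning "passwords never expire"

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """datetime -> FILETIME; used here only to build the sample records."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Expiry time from pwdLastSet (user), maxPwdAge (domain, negative ticks)
    and userAccountControl. Returns None if the password never expires.
    Assumption: the domain policy applies (no fine-grained policy override)."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NEVER:
        return None
    if pwd_last_set == 0:        # "must change password at next logon"
        return FILETIME_EPOCH    # treat as already expired
    return filetime_to_dt(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)

def users_to_warn(users, max_pwd_age, now, warn_days=14):
    """[(sAMAccountName, days_left)] for passwords expiring within warn_days
    (negative days_left = already expired), soonest first."""
    out = []
    for u in users:
        exp = password_expiry(u["pwdLastSet"], max_pwd_age, u["userAccountControl"])
        if exp is None:
            continue
        days_left = (exp - now).days
        if days_left <= warn_days:
            out.append((u["sAMAccountName"], days_left))
    return sorted(out, key=lambda t: t[1])

# Constructed sample data: 90-day domain policy, four hypothetical accounts.
NOW = datetime(2008, 12, 30, tzinfo=timezone.utc)
MAX_PWD_AGE = -90 * 86400 * 10_000_000
_ago = lambda days: dt_to_filetime(NOW - timedelta(days=days))
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": _ago(80), "userAccountControl": 512},
    {"sAMAccountName": "bob", "pwdLastSet": _ago(10), "userAccountControl": 512},
    {"sAMAccountName": "carol", "pwdLastSet": _ago(95), "userAccountControl": 512},
    {"sAMAccountName": "svc", "pwdLastSet": _ago(400), "userAccountControl": 66048},
]
if __name__ == "__main__":
    print(users_to_warn(SAMPLE_USERS, MAX_PWD_AGE, NOW))
```

The resulting list can drive an e-mail reminder to remote staff before the account stops authenticating through the VPN.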
Super Contributor

Re: Active Directory Password Change

If you are using Windows Server, install Certificate Authority Services on the domain controller. This will allow for LDAPS to be used against the DC.