For years, we've allowed users to change their AD passwords within the VPN. However, when Active Directory sends out the standard 14 day notification that your password is going to expire, it doesn't pass-thru the VPN to the end user. The account simply locks out and they perceive some sort of problem with the VPN when what really happened is their AD passwords expired. Is there a release that will pass Active Directory notifications down to the VPN client? It would be most helpful for our remote staff, which has grown 200% since the economy tanked.
You must use secure ldap to enable password change, and I believe this is an additional license. I have it setup on my 4000, but I did it so long ago I can't really give you a step by step. I recall installing certificate services and uploading a cert from the DC into the SA, but it's very vague. Check the KB.
http://support.microsoft.com/kb/321051 (uses a public cert, but I think you can use your Certificate Services instalation to do the same.)
Check out ...
And bear in mind, in the solution where it says 'Confg as an LDAP server' it should probably say 'Config as an LDAPS server' since ...
"When changing passwords in Active Directory using LDAP, the IVE automatically switches to LDAPS, even if LDAPS is not the configured LDAP method. To support LDAPS on the Active Directory server, you must install a valid SSL certificate into the server’s personal certificate store" (sry - can't find an easy link to that, but its hidden in the online help and I assume, the admin guide somewhere)
That's correct. LDAPS has to be used. It's kind of a gotcha. We have it set up on an SA 4000 with build
number 5.5 r2.1 and it doesn't work - doesn't prompt when password is soon to expire.
We have to upgrade to make it work. (surprise). We have another set up of SA 4000s in test and it works fine with the latest build number - 6.2 etc. Hardest thing to set up was the LDAP query...
Also, don't forget to enable preferences on the UI for the users as it gives the users the flexibility to change their own password if necessary. ( if you haven't already )
If you are using Windows Server, install Certificate Authority Services on the domain controller. This will allow for LDAPS to be used against the DC.