I'm having difficulty determining the correct rules to allow my Windows users to change their AD passwords using WSAM. Due to security requirements Network Connect cannot be used, which would have made this easier. Other applications such as IE and Outlook work fine down SAM, but not password changes.
If a user attempts to change their password using ALT-CTRL-DEL, they fill in the details and press enter. After a brief pause it reports an error saying that it cannot find a domain controller. Looking in the SAM log it looks like the machine never even attempts to communicate; it looks like the traffic gets stuck locally. Have any of you managed to implement this? I am using IVE 5.5 at the moment.
Try adding the IP address of the AD server to the WSAM allowed server list and check whether there is a proper ACL configured for it.
Thanks for replying. The servers are allowed via a subnet destination rule. I've been doing some packet tracing, and when a password is changed Windows needs to talk to a DC. It uses DNS to track this down, but the packet capture revealed that this was not going via SAM; it was trying to go direct. Obviously it couldn't, as all of the DCs are down the SAM tunnel.
Originally I thought it was LSASS.EXE being set to pass-through, but this is now explicitly entered as an application to be SAM'd. This still doesn't work. Any other ideas?
I wanted to bump this since I'm still having this problem with WSAM too. I've got an SA-4000 on 6.3.R2.
I can't get my client PCs to sync the user's password with AD in either direction. If a user changes it via the IVE page, Windows still wants the old password.
So why is the WSAM not directing some traffic even when the destinations are specified in policy?
I can't remember the details, but when I looked into this there is some traffic that WSAM does not support. I think it is either a DNS request for a service record or a Connectionless LDAP (UDP) request. It's only a few packets that don't get passed, but it's enough to stop it working.
It might work in 6.4 as the What's new says it now has "Support for Windows Domain Authentication through Windows Secure Access Manager".