Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

WSAM and Windows password changes

SteveGrant_
New Contributor
‎06-04-2008 12:07:AM
‎06-04-2008 12:07:AM

WSAM and Windows password changes

Hi everyone,

I'm having difficulty determining the correct rules to allow my Windows users to be able to change their AD passwords using WSAM. Due to security requirements Network Connect cannot be used - which would have been easier to do this. Other applications such as IE and Outlook work fine down SAM, but not password changes.

If a user attempts to change their password using ALT-CTRL-DEL, they fill in the details and press enter. After a brief pause it reports an error saying that it cannot find a domain controller. Looking in the SAM log it looks like the machnie never even attempts to communicate, it looks like the traffic gets stuck locally. Have any of you managed to implement this? I am using IVE 5.5 at the moment.

Many thanks,

Steve

0 Kudos
4 REPLIES 4
msk_
Not applicable
‎06-04-2008 02:56:AM
‎06-04-2008 02:56:AM

Re: WSAM and Windows password changes

Hi Steve,

Try adding IP address of AD server on WSAM allowed server list and check if there is proper ACL configured for same.

Thanks

0 Kudos
SteveGrant_
New Contributor
‎06-04-2008 07:31:AM
‎06-04-2008 07:31:AM

Re: WSAM and Windows password changes

Hi there,

Thanks for replying. The servers are allowed via a subnet destination rule. I've being doing some packet tracing, and when a password is changed Windows needs to talk to a DC. It uses DNS to track this down, but the packet capture revealed that this was not going via SAM - it was trying to go direct. Obviously it couldn't as all of the DCs are down the SAM tunnel.

Orginally I thought it was LSASS.EXE being set to pass-through, but this is now explictly entered as an application be to SAM'd. This still doesn't work. Any other ideas?

Thanks,

Steve

0 Kudos
DeaconZ_
Frequent Contributor
‎03-30-2009 12:31:PM
‎03-30-2009 12:31:PM

Re: WSAM and Windows password changes

I wanted to bump this since I'm still having this problem the WSAM too.I've got an SA-4000 on 6.3.R2.

I can't get my client PC's to sync the user's password with AD in either direction. If a user changes it via the IVE page, Windows still wants the old password.

So why is the WSAM not directing some traffic even when the destinations are specified in policy?

Message Edited by DeaconZ on 03-30-2009 12:31 PM
Message Edited by DeaconZ on 03-30-2009 12:32 PM
0 Kudos
dcvers_
Regular Contributor
‎03-31-2009 06:55:AM
‎03-31-2009 06:55:AM

Re: WSAM and Windows password changes

I can't remember the details but when I looked into this there is some traffic that WSAM does not support. I think it is either a DNS request for a service record or a Connectionless LDAP (udp) request. It's only a few packets that don't get passed but it's enough to stop it working.

It might work in 6.4 as the What's new says it now has "Support for Windows Domain Authentication through Windows Secure Access Manager".

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.