06-27-2011 09:53 PM - edited 03-10-2019 06:11 PM
Hi Everyone,
I have a weird issue which I am troubleshooting. I just wanted to see if anyone had a different view on this...
I have an AD user, let's call them work\auser, and their password just expired, so at next logon to the domain they need to change their password.
They decide while at home to connect to Outlook Web Access, which authenticates via ACS 5.1 to AD. When they try to connect they are denied, with the following message in ACS:
Authentication failed
ACS also says this as resolution -
Check the password expiry under Account options in the properties of an external database user. If the password is expired and the Enable Change Password is turned on in the Users and Identity Stores: External Identity Stores > Active Directory page, then the password will be changed.
Now, our OWA is not configured to allow password resets, so they must call in to have their password reset, or they can connect via VPN, and our ASA allows them to change their password as configured under Identity Stores > Active Directory > Enable Password Change.
This VPN password change is successful, although OWA still will not work. The only way to fix it is to select "Password does not expire" within AD, let it replicate, then deselect "Password does not expire" and let it replicate.
This is pointing to an OWA issue in my opinion, although ACS is somehow involved. Is it possible that ACS caches authentication, or, because OWA does not allow password resets, that it keeps responding with "user required to change his password"?
Any thoughts or different ways to look at this from a troubleshooting perspective would be greatly appreciated!
Thanks
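A way to take ACS out of the picture while troubleshooting the situation above is to ask the directory itself whether it still considers the password expired. The script below is an added example written for this thread (it is not Cisco or Microsoft code): it applies the standard Active Directory expiry rules to raw LDAP attribute values, and compares a snapshot of the user taken before the VPN password change with one taken afterwards. The attribute semantics it relies on are stated in the docstring as assumptions; the sample values for work\auser, the 42-day domain policy and the timestamps are constructed for illustration. In practice the values come from an LDAP query against a DC (pwdLastSet and userAccountControl on the user object, maxPwdAge on the domain head); query the same DC both times, or wait for replication, before trusting a comparison.

```python
"""Compute what Active Directory itself thinks about a user's password expiry
from raw LDAP attribute values, so an "Authentication failed / password expired"
verdict from ACS can be checked against the directory.

Added example for this thread, not Cisco or Microsoft code. Assumed attribute
semantics (standard AD behaviour, stated here so the reader can verify them):
  pwdLastSet          FILETIME: 100-ns ticks since 1601-01-01 UTC;
                      0 means "user must change password at next logon".
  maxPwdAge           on the domain object; a NEGATIVE 100-ns interval;
                      0 or -2**63 means no maximum password age.
  userAccountControl  bit 0x10000 (DONT_EXPIRE_PASSWD) = "Password never expires".
Ordering assumption: pwdLastSet == 0 is checked before the never-expires flag.
All sample values below are constructed; work\\auser is the thread's example user.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl flag
NO_MAX_AGE = -0x8000000000000000       # AD sentinel for "no maximum age"
TICKS_PER_DAY = 24 * 3600 * 10_000_000  # 100-ns ticks in one day


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME; integer arithmetic so it stays exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_state(pwd_last_set: int, max_pwd_age: int,
                   user_account_control: int, now: datetime):
    """Return (state, expiry). state is one of 'must-change', 'never-expires',
    'valid', 'expired'; expiry is the computed expiry time or None."""
    if pwd_last_set == 0:
        return "must-change", None
    if user_account_control & DONT_EXPIRE_PASSWD:
        return "never-expires", None
    if max_pwd_age in (0, NO_MAX_AGE):
        return "never-expires", None
    # maxPwdAge is negative, so subtracting it adds the password lifetime.
    expiry = filetime_to_datetime(pwd_last_set - max_pwd_age)
    return ("expired" if now >= expiry else "valid"), expiry


def reset_reached_directory(before: dict, after: dict) -> bool:
    """True if pwdLastSet read AFTER the password change is newer than the
    value read BEFORE it, i.e. the change actually landed on the queried DC."""
    return after["pwdLastSet"] > before["pwdLastSet"]


def diagnose(before: dict, after: dict, max_pwd_age: int, now: datetime) -> str:
    """Classify an 'expired' verdict seen after a password change:
    'not-replicated'  the change never reached the DC that was queried
    'acs-side'        AD now reports the password usable, so the verdict
                      is not coming from the directory
    'ad-side'         AD itself still reports the password as unusable."""
    if not reset_reached_directory(before, after):
        return "not-replicated"
    state, _ = password_state(after["pwdLastSet"], max_pwd_age,
                              after["userAccountControl"], now)
    return "acs-side" if state in ("valid", "never-expires") else "ad-side"


# Constructed sample data: 42-day domain policy, normal account (0x200),
# snapshots taken around the time of the original post.
MAX_PWD_AGE_42_DAYS = -42 * TICKS_PER_DAY
NOW = datetime(2011, 6, 27, 21, 53, tzinfo=timezone.utc)
BEFORE = {  # last set 1 May 2011 -> expired 12 June 2011
    "pwdLastSet": datetime_to_filetime(datetime(2011, 5, 1, tzinfo=timezone.utc)),
    "userAccountControl": 0x200,
}
AFTER = {   # changed over VPN at 20:00 on 27 June 2011
    "pwdLastSet": datetime_to_filetime(datetime(2011, 6, 27, 20, 0, tzinfo=timezone.utc)),
    "userAccountControl": 0x200,
}

if __name__ == "__main__":
    for label, snap in (("before", BEFORE), ("after", AFTER)):
        state, expiry = password_state(snap["pwdLastSet"], MAX_PWD_AGE_42_DAYS,
                                       snap["userAccountControl"], NOW)
        print(f"work\\auser {label}: {state} (expiry {expiry})")
    print("verdict:", diagnose(BEFORE, AFTER, MAX_PWD_AGE_42_DAYS, NOW))
```

If the 'after' snapshot already computes as valid yet ACS still reports the password expired, the directory is not the source of the verdict, which is the kind of evidence that separates a replication or OWA problem from an ACS-side one. On 2008-level or newer DCs the constructed attribute msDS-UserPasswordExpiryTimeComputed returns the DC's own answer and can be used to cross-check the arithmetic here.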
06-27-2011 10:33 PM
Do you have any patches installed?
I think you may be encountering the following issue:
CSCtd99822: AD users with expired passwords fail authentication
Description of the issue from the bug is as follows:
1. Create a user account, set the password lifetime to be short, wait for the password to expire
2. They try to authenticate with the expired password.
3. ACS 5.1 does an AD lookup and finds the password is expired.
4. Manually reset the password.
5. Attempt to authenticate.
6. ACS 5.1 still sees their account/password as expired.
This issue is solved in Cumulative patch 5.1.0.44.2
If the patch is relevant you may decide to download and install the latest 5.1 patch: 5.1.0.44.6
The patch can be downloaded from CCO
06-27-2011 10:34 PM
Thanks, I will have a look and see if I have any patches installed.
06-27-2011 11:14 PM
Hmm, it seems I have lost my CLI password!!!
You wouldn't know a password recovery process, would you? It is on VMware :-)
Thanks
Brad
06-27-2011 11:20 PM
The following is the procedure I am familiar with:
If you are not able to log in to the system due to loss of the administrator password, you can use the ACS 5.1 Recovery DVD to reset the administrator password.
To reset the administrator password:
Step 1 Power up the appliance.
Step 2 Insert the ACS 5.1 Recovery DVD.
The console displays:
Welcome to Cisco Secure ACS 5.1 Recovery - CSACS 1121
To boot from hard disk press
Available boot options:
[1] Cisco Secure ACS 5.1 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS 5.1 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
Please enter boot option and press
boot:
Step 3 To reset the administrator password, at the system prompt, enter 3 if you are using a keyboard and video monitor, or enter 4 if you are using a serial console port.
06-27-2011 11:22 PM
Thank you Sir!
06-28-2011 04:10 PM
Last question... where can I get the Recovery CD? Can I download it from Cisco?
06-29-2011 10:15 PM
I am not able to find an external link to download this CD. I suggest checking with your account team or similar.