Cannot change AD user password from ASA

tarekaljallad
Level 1

ASA running 8.4. I have password-management enabled on the tunnel group, LDAP over SSL enabled, yet when I test by setting an account to require password change after next login, the New Password Required page loads (clientless) and allows new password to be entered. After hitting continue, it returns to the username login page with this message above the username field

"Cannot complete password change because the password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements."

Yet I'm able to change the password at the same time from a workstation, so there is no gp policy that is denying the password change. We have it set to minimum days 0 and no complexity required. I am meeting the minimum length.

A debug output when I hit continue after entering the new password:

[10068] Session Start
[10068] New request Session, context 0x74637d10, reqType = Modify Password
[10068] Fiber started
[10068] Creating LDAP context with uri=ldaps://192.168.102.15:636
[10068] Connect to LDAP server: ldaps://192.168.102.15:636, status = Successful
[10068] supportedLDAPVersion: value = 3
[10068] supportedLDAPVersion: value = 2
[10068] Binding as asauser
[10068] Performing Simple authentication for asauser to 192.168.102.15
[10068] LDAP Search:
        Base DN = [DC=subdomain,DC=company,DC=com]
        Filter  = [userPrincipalName=useraccount@company.com]
        Scope   = [SUBTREE]
[10068] User DN = [CN=useraccount,CN=Users,DC=subdomain,DC=company,DC=com]
[10068] Talking to Active Directory server 192.168.102.15
[10068] Reading password policy for useraccount@company.com, dn:CN=useraccount,CN=Users,DC=subdomain,DC=company,DC=com
[10068] Read bad password count 0
[10068] Modify Password for useraccount@company.com successfully converted password to unicode
[10068] Fiber exit Tx=759 bytes Rx=2959 bytes, status=-1
[10068] Session End

Accepted Solution

Herbert Baerten
Cisco Employee

If "asauser" is not yet a member of the "account operators" group, add it to this group.

There is an enhancement request to make this work without special privileges, see:

CSCtq54856    ENH: Support for Password Management w/o LDAP Login DN Admin Privileges

hth

Herbert

EDIT:

Just to clarify further for those hitting this thread in search of a solution to the same problem: the "asauser" in the example above is the user that is configured in the ASA's LDAP settings:

aaa-server ldap protocol ldap
aaa-server ldap (inside) host 10.0.0.2
 server-port 636
 ldap-base-dn cn=users,dc=CISCOTEST,dc=COM
 ldap-login-password *****
 ldap-login-dn asauser
 ldap-over-ssl enable
 server-type microsoft

So only this user (the one defined with "ldap-login-dn") needs to be in the Account Operators group, not all VPN users.
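To see what the ldap-login-dn account is actually being asked to do on the domain controller, here is an added Python example (not Cisco's code and not from this thread) that performs the same unicodePwd replace over LDAPS with the third-party ldap3 package and maps the LDAP result code to the two causes discussed above: a genuine policy rejection versus the bind account lacking the reset right. The host, bind identity, user DN and the assumption that the DC certificate chain is trusted locally are placeholders.

```python
"""Added example: perform the unicodePwd reset the ASA's ldap-login-dn account does,
and translate the LDAP result into the causes discussed in this thread.
Not Cisco code; needs the third-party ldap3 package (pip install ldap3) to connect."""
import ssl

# LDAP result codes (RFC 4511) as Active Directory returns them for unicodePwd writes.
RESULT_HINTS = {
    0: "success: the bind account has the Reset Password right on this user",
    19: "constraintViolation: AD itself rejected the value (length, complexity or "
        "history policy; the server message usually carries 0000052D)",
    50: "insufficientAccessRights: the bind account lacks Reset Password on the user; "
        "add it to Account Operators or delegate that right on the OU",
    53: "unwillingToPerform: unicodePwd is only writable over an encrypted session "
        "(LDAPS or StartTLS), check ldap-over-ssl",
}


def encode_unicode_pwd(new_password: str) -> bytes:
    """AD accepts unicodePwd only as a UTF-16-LE string wrapped in double quotes."""
    return f'"{new_password}"'.encode("utf-16-le")


def explain_result(result: dict) -> str:
    """Turn an ldap3 conn.result dict into a one-line diagnosis."""
    code = result.get("result")
    hint = RESULT_HINTS.get(code, "unhandled result code, inspect the server message")
    message = (result.get("message") or "").strip()
    return f"result={code} ({result.get('description')}): {hint} [{message}]"


def reset_password_as_bind_account(host: str, bind_dn: str, bind_pw: str,
                                   user_dn: str, new_pw: str, port: int = 636) -> dict:
    """Replace unicodePwd on user_dn with the rights of bind_dn, over LDAPS, as the ASA does.

    bind_dn is a DN or UPN such as asauser@subdomain.company.com (placeholder).
    Assumes the DC's certificate chain is trusted by the local CA store.
    """
    # Imported here so encode_unicode_pwd/explain_result work without ldap3 installed.
    from ldap3 import Connection, MODIFY_REPLACE, Server, Tls

    server = Server(host, port=port, use_ssl=True, tls=Tls(validate=ssl.CERT_REQUIRED))
    conn = Connection(server, user=bind_dn, password=bind_pw, auto_bind=True)
    try:
        # A single REPLACE is an administrative reset: it needs Reset Password on the
        # target, which is why the accepted answer puts asauser in Account Operators.
        conn.modify(user_dn, {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_pw)])]})
        return dict(conn.result)
    finally:
        conn.unbind()
```

Call reset_password_as_bind_account() with the ASA's bind credentials and the user DN from the debug output, then print explain_result() on the returned dict.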


2 Replies

Hi Herbert,

Ours is a corporate one-forest, one-domain environment. Due to large-company bureaucracy, it may not be possible for us to be given Domain Admin or even Account Operators on the entire domain.

We have delegated authority on each responsible OU.

I know it's easy to just ask and get the group membership. Easier said than done.

Unless this enhancement request is implemented by Cisco, if we are able to bind using a delegated account in our OU, is that going to work?

Thanks,

Sandeep
