Showing results for 
Search instead for 
Did you mean: 

Allowing VPN users to change LDAP password before account expiration


I have configured an ASA to authenticate remote access & SSL VPN to a Microsoft LDAP server using LDAPS. I have configured the LDAP server to enforce the user to change the password at next logon, however I want to enforce additional security to make the user change the password before the account expires on the Windows DC. The problem I have is that even though I set user account on the DC to expire and enforce "interactive logon; prompt user to change password before expiration", the user is never prompted when attempting to login via VPN within the days left to expiration. Can anyone help.

2 Replies 2

Todd Pula
Rising star
Rising star

Have you configured the "password-management password-expire-in-days X" command under the tunnel group in question?

Apologies for the delay in my reply. In answer to your question, yes this was configured. I do now have a working solution except for one thing, the password hostory function does not work when enabled on the domain controller, users can change back to a password they have used previously. I am going to start a new thread regarding this issue, however if you know an answer then please let me know.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers