687 Views | 5 Helpful | 1 Replies

LDAPS with Azure MFA product...Password Expiration

mwkirk
Level 1

So,

We are trying to set up Azure MFA with Cisco ASA version 9.1. The product works fine, but when a password expires the AnyConnect client prompts for the password change and then gets a message stating that the password does not meet the policy requirements. The password should meet the requirements, but we still receive this message each time.

In the ASA logs the error message is:

AAA authentication rejected: reason = password malformed : server = mfaserver : user=*****

In the MFA logs we see the message:

Observed password change request for user "user DN" , but request came on unbound Ldap connection

Failed to read from server DomainController network connection was aborted by the local system

We have tickets open with Microsoft and Cisco regarding the incident which both say it is the other's issue.  I can provide more details but wanted to see if anyone has seen an issue similar to this.

TIA

Mike

1 Reply

Jatin Katyal
Cisco Employee

Hi Mike,
The Login DN (the user used for the Binding operation, sometimes called the Binding DN) must have Account Operators privileges for password management changes. I have seen this error in the past when the Login DN account doesn't have sufficient privileges to push this change.

~ Jatin