Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
70840
Views
0
Helpful
9
Replies

Password change using AnyConnect Secure Mobility Client

Fred Hunt
Level 1
Level 1

‎06-04-2013 01:19 PM - edited ‎02-21-2020 06:56 PM

                

Hi,

We are using an ASA 5520, running 8.4(3).  We have users running the AnyConnect Secure Mobility Client 3.1.02026.  I have the AnyConnect connection profile configured to authenticate users using LDAP over SSL.  I enabled the password management and am able to get password change prompts to appear in the AnyConnect client.  However, new passwords are rejected and changing passwords through that prompt does not work.  I'm not sure what the cause of the problem is, since LDAP over SSL is enabled and working, which is required for the password management feature.  I appreciate any assistance from others.

       

3 people had this problem
Labels:
0 Helpful
9 Replies 9

Fred Hunt
Level 1
Level 1

‎06-05-2013 02:01 PM

Some additional information that I realized I should have included.  LDAP over SSL is configured to authenticate with a Windows Server 2008 R2 domain controller that is configured as a read-only domain controller.  From what I have read about read-only domain controllers, password changes should still work because they are forwarded to a writeable domain controller.

Also, we were previously authenticating with writeable domain contollers, but the password management feature wasn't working.  In fact, the same behavior was occurring, password change notification appeared, but password could not be changed.  That is what prompted me to start looking further into proper configuration of the password management feature.  When I observed that LDAP over SSL is a requirement, I changed our configuration to use our read-only domain controller, which already had LDAP over SSL enabled.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee

‎06-05-2013 03:10 PM

You should have account operator rights for a login-Dn account. Without that it won't let you reset the password. If you still face any issues, pls provide the debug ldap 255 from the asa along with show run aaa-server.

Sent from Cisco Technical Support Android App

~Jatin
0 Helpful

Fred Hunt
Level 1
Level 1
In response to Jatin Katyal

‎06-06-2013 07:27 AM

I added the login DN user account to the Account Operators group, but unfortunately that didn't make a difference.  I've attached the output of show run aaa-server and debug ldap 255.

15361648-debug ldap 255.txt.zip
0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Fred Hunt

‎06-06-2013 08:16 AM

The ldap configuration is good on the ASA.

Checking password policy

[38949] Authentication successful for ga-unitymadtest to 192.168.118.5

[38949] now: Thu, 06 Jun 2013 14:13:20 GMT, lastset: Tue, 04 Jun 2013 17:11:29 GMT, delta=162111, maxage=1248204287 secs

[38949] expire in: 7613889 secs, 88 days

[38949] Password expires Mon, 02 Sep 2013 17:11:29 GMT

[38949] Password expiring in 88 day(s),threshold 90 days

!

!

!

[38950] New request Session, context 0x73c4b968, reqType = Modify Password

[38950] Fiber started

[38950] Creating LDAP context with uri=ldaps://192.168.118.5:636

[38950] Connect to LDAP server: ldaps://192.168.118.5:636, status = Successful

[38950] supportedLDAPVersion: value = 3

[38950] supportedLDAPVersion: value = 2

[38950] Binding as sa-asa

[38950] Performing Simple authentication for sa-asa to 192.168.118.5

[38950] LDAP Search:

        Base DN = [DC=erdman,DC=com]

        Filter  = [sAMAccountName=ga-unitymadtest]

        Scope   = [SUBTREE]

[38950] User DN = [CN=ga-UnityMADTEST,OU=Resource,OU=Accounts,OU=\#Production,DC=erdman,DC=com]

[38950] Talking to Active Directory server 192.168.118.5

[38950] Reading password policy for ga-unitymadtest, dn:CN=ga-UnityMADTEST,OU=Resource,OU=Accounts,OU=\#Production,DC=erdman,DC=com

[38950] Read bad password count 0

[38950] Modify Password for ga-unitymadtest successfully converted password to unicode

Above I can see that you go a prompt to change the password and it didn't work. What did you get on the vpn client side? Have you checked the LDAP event viewer logs for the corresponding hit.

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful

Fred Hunt
Level 1
Level 1
In response to Jatin Katyal

‎06-06-2013 10:17 AM

Oddly, the message that I receive in the VPN client is:
Cannot complete password change because the password does not meet the password policy requirements.

I know that the password I am entering meets the requirements that we set and I've tried different passwords.

I enabled Basic level logging of LDAP Interface Events in the Directory Services event log.  The following entry corresponds with when I am logging in and prompted to change the password:

Source: ActiveDirectory_DomainService

Event ID: 1535

Internal event: The LDAP server returned an error.

Additional Data

Error value:

0000202B: RefErr: DSID-03153440, data 0, 1 access points

ref 1: 'MADDC02.erdman.com'

In one instance, this is the error that is logged:

Internal event: The LDAP server returned an error.

Additional Data

Error value:

80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I don't see anything that looks relevant logged in the Directory Services log on MADDC02, which is referenced above.

Something else about this crossed my mind.  The two RWDCs don't have LDAP over SSL enabled on them.  Since the RODC is passing through the password change to a RWDC, I wonder if this is a problem.  However, I would think that the password change passthru isn't still using LDAP over SSL.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Fred Hunt

‎06-06-2013 10:23 AM

that was what I thought initially.

Verifying an LDAPS connection

After a certificate is installed, follow these steps to verify             that LDAPS is enabled:

  1. Start the Active Directory Administration Tool                     (Ldp.exe).

    Note This program is installed in the Windows 2000 Support Tools.On the Connection menu, click Connect

.

  1. Type the name of the domain controller to which you want to connect.
  2. Type 636 as the port number.
  3. Click OK.

You may also test via a softerra browser and check whether LDAP server listen on port 636. This is one of the reliable method.

http://www.ldapbrowser.com/download.htm

How to enable LDAP over SSL with a third-party certification authority

http://support.microsoft.com/kb/321051

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful

Fred Hunt
Level 1
Level 1
In response to Jatin Katyal

‎06-06-2013 10:33 AM

When first troubleshooting the problem, I used ldp.exe to verify LDAP over SSL on the RODC.  LDAP over SSL is not enabled on the RWDCs. 

We don't have a need for LDAP over SSL on the other DCs for any other applications, so it's never been setup.  If it's the next best thing to try, I can work on getting that setup.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Fred Hunt

‎06-06-2013 10:49 AM

The server should be configured to communicate over ssl i.e port 636 so if it's not we need to follow the steps mentioned here

How to enable LDAP over SSL with a third-party certification authority

http://support.microsoft.com/kb/321051

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful

Fred Hunt
Level 1
Level 1
In response to Jatin Katyal

‎06-06-2013 11:02 AM

The server that the ASA is authenticating through does have LDAP over SSL enabled.  I will work on enabling it on the other servers in order to rule it out as an issue.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents