SSLVPN Portal password management issue

johanhaara
Level 1

Hello,

I'm trying to set up an SSLVPN Portal for our customer which will authenticate against Active Directory using LDAP over SSL and with the portal have the ability to change password if it has expired. I have managed to set up everything now except for the password reset which is giving me a headache.

This is the message that's presented by the portal when I try to change the password even though the same password works when I change it on a PC instead of using the portal.

"Cannot complete password change because the password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements."

And below is the output of ldap debug on the ASA5510 the Portal is running on.

[473] Session Start

[473] New request Session, context 0xadbe760c, reqType = Modify Password

[473] Fiber started

[473] Creating LDAP context with uri=ldaps://x.x.x.x:3269

[473] Connect to LDAP server: ldaps://x.x.x.x:3269, status = Successful

[473] supportedLDAPVersion: value = 3

[473] supportedLDAPVersion: value = 2

[473] Binding as cisco.sslvpn

[473] Performing Simple authentication for cisco.sslvpn to x.x.x.x

[473] LDAP Search:

        Base DN = [DC=contoso,DC=com]

        Filter  = [userPrincipalName=test.user@contoso.com]

        Scope   = [SUBTREE]

[473] User DN = [CN=TestUser,OU=Users,DC=contoso,DC=com]

[473] Talking to Active Directory server x.x.x.x

[473] Reading password policy for test.user@contoso.com, dn:CN=TestUser,OU=Users,DC=contoso,DC=com

[473] Change Password for test.user@contoso.com successfully converted old password to unicode

[473] Change Password for test.user@contoso.com successfully converted new password to unicode

[473] (test.user@contoso.com) modify failed, code(53) Server is unwilling to perform

[473] Fiber exit Tx=819 bytes Rx=2303 bytes, status=-1

[473] Session End

Resetting 10.238.241.188's numtries

Anyone have any idea how to solve the issue?

Regards

Haara


Gustavo Medina
Cisco Employee

Hello,

Check if the login dn (cisco.sslvpn) has enough privileges to perform account change operations.

Thanks for the reply, yes I have verified that the account has the correct privileges and I've also tried with another account that has enterprise admin privileges to verify if that was an issue but I got the same result with that account.

Regards,
Haara

Sent from Cisco Technical Support iPhone App

Hello,

I just took a look at the debugs you attached in your post and I know what the problem is. The ASA requires the following LDAP attributes for password management operations:

/* Active directory password management attributes */

#define AD_USER_ACCOUNT_CONTROL "userAccountControl"

#define AD_PWD_LAST_SET "pwdLastSet"

#define AD_ACCOUNT_EXPIRES "accountExpires"

#define AD_BAD_PWD_COUNT "badPwdCount"

#define AD_MAX_PWD_AGE "maxPwdAge"

#define AD_MIN_PWD_LENGTH "minPwdLength"

#define AD_PWD_PROPERTIES "pwdProperties"

But from the debugs I see you are using a Global Catalog Server and this server does not return these values.

http://msdn.microsoft.com/en-us/library/ms675090(v=VS.85).aspx

You will need to use LDAP over SSL with an MS AD.

Refer to CSCtq29583

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq29583

-Gustavo
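
The diagnosis in the reply above, as an added example that is not part of the original thread or Cisco's own tooling: a Python sketch that reads `debug ldap` output of the form posted in the question and flags Modify Password sessions sent to a Global Catalog port. The function name, the sample lines and the address 192.0.2.10 are constructed for illustration.

```python
import re

GC_PORTS = {3268, 3269}  # Global Catalog listeners: 3268 (LDAP), 3269 (LDAP over SSL)
SESSION_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")
URI_RE = re.compile(r"uri=(ldaps?)://([^:\s,]+)(?::(\d+))?")
FAIL_RE = re.compile(r"modify failed, code\((\d+)\)")

def analyze(debug_text):
    """Group 'debug ldap' lines by session id; report each password-change session."""
    sessions = {}
    for raw in debug_text.splitlines():
        m = SESSION_RE.match(raw.strip())
        if not m:
            continue  # continuation lines (Base DN, Filter, ...) carry no session id
        sid, msg = m.groups()
        s = sessions.setdefault(
            sid, {"session": sid, "req": None, "port": None, "code": None})
        if "reqType =" in msg:
            s["req"] = msg.split("reqType =", 1)[1].strip()
        uri = URI_RE.search(msg)
        if uri:
            scheme, _host, port = uri.groups()
            # No explicit port: fall back to the scheme default.
            s["port"] = int(port) if port else (636 if scheme == "ldaps" else 389)
        fail = FAIL_RE.search(msg)
        if fail:
            s["code"] = int(fail.group(1))
    findings = []
    for s in sessions.values():
        if s["req"] != "Modify Password":
            continue
        s["global_catalog"] = s["port"] in GC_PORTS
        if s["global_catalog"]:
            s["advice"] = "Global Catalog port: use LDAP over SSL to a DC (636) instead"
        elif s["code"] is not None:
            s["advice"] = "not a GC port: check bind DN privileges and password policy"
        else:
            s["advice"] = "no modify failure logged"
        findings.append(s)
    return findings

# Constructed sample, modelled on the debug output in the question.
SAMPLE = """[473] New request Session, context 0xadbe760c, reqType = Modify Password
[473] Creating LDAP context with uri=ldaps://192.0.2.10:3269
        Base DN = [DC=contoso,DC=com]
[473] (test.user@contoso.com) modify failed, code(53) Server is unwilling to perform"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```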

I do agree with Gustavo. If you have integrated the ASA with the GC, it may not work due to the presence of the internally found enhancement. I guess you are using port 3269 because of a multi-domain environment or LDAP referrals.

If you have no option to use port 636, then your best bet would be to use RADIUS. With RADIUS, VPN users will be able to change the password, but they won't see any notification prior to password expiry.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Hello,

I see you rated this with 4 stars, is anything not clear?