I'm currently implementing AD authentication to our VPN gateways.
I'd prefer to have a direct communication between the concentrator and the domain controller, which is possible when Kerberos is being used.
On the other hand, we'll need the possibility to change expired AD passwords, which could be done using "Radius with Expiry".
For some reasons I can't activate IAS on the AD servers, and I can't find a protocol that allows the users to alter an expired password and uses direct AD communication.
Do you have any suggestions, ideas?