Allowing VPN users to change LDAP password before account expiration

Unanswered Question
Aug 14th, 2009

I have configured an ASA to authenticate remote access & SSL VPN to a Microsoft LDAP server using LDAPS. I have configured the LDAP server to enforce the user to change the password at next logon; however, I want to enforce additional security to make the user change the password before the account expires on the Windows DC. The problem I have is that even though I set the user account on the DC to expire and enforce "Interactive logon: Prompt user to change password before expiration", the user is never prompted when attempting to log in via VPN within the days left to expiration. Can anyone help?

Todd Pula Mon, 08/17/2009 - 06:26

Have you configured the "password-management password-expire-in-days X" command under the tunnel group in question?
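
For context, this is an added example of where that command sits in an ASA configuration, together with an LDAPS server definition of the kind the question describes. It is not configuration posted by either participant; the server-group name, host address, DNs, tunnel-group name and the 14-day value are placeholders to adapt.

```cisco
! AD server group, queried over LDAPS (port 636). The ASA can only push
! password changes to Active Directory over SSL, so ldap-over-ssl is
! required for password management to work at all.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-account-password>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
!
! Tunnel group used by the remote-access / SSL VPN clients. The
! password-management line makes the ASA warn users whose password will
! expire within the given number of days and offer a change at login.
tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group LDAP-AD
 default-group-policy REMOTE-VPN-POLICY
 password-management password-expire-in-days 14
```

Two things to check when testing this: the bind account in `ldap-login-dn` must have the rights to change user passwords in AD, and the warning is driven by password expiry (the user's `pwdLastSet` against the domain's maximum password age), which is a separate thing from an account's expiry date set on the DC.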

paultribe Thu, 08/27/2009 - 02:49

Apologies for the delay in my reply. In answer to your question, yes, this was configured. I do now have a working solution except for one thing: the password history function does not work when enabled on the domain controller; users can change back to a password they have used previously. I am going to start a new thread regarding this issue; however, if you know an answer then please let me know.
