Can't get password expiry to work - ASA 5520 VPN and Active Directory

Unanswered Question
Jul 26th, 2010

Hi - I'm replacing an old VPN 3000 series concentrator with a 5520, and one of the main reasons is so that we can have AD passwords expire.  I've gotten to the point where I log in successfully, and if I set the AD account to "Change password on next logon", the VPN client prompts me to enter a new password.  But when I do, it simply says "Authentication Failed" and I'm back at the client login window.  In the log I get this message:

AAA user authentication Rejected : reason = LDAP server is unwilling to modify password : server = x.x.x.x : user = me.test

I haven't been able to find anything that matches that reason for failure.  Hoping someone can help.

I did try to log in and change the password without going through VPN, and that works fine.  So - login through VPN is fine, changing the password when not going through VPN is fine, but trying to change the password through VPN isn't working.  I've been stuck here for a while.  Any help or guidance is greatly appreciated.  Thanks much.

Victor Magnani

College of Staten Island, CUNY

mulatif Wed, 07/28/2010 - 11:04

Are you using ldap-over-ssl to connect the ASA to the AD? This is a requirement.

If yes, then is the LDAP binding account at least a member of the "Account Operator" group? Perhaps make it a member of the Administrator group for testing.



vmagnanijr Thu, 07/29/2010 - 08:26

Hi - thanks for the response.  I didn't know that LDAP-over-SSL was a requirement.  I don't have that running.  Since setting up a CA server will require a reboot, I'll have to wait till this weekend to make the change.  I'll let you know how I make out.


mulatif Thu, 07/29/2010 - 08:44


You don't need a CA server on the same AD Server to have SSL enabled on the Windows AD Server.

See this from Microsoft

After you have completed the above part, then in the ASA you need to configure "ldap-over-ssl enable" in the "aaa-server" group that you defined for LDAP.
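As an added illustration (not part of this thread's replies), here is the shape of an ASA aaa-server and tunnel-group configuration that puts the LDAP session over SSL so that AD will accept the password modify; the server group name AD_LDAP, the tunnel-group name VPN_USERS, the address 192.0.2.10, the DNs and the binding account are placeholder assumptions.

```cisco
! Placeholder server group name; the host address and DNs are assumed values
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 ! Port 636 is the standard LDAPS port; AD will not change a password over plain 389
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=edu
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Binding account: needs rights to reset passwords (e.g. Account Operators membership)
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=edu
 ldap-login-password <placeholder-bind-password>
 server-type microsoft

! The tunnel group must request password management for the expiry prompt to appear
tunnel-group VPN_USERS general-attributes
 authentication-server-group AD_LDAP
 ! Warn users this many days before expiry; the value is an example
 password-management password-expire-in-days 3
```

Without `ldap-over-ssl enable` and port 636 the bind and login still succeed, which is why authentication works while only the password change is rejected with "unwilling to modify password".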


vmagnanijr Wed, 08/11/2010 - 11:33

Sorry I didn't respond sooner - that did the trick, thanks!


