Anyconnect VPN is not changing AD Password

mike.szewczyk
Level 1

I believe I have everything configured correctly.  But clearly I'm missing something.  Users can authenticate and that all works.  If I expire a password, it recognizes that it is expired.  It recognizes that part of our password policy requires 7 characters.  I enter a new password that fits the policy and I get the error message:

"Cannot complete password change because the password does not meet the password policy requirements"

Here is a debug of the session when I attempt to change the password.

[62865] Session Start
[62865] New request Session, context 0xabb4ddd8, reqType = Modify Password
[62865] Fiber started
[62865] Creating LDAP context with uri=ldaps://192.168.8.1:636
[62865] Connect to LDAP server: ldaps://192.168.8.1:636, status = Successful
[62865] supportedLDAPVersion: value = 3
[62865] supportedLDAPVersion: value = 2
[62865] Binding as LDAP User
[62865] Performing Simple authentication for LDAP User to 192.168.8.1
[62865] LDAP Search:
        Base DN = [ou=People, dc=<redacted>, dc=com]
        Filter  = [sAMAccountName=<redacted>]
        Scope   = [SUBTREE]
[62865] User DN = [CN=<redacted>,OU=Woodstock,OU=People,DC=<redacted>,DC=com]
[62865] Talking to Active Directory server 192.168.8.1
[62865] Reading password policy for <redacted>, dn:CN=<redacted>,OU=Woodstock,OU=People,DC=<redacted>,DC=com
[62865] Read bad password count 0
[62865] Fiber exit Tx=737 bytes Rx=6827 bytes, status=-1
[62865] Session End

I redacted the user account and domain information.

8 Replies

Hi Mike,

Please make sure that the ldap-login (AD user) used to bind the connection to the DB belongs to the Account Operators group in AD or that such user has enough rights to change the password.

HTH.

Yes, that is one of the first things I did.

A couple of common remedies that I've found with AD Password change problems are either not having Secure LDAP set up correctly, or the LDAP user not being in the correct group.

The LDAP user is in the Account Operators Active Directory security group.

Do you see any log on AD?

In Event Viewer on the domain controller, under security, I only see that the logon has failed.

Failure Information:
    Failure Reason:    The specified account's password has expired.
    Status:            0xc0000224
    Sub Status:        0x0

That is the only message in the event viewer that I've been able to find.

I was able to resolve the problem, but not satisfactorily.  I changed the LDAP account privileges from "Account Operators" to "Domain Admins" and now the password change works.

It's nice that it works, but I don't like the idea of having a Domain Admin account embedded on an edge device.

I've read over and over that "Account Operators" is what the LDAP user should be set to.  Is there another group that is also required?

I have seen that before. Are you using a Service Account?

Make sure the Account Operators group has the permission to change the password.

Regards,

Please rate any helpful posts.

I have found the answer.

The "Account Operators" group can change user information, except it cannot change the Domain Administrators group or any of its members.

I was using my own account for testing and I am in the Domain Admins group.  When I created a typical user account with which to test, the password change worked with the LDAP account user being in the "Account Operators" group only.

So you were trying to change the password for an account that belongs to the Administrators group.

Glad to know you found your issue, 5 stars!

Please rate any helpful posts.
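The resolution above comes down to two separate AD checks that the ASA's generic "does not meet the password policy requirements" message lumps together: whether the bind account is allowed to reset the target at all (Account Operators cannot touch AdminSDHolder-protected accounts such as Domain Admins members, which carry adminCount=1), and whether the new password satisfies the domain's length and complexity rules. The following Python is an added example written for this thread; it is not code from the original poster, from Cisco, or from the ASA. It assumes a bind account that sits only in Account Operators, a minimum password length of 7 (the policy mentioned in the question), and, for the live function only, the third-party ldap3 library and an AD server at ldaps://192.168.8.1:636 (the address in the posted debug). The sample directory entries are constructed, not real data.

```python
"""Pre-flight checks for an AD password reset over LDAPS, plus the
reset itself.  Added example for the thread; assumptions are marked."""
import re

# Constructed sample search results shaped like the ASA's sAMAccountName
# lookup.  The first mirrors the thread's root cause: a Domain Admins
# member, which AdminSDHolder marks with adminCount=1.
SAMPLE_ADMIN_ENTRY = {
    "dn": "CN=Mike,OU=Woodstock,OU=People,DC=example,DC=com",
    "sAMAccountName": "mike",
    "displayName": "Mike Szewczyk",
    "adminCount": 1,
}
SAMPLE_USER_ENTRY = {
    "dn": "CN=Test User,OU=Woodstock,OU=People,DC=example,DC=com",
    "sAMAccountName": "tuser",
    "displayName": "Test User",
    "adminCount": None,  # attribute is absent on ordinary users
}

# Delimiters AD uses to split displayName into tokens for the complexity check.
_DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def encode_unicode_pwd(password):
    """AD's unicodePwd attribute wants the new password wrapped in double
    quotes and encoded as UTF-16-LE with no byte-order mark."""
    return '"{}"'.format(password).encode("utf-16-le")


def meets_ad_complexity(password, sam_account_name, display_name, min_length=7):
    """AD default complexity rules; min_length stands in for the domain's
    minPwdLength (assumed 7, as in the thread).  Returns (ok, reason)."""
    if len(password) < min_length:
        return False, "shorter than minPwdLength={}".format(min_length)
    lowered = password.lower()
    # Neither the sAMAccountName (if 3+ chars) nor any 3+ char displayName
    # token may appear in the password, case-insensitively.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False, "contains sAMAccountName"
    for token in _DISPLAY_NAME_DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False, "contains displayName token {!r}".format(token)
    # At least three of the five character classes must be present.
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any("0" <= c <= "9" for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    if sum(classes) < 3:
        return False, "fewer than 3 of 5 character classes"
    return True, "ok"


def account_operators_can_reset(entry):
    """Account Operators can reset ordinary users but not accounts protected by
    AdminSDHolder (Domain Admins, Administrators, etc. and their members); those
    carry adminCount=1 and an ACL without Reset Password for Account Operators.
    Returns (ok, reason)."""
    admin_count = entry.get("adminCount")
    if admin_count is not None and int(admin_count) == 1:
        return False, "target has adminCount=1 (AdminSDHolder-protected)"
    return True, "ok"


def preflight(entry, new_password, min_length=7):
    """Run both checks before sending the modify.  Returns (ok, reason)."""
    ok, reason = account_operators_can_reset(entry)
    if not ok:
        return False, reason
    return meets_ad_complexity(new_password, entry["sAMAccountName"],
                               entry.get("displayName") or "", min_length)


def reset_password_over_ldaps(host, bind_dn, bind_password, base_dn,
                              sam_account_name, new_password):
    """Repeat the ASA's sequence from the debug (bind as the LDAP login, search
    by sAMAccountName, modify) with the pre-flight check in between.  Needs
    ldap3 and network access; assumption, not exercised offline."""
    import ssl
    from ldap3 import ALL, MODIFY_REPLACE, SUBTREE, Connection, Server, Tls
    from ldap3.utils.conv import escape_filter_chars

    server = Server(host, port=636, use_ssl=True,
                    tls=Tls(validate=ssl.CERT_REQUIRED), get_info=ALL)
    conn = Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    conn.search(base_dn,
                "(sAMAccountName={})".format(escape_filter_chars(sam_account_name)),
                SUBTREE, attributes=["sAMAccountName", "displayName", "adminCount"])
    if not conn.entries:
        raise LookupError("user not found under {}".format(base_dn))
    found = conn.entries[0]
    attrs = found.entry_attributes_as_dict
    entry = {
        "dn": found.entry_dn,
        "sAMAccountName": (attrs.get("sAMAccountName") or [sam_account_name])[0],
        "displayName": (attrs.get("displayName") or [""])[0],
        "adminCount": (attrs.get("adminCount") or [None])[0],
    }
    ok, reason = preflight(entry, new_password)
    if not ok:
        raise PermissionError(reason)
    # MODIFY_REPLACE is an administrative reset and needs the Reset Password
    # right; a user changing their own password deletes the old value and
    # adds the new one instead.
    conn.modify(entry["dn"], {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]})
    return conn.result
```

Run `preflight` against the entry the ASA resolves before blaming the policy: for SAMPLE_ADMIN_ENTRY it fails on adminCount, which is exactly the case in the thread, while SAMPLE_USER_ENTRY passes and the modify goes through with the bind account in Account Operators only. The check also explains why promoting the bind account to Domain Admins "fixed" it, and why that is the wrong fix for a credential stored on an edge device.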
