Cisco Support Community

New Member

Anyconnect VPN is not changing AD Password

I believe I have everything configured correctly.  But clearly I'm missing something.  Users can authenticate and that all works.  If I expire a password, it recognizes that it is expired.  It recognizes that part of our password policy requires 7 characters.  I enter a new password that fits the policy and I get the error message:

"Cannot complete password change because the password does not meet the password policy requirements"

Here is a debug of the session when I attempt to change the password.

[62865] Session Start
[62865] New request Session, context 0xabb4ddd8, reqType = Modify Password
[62865] Fiber started
[62865] Creating LDAP context with uri=ldaps://192.168.8.1:636
[62865] Connect to LDAP server: ldaps://192.168.8.1:636, status = Successful
[62865] supportedLDAPVersion: value = 3
[62865] supportedLDAPVersion: value = 2
[62865] Binding as LDAP User
[62865] Performing Simple authentication for LDAP User to 192.168.8.1
[62865] LDAP Search:
        Base DN = [ou=People, dc=<redacted>, dc=com]
        Filter  = [sAMAccountName=<redacted>]
        Scope   = [SUBTREE]
[62865] User DN = [CN=<redacted>,OU=Woodstock,OU=People,DC=<redacted>,DC=com]
[62865] Talking to Active Directory server 192.168.8.1
[62865] Reading password policy for <redacted>, dn:CN=<redacted>,OU=Woodstock,OU=People,DC=<redacted>,DC=com
[62865] Read bad password count 0
[62865] Fiber exit Tx=737 bytes Rx=6827 bytes, status=-1
[62865] Session End

I redacted the user account and domain information.

8 REPLIES

Anyconnect VPN is not changing AD Password

Hi Mike,

Please make sure that the ldap-login (AD user) used to bind the connection to the DB belongs to the Account Operators group in AD, or that such user has enough rights to change the password.

HTH.

New Member

Anyconnect VPN is not changing AD Password

Yes, that is one of the first things I did.

A couple of common remedies that I've found with AD Password change problems are either not having Secure LDAP set up correctly, or the LDAP user not being in the correct group.

The LDAP user is in the Account Operators Active Directory security group.

Anyconnect VPN is not changing AD Password

Do you see any log on AD?

New Member

Anyconnect VPN is not changing AD Password

In Event Viewer on the domain controller, under security, I only see that the logon has failed.

Failure Information:
    Failure Reason:        The specified account's password has expired.
    Status:            0xc0000224
    Sub Status:        0x0

That is the only message in the event viewer that I've been able to find.

New Member

Anyconnect VPN is not changing AD Password

I was able to resolve the problem, but not satisfactorily.  I changed the LDAP account privileges from "Account Operators" to "Domain Admins" and now the password change works.

It's nice that it works, but I don't like the idea of having a Domain Admin account embedded on an edge device.

I've read over and over that "Account Operators" is what the LDAP user should be set to.  Is there another group that is also required?

Anyconnect VPN is not changing AD Password

I have seen that before, are you using a Service Account?

Make sure the Account Operators group has the permission to change the password.

Regards,

Please rate any helpful posts.

New Member

Anyconnect VPN is not changing AD Password

I have found the answer.

The "Account Operators" group can change user information, except it cannot change the Domain Administrators group or any of its members.

I was using my own account for testing and I am in the Domain Admins group.  When I created a typical user account with which to test, the password change worked with the LDAP account user being in the "Account Operators" group only.
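The following is an added example, not code from the thread or from Cisco. It shows what the "Modify Password" request in the original debug transcript carries on the wire (AD's unicodePwd attribute, the new value wrapped in double quotes and UTF-16LE encoded), pulls the request type, target DN and exit status out of a debug transcript like the one in the first post, and runs the pre-flight check that the thread ends on: an Account Operators bind account cannot change the password of a protected account (AdminSDHolder marks those with adminCount=1, which covers Domain Admins members), so the fix is to test with an ordinary user rather than widen the bind account to Domain Admins. The sample transcript, DNs and group names are constructed for the example; the meaning of a non-zero "status=" on the Fiber exit line as failure is taken from the transcript above, not from Cisco documentation.

```python
"""Added example (not from the thread): AD password-change encoding, ASA debug
transcript parsing, and a least-privilege pre-flight check."""
import base64
import re

# Constructed transcript in the shape of the ASA "debug ldap" output above.
SAMPLE_DEBUG = """\
[62865] Session Start
[62865] New request Session, context 0xabb4ddd8, reqType = Modify Password
[62865] Creating LDAP context with uri=ldaps://192.168.8.1:636
[62865] User DN = [CN=testuser,OU=People,DC=example,DC=com]
[62865] Fiber exit Tx=737 bytes Rx=6827 bytes, status=-1
[62865] Session End
"""


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the password in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def build_password_change_ldif(user_dn: str, new_password: str, old_password=None) -> str:
    """LDIF modify record for the two forms AD accepts over LDAPS.

    With old_password: a user-initiated change (delete old value, add new value),
    which only needs the user to know the old password.
    Without it: an administrative reset (replace), which needs reset rights on
    the target object held by the bound account."""
    b64 = lambda b: base64.b64encode(b).decode()
    lines = [f"dn: {user_dn}", "changetype: modify"]
    if old_password is not None:
        lines += ["delete: unicodePwd", f"unicodePwd:: {b64(encode_unicode_pwd(old_password))}", "-",
                  "add: unicodePwd", f"unicodePwd:: {b64(encode_unicode_pwd(new_password))}", "-"]
    else:
        lines += ["replace: unicodePwd", f"unicodePwd:: {b64(encode_unicode_pwd(new_password))}", "-"]
    return "\n".join(lines) + "\n"


DEBUG_LINE = re.compile(r"^\[(\d+)\]\s+(.*)$")


def parse_asa_debug(text: str) -> dict:
    """Extract session id, request type, server, target DN and exit status."""
    info = {"session": None, "req_type": None, "server": None, "user_dn": None, "status": None}
    for raw in text.splitlines():
        m = DEBUG_LINE.match(raw.strip())
        if not m:
            continue
        info["session"], body = m.group(1), m.group(2)
        if body.startswith("New request Session"):
            info["req_type"] = body.split("reqType = ", 1)[1].strip()
        elif body.startswith("Creating LDAP context with uri="):
            info["server"] = body.split("uri=", 1)[1].strip()
        elif body.startswith("User DN = ["):
            info["user_dn"] = body[len("User DN = ["):-1]
        elif body.startswith("Fiber exit"):
            info["status"] = int(body.rsplit("status=", 1)[1])
    return info


def diagnose(info: dict, bind_groups: set, target_admin_count: int) -> str:
    """Explain a failed Modify Password in terms of the bind account's rights.

    target_admin_count is the target user's adminCount attribute: 1 means the
    object is protected by AdminSDHolder (e.g. a Domain Admins member)."""
    failed = info["req_type"] == "Modify Password" and info["status"] not in (None, 0)
    if not failed:
        return "no password-change failure in transcript"
    if target_admin_count == 1 and "Domain Admins" not in bind_groups:
        return ("target is a protected account (adminCount=1); Account Operators "
                "cannot modify it. Retest with an ordinary user instead of making "
                "the bind account a Domain Admin.")
    if "Account Operators" not in bind_groups:
        return "bind account is not in Account Operators and has no delegated reset right"
    return "bind account has the expected group; check LDAPS trust and AD security log"


if __name__ == "__main__":
    info = parse_asa_debug(SAMPLE_DEBUG)
    print(info)
    print(diagnose(info, {"Account Operators"}, target_admin_count=1))
    print(build_password_change_ldif(info["user_dn"], "N3wPassw0rd", "0ldPassw0rd"))
```

Running the block reproduces the thread's outcome: the transcript shows a Modify Password request ending with status=-1, and the diagnosis for a protected target is to change the test subject, not the bind account's privilege.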

Anyconnect VPN is not changing AD Password

So you were trying to change the password for an account that belongs to the Administrators group.

Glad to know you found your issue, 5 stars!

Please rate any helpful posts.
