Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Cannot change AD user password from ASA

ASA running 8.4. I have password-management enabled on the tunnel group, LDAP over SSL enabled, yet when I test by setting an account to require password change after next login, the New Password Required page loads (clientless) and allows new password to be entered. After hitting continue, it returns to the username login page with this message above the username field

"

Cannot complete password change because the password does not meet the password  policy requirements. Check the minimum password length, password complexity, and  password history requirements.

".

Yet I'm able to change the password at the same time from a workstation, so there is no gp policy that is denying the password change. We have it set to minimum days 0 and no complexity required. I am meeting the minimum length.

a debug output when I hit continue after entering new password:

[10068] Session Start

[10068] New request Session, context 0x74637d10, reqType = Modify Password

[10068] Fiber started

[10068] Creating LDAP context with uri=ldaps://192.168.102.15:636

[10068] Connect to LDAP server: ldaps://192.168.102.15:636, status = Successful

[10068] supportedLDAPVersion: value = 3

[10068] supportedLDAPVersion: value = 2

[10068] Binding as asauser

[10068] Performing Simple authentication for asauser to 192.168.102.15

[10068] LDAP Search:

        Base DN = [DC=subdomain,DC=company,DC=com]

        Filter  = [userPrincipalName=useraccount@company.com]

        Scope   = [SUBTREE]

[10068] User DN = [CN=useraccount,CN=Users,DC=subdomain,DC=company,DC=com]

[10068] Talking to Active Directory server 192.168.102.15

[10068] Reading password policy for useraccount@company.com, dn:CN=useraccount,CN=Users,DC=subdomain,DC=company,DC=com

[10068] Read bad password count 0

[10068] Modify Password for useraccount@company.com successfully converted password to unicode

[10068] Fiber exit Tx=759 bytes Rx=2959 bytes, status=-1

[10068] Session End

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Cannot change AD user password from ASA

If "asauser" is not yet a member of the "account operators" group, add it to this group.

There is an enhancement request to make this work without special privileges, see :

CSCtq54856    ENH: Support for Password Management w/o LDAP Login DN Admin Privileges

hth

Herbert

EDIT:

Just to clarify further for those hitting this thread in search for a  solution to the same problem: the "asauser" in the example above is the  user that is configured in the ASA's LDAP settings:

aaa-server ldap protocol ldap

aaa-server ldap (inside) host 10.0.0.2

server-port 636

ldap-base-dn cn=users,dc=CISCOTEST,dc=COM

ldap-login-password *****

ldap-login-dn asauser

ldap-over-ssl enable

server-type microsoft

So only this user (the one defined with "ldap-login-dn") needs to be in the account opertators group, not all vpn users.

2 REPLIES
Cisco Employee

Re: Cannot change AD user password from ASA

If "asauser" is not yet a member of the "account operators" group, add it to this group.

There is an enhancement request to make this work without special privileges, see :

CSCtq54856    ENH: Support for Password Management w/o LDAP Login DN Admin Privileges

hth

Herbert

EDIT:

Just to clarify further for those hitting this thread in search for a  solution to the same problem: the "asauser" in the example above is the  user that is configured in the ASA's LDAP settings:

aaa-server ldap protocol ldap

aaa-server ldap (inside) host 10.0.0.2

server-port 636

ldap-base-dn cn=users,dc=CISCOTEST,dc=COM

ldap-login-password *****

ldap-login-dn asauser

ldap-over-ssl enable

server-type microsoft

So only this user (the one defined with "ldap-login-dn") needs to be in the account opertators group, not all vpn users.

Community Member

Re: Cannot change AD user password from ASA

Hi Herbert,

Ours is a Corporate one forest, one domain environment. Due to large company bureaucracy, it may not be possible that we are given Domain Admin or even Account Operators on entire domain.

We have delegated authority on each responsible OU.

I know its easy to just ask and get the group membership. Easier said than done.

Unless this enhancement request is implemented by Cisco, if we are able to bind using a delegated account in our OU, is that going to work?

Thanks,

Sandeep

5758
Views
10
Helpful
2
Replies
CreatePlease to create content