RichJChristy

asked on

Changing your AD password over VPN

I have a Windows 2008 domain. My users are using a Check Point VPN client to connect to the domain when they are remote. I want to force several users to change their password at the next login. I set the ACL on the user account in AD. When the users try to log in via VPN they are prompted to change their password, but they are not able to do so. It fails every time.

Is there a way to allow a user to change their password over VPN? I would rather they not have to log in to OWA and change their password, or call the HD to have them change it for them.

Thanks
Randy Downs

Try this:
http://www.kreslavsky.com/2008/08/how-to-change-domain-password-remotelly-via-vpn.html

When the user is at home, he is basically logged in to his computer with cached credentials and can't change his password until he connects to the domain.

In order to change the password remotely and force replacement of the cached credentials, the user needs to connect via VPN and, once connected, press Ctrl-Alt-Delete and then "Change password".

After the password is changed he needs to lock the computer by pressing Ctrl-Alt-Delete and then unlock it with the "new" password. That should replace the cached credentials.
RichJChristy (ASKER)

I should add: one of the options I am currently looking into is providing a web-based session that will allow my users to change their password through a web portal.

http://www.passwordmanager.com/en/

But I was hoping there is something I am overlooking that will allow the user to have their password changed when prompted during the VPN login process.
The way I used to have the remote users change their passwords (FortiGate firewall) was to log into the VPN, then do a Ctrl-Alt-Del and 'Change password', and it would change it in AD. We had the same problem with it failing, so the programmer wrote a script that would send them an email 2 weeks prior to remind them to change it.
Don't know if this will help you or not :)
KB
I have seen that site, but it doesn't work for this scenario. Here is what I have, step by step:

Back in Active Directory the user's account has the check box enabled for him to change his password at the next login.

The user logs into his laptop with cached credentials. He loads the VPN client and logs in with his current credentials. A message comes back telling him that he needs to change his password. When he tries to change his password it fails. For some reason the user is not able to change it over VPN, so technically he isn't even able to log in to the VPN, even with the old creds. The client is reading AD because it is telling him he needs to change it (based on the ACL set on his account). For whatever reason it just fails.

How are they authenticated to the VPN device? If it is integrated with AD you can't set "must change password" to true; it will prevent them from connecting to the VPN, and I think webmail also. Look at some password manager applications which allow users to self-manage their passwords and unlock their accounts. Quest Password Manager is one I have used, and ManageEngine also has one.
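An added example (not posted by anyone in this thread): a PowerShell check an admin can run before setting the flag, to see which remote users already carry "User must change password at next logon" (pwdLastSet = 0) or an expired password and would therefore be refused by an AD-integrated VPN logon. It assumes the ActiveDirectory module (RSAT) is installed and uses a constructed list of user names.

```powershell
# Added example: audit remote/VPN users for the "must change password at
# next logon" flag (pwdLastSet = 0) or an expired password, the two states
# that make an AD-integrated VPN logon fail as described in this thread.
# Assumes the ActiveDirectory PowerShell module (RSAT) is available.
Import-Module ActiveDirectory

# Constructed sample list of remote user sAMAccountNames (replace with yours).
$remoteUsers = @('jsmith', 'mjones', 'contractor01')

function Get-VpnLogonBlockers {
    param([string[]]$SamAccountNames)
    foreach ($name in $SamAccountNames) {
        # pwdLastSet is the raw attribute; PasswordExpired is computed by the module.
        $u = Get-ADUser -Identity $name -Properties pwdLastSet, PasswordExpired -ErrorAction SilentlyContinue
        if (-not $u) { Write-Warning "Account not found: $name"; continue }
        [pscustomobject]@{
            User              = $u.SamAccountName
            MustChangeAtLogon = ($u.pwdLastSet -eq 0)
            PasswordExpired   = [bool]$u.PasswordExpired
        }
    }
}

# Report only the accounts that would be refused at VPN logon, so they can be
# handled (on-site change, self-service portal) before the user is stranded.
Get-VpnLogonBlockers -SamAccountNames $remoteUsers |
    Where-Object { $_.MustChangeAtLogon -or $_.PasswordExpired } |
    Format-Table -AutoSize
```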
Maybe this will help:
http://www.petri.co.il/forums/showthread.php?t=35807


So this morning I enacted my password policy, and a number of our VPN users have reported issues.

first guy:
I get 'permission denied' when i try to change my password

second guy:
laptop hangs when i click on change password


So my workaround has been to get them to log on to a remote session in the office and reset their password there... but this will obviously cause a sync issue between the locally cached password on their laptops and the directory.
Is there any way to force this to update?
I know that one consultant in particular will be back in the office tomorrow.. so we can resolve his then.
The other normally doesn't work from the office though..

*edit* one of the guys in the office actually got the exact same issue.. I suspect it's to do with logging on with cached passwords.
Our VPN connections are only required if we need to do work - they aren't established prior to logons or anything like that.
Alright.. I've worked out how to deal with the local cached credentials syncing.

Get them to connect to VPN.
Log on to an internal server/workstation.
Change password when prompted.
Log off.
STAY CONNECTED to VPN.
Lock laptop screen.
Wait 10 minutes. Unlock with new password.

This should update the cached credentials on the laptop.
Honestly, that doesn't sound like a sound solution. Having users log into a second machine, waiting, syncing, etc. when the user should be able to do it at the console they are currently working on is where they should be able to change their password. If this is an issue with Microsoft and it isn't something that can be done, I am fine with that. I just don't understand why Microsoft's software doesn't allow some of the easiest things to make a user happy.

I would even consider using certificates if it is possible. Does anyone know of a way to integrate PKI / CA into this? Maybe all laptop users will use a CA stored on their laptop. The VPN client will need the CA and everyone uses a generic username and password to log in to VPN, having the CA that is installed verify their AD credentials.
Maybe this will help:

http://www.isaserver.org/img/upl/vpnkitbeta2/vpnclienteap.htm

There are a number of ways you can make certificate-based user authentication work with your ISA Server firewall/VPN server. The following scenario provides a very high level of security for a small or medium sized business:


An ISA Server firewall/VPN server is installed into a workgroup – the ISA Server firewall is not a member of any internal network domain
A Windows 2000/Windows Server 2003 domain controller is on the internal network. Windows Server 2003 is inherently more secure than Windows 2000
An enterprise Certificate Authority (CA) with its Web enrollment site is installed on the internal network – it is much easier to manage internal network user accounts in a domain based environment
An Internet Authentication Service Server (IAS Server) is located on a member server or domain controller on the internal network. Routing and Remote Access Policy is configured on the IAS Server to support EAP-TLS authentication
Set up the VPN Server to support RADIUS and EAP-TLS authentication
The VPN client is assigned a user certificate and the user certificate is bound to the VPN connectoid

To complete the entire procedure, please refer to and implement the procedures in the following ISA Server 2000 VPN Deployment Kit documents in order:


Installing and Configuring ISA Server 2000 on Windows Server 2003  
Configuring the Windows Server 2003 ISA Server 2000/VPN Server
Installing and Configuring a Windows Server 2003 Enterprise Certification Authority  
Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication
Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients
Configuring the VPN Client and Server to Support Certificate-Based PPTP EAP-TLS Authentication
ASKER CERTIFIED SOLUTION
RichJChristy

After discussing the CA integration with ActiveSync devices I decided to try the same method I mentioned above. It worked as I thought it would in theory. Loading the cert into the user's profile provided the authentication I was trying to achieve.