Has anyone successfully configured a SonicWall VPN appliance to be able to reset expired AD account passwords? We currently are having an issue when remote people log in to the Global VPN Client and their password is expired in AD: it will prompt them to enter a new password and then will reconnect. The issue is when they attempt to sign in with the new password it says the password is wrong, and if they enter the old password it goes through the expired password prompts again. So basically it is like the SonicWall is not writing the new password to AD for the user. I have it configured to use LDAP for authentication and am using TLS and the Domain Admin account to bind to LDAP. Is RADIUS required in order to make this happen? We don’t have it set up and would like to get it working with just LDAP if possible.
Thanks!
Set this up on an FG a while ago, needed RADIUS.
Edit:
https://www.sonicwall.com/support/knowledge-base/unable-to-change-expired-password-via-netextender/170505269955697/
Create the user you’ll bind with. Make it a member of Domain Users, Domain Admin.
Delegate access to a svc account instead.
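Added example, not from this thread or from SonicWall: delegating only the "Reset Password" extended right on one OU to a dedicated bind account, so the appliance does not need a Domain Admin credential. It assumes the appliance performs the change with the bind account (as the delegation advice above implies), and the OU and account names are placeholders.

```powershell
# Least-privilege delegation for an LDAPS bind account used by a VPN appliance.
# Instead of Domain Admins membership, grant the service account only the
# User-Force-Change-Password ("Reset Password") extended right on user objects
# beneath the OU that holds the remote users. Run as a user allowed to edit
# the OU's ACL (for example a member of Domain Admins, once, at setup time).
Import-Module ActiveDirectory

$ou  = "OU=Remote Users,DC=example,DC=com"   # placeholder OU
$svc = Get-ADUser -Identity "svc-vpn-ldap"    # placeholder service account

# Well-known schema GUIDs: the Reset Password control access right and the
# 'user' object class, so the right applies only to user objects, not to
# computers, groups or the OU itself.
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userObjectClass    = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$acl = Get-Acl -Path "AD:\$ou"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$svc.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: the service account should now appear with exactly one ExtendedRight
# ACE on the OU, and should NOT be a member of any privileged group.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*svc-vpn-ldap*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
Get-ADPrincipalGroupMembership -Identity $svc | Select-Object Name
```

If the appliance still reports the new password as wrong after this, the bind account's rights are not the problem and the transport (LDAPS vs plain LDAP) or the appliance's own password-change support is the next thing to check.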
I think you need to use LDAPS instead of LDAP in order to get password changes to work.
You're not gonna make it work. We have to make people who require password changes log into OWA to do resets, just like Microsoft won't let you change your password if you're using an RDP gateway. Stupid, I know, but that expired password prompt is for local accounts; for domain accounts it does exactly what you describe.
We see that same issue, using NetExtender and an SMA.
But, if you do the password change, close the VPN client and wait about 2 minutes, you can log in with the new password.
Have not resolved why yet.
Either open up OWA to allow password management or purchase a third-party AD self-service product; there are a few out there.
Sorry, I am using LDAPS not just plain LDAP. I went through the Cert install and have TLS checked.
The other settings we are using are:
- RADIUS in
- MSCHAPv2
- User auth method: LDAP + Local Users
Are you able to verify that the LDAP test for authentication works?
Yep, LDAPS Test Authentication works fine; that is how I am authenticating users to the VPN. So you have RADIUS configured? That is what I did not do. Only LDAPS is configured. Was hoping that is enough to be able to allow for password changes since I am using LDAPS with the Domain Admin as the binding account, but it appears you need to set up RADIUS as well.