Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Sonicwall SSLVPN, Active Directory, password changes & LDAP / TLS ? [message #155527] Mon, 01 June 2009 13:42
lanwench (United States)
Messages: 1684
Registered: July 2009
Senior Member
Hi all -

I have a client with a W2003 AD domain and we've recently implemented a
password policy. However, it's causing grief for remote users who access
Terminal Services via a Sonicwall SSL-VPN appliance.

I'm trying to allow password changes (forced "..on next login" as well as
regular expiration) to work through the SonicWALL SSLVPN, and it ain't
working through the native Active Directory integrated
connection/passthrough.

On the advice of a tech, I configured the Sonicwall with another "domain"
(connection) type (LDAP) which has a checkbox to allow for password
changes. A test user can connect and log into AD just fine through
there...unless I tick the box for "user must change password" in ADUC. At
that point the Sonicwall login returns a generic "bad login name or
password" message.

The Sonicwall tech I've been working with suggested we might need LDAPS
(LDAP+TLS), with which I have zero experience. I've seen 321051, but we
don't have a public SSL cert and none of the servers (DCs or TS box) are
directly exposed/published to the Internet anyway. If we have to buy a cert
I don't mind, but I don't know what the ___ I'd do with it if I had one.

I'm having a hard time getting my brain wrapped around this and would
greatly appreciate some advice!

Environment:
W2003 AD, SP1 and SP2
Re: Sonicwall SSLVPN, Active Directory, password changes & LDAP / TLS ? [message #155528 is a reply to message #155527] Mon, 01 June 2009 15:10
Joe Kaplan (United States)
Messages: 88
Registered: July 2009
Member
I would not expect SSL to help with this. In normal LDAP programming, if
the user has "change password at next logon" set, an LDAP bind
authentication for that user will fail with the error you are getting. The
only supported mechanism that I know of that allows change password at next
logon to work is an interactive logon, which is not the same as what happens
in LDAP at all.

I'm not sure if you'll come up with a good solution for this or not, but I
would tend to expect the vendor to have a better understanding of how their
product works and should behave here.

SSL DOES make password changes using ADSI possible, but it does not allow
the initial bind operation to actually work. I'm guessing that the former
point may have something to do with the confusion related to this.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: Sonicwall SSLVPN, Active Directory, password changes & LDAP / TLS ? [message #155545 is a reply to message #155527] Mon, 01 June 2009 21:02
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
Interesting catch-22 here. And based on what Joe offered, and the fact that the SonicWall techs can't figure it out, I'm thinking or willing to bet that an account setting for a user to 'change password at next login' may not be supported and the techs don't know that. <grin>

I've used a SonicWall appliance once with SSLVPN, but we made sure a new user logs on in the office first, gets their desktop, etc, before throwing 'em out in the field. But for expiration, from what I remember, when they logon and the policy reaches the expiration countdown, the next time they logon they get prompted to change it, but they change it within Windows, not the appliance connection. So in essence, it is just a pass-through that didn't support, nor if I know it supports, the ability to let the user know or to allow the initial connection to allow the user to change it.

However, trying to look this thing up using "the Google" (I like that term!), I found a new feature in SonicWall (or was it an old feature? I don't know), that supports a one time password thing that emails the user a password, and they use that as a one time connection to the appliance allowing them connectivity into the network. Not sure if this will work for you or not. You can take a peek at it, FWIW:
http://www.sonicwall.com/downloads/Configuring_SonicWALL_SSL_VPN_One_Time_Passwords.pdf

I also found and looked through the following to see if it supports or at least speaks of this ability (to allow users to change at first shot), but it's too general. I'm sure you probably have a hard copy of this.
http://www.sonicsys.com/downloads/SonicWALL_SSL_VPN_Administrators_Guide.pdf

Other than that, sorry kiddo, wish I could be more helpful.
Good luck!

Ace