ThomasC
Explorer
December 12, 2023
Question

AD password reset via SSL VPN with service account

  • December 12, 2023
  • 2 replies
  • 4888 views

Hi everyone,

 

FG VM in 7.4.1

AD 2022 STD

 

I tried to configure this feature:

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-privileges-for-ldap-admin-account-authentication-in-active-directory

 

I followed the procedure correctly, but when I try, I get an "access denied" error.

With the admin account it works; with a service account that has "domain admin" rights it also works.

I tried multiple configs and contacted support, but the answer was: contact Microsoft support, the doc is only there to inform that Fortinet supports this feature.

 

Has anyone successfully configured this feature? What are the correct rights to grant to the service account?

 

Thank you !

 

FortiGate 

2 replies

ozkanaltas
Valued Contributor III
December 12, 2023

Hello ThomasC,

 

If I understand correctly, you want to change user passwords via SSL VPN, but you don't want to give admin rights to the service account.

 

You can see the note in this document. If you want to change user passwords via SSL VPN, you have to configure LDAP with an admin user, or you should give password change permission to this service user.

"The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server."

 

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/688719/ssl-vpn-with-ldap-user-password-renew
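As an added example, not code from the Fortinet documentation or from either poster: the "delegated permissions" the quoted note refers to, applied with PowerShell and the ActiveDirectory module's AD: drive instead of the Delegation of Control wizard. The bind account, domain and OU names are assumptions. The Reset Password control access right is what an LDAP client needs to replace unicodePwd on another user; write access to pwdLastSet is included as an assumption about the attribute list in the least-privilege document linked in the question, so check it against your FortiOS version.

```powershell
# Added example (not Fortinet's or the poster's code): delegate only the rights a
# FortiGate LDAP bind account needs to renew user passwords, scoped to one OU.
# Account, domain and OU names below are assumptions; change them to match your lab.
Import-Module ActiveDirectory

$ServiceAccount = 'LAB\svc-fgt-ldap'              # assumed: bind account, member of Domain Users only
$TargetOU       = 'OU=VPN Users,DC=lab,DC=local'  # assumed: OU that holds the SSL VPN users

# Well-known schema GUIDs; identical in every AD forest.
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "user" class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute (assumed to be required)

$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
# Descendents = child objects only; the OU object itself gets nothing.
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Rule 1: the Reset Password extended right, inherited by user objects under the OU.
$resetRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $ResetPasswordGuid, $descendants, $UserClassGuid)

# Rule 2: read and write pwdLastSet on those same user objects.
$pwdLastSetRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $PwdLastSetGuid, $descendants, $UserClassGuid)

$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($resetRule)
$acl.AddAccessRule($pwdLastSetRule)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Show exactly what was written, so the delegation can be reviewed before the
# FortiGate LDAP server entry is pointed at this account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType,
                  InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

Reset Password over every user under the OU is account-takeover capability for whoever holds the bind credential, so keep the OU scope to the SSL VPN population, keep the account out of every other group, and configure the FortiGate LDAP server entry with LDAPS (port 636) so that credential and the users' new passwords never cross the wire in clear text.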

ThomasC (Author)
Explorer
December 12, 2023

Hello Ozkanaltas,

 

"If I understand correctly.You want change user password via ssl-vpn but you don't want to give admin rights to service account." : Yes, that's it

 

According to your quote, "The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server." : I have delegated the proper rights for resetting users' passwords to my service account, according to the doc in my first message (https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-privileges-for-ldap-admin-account-authentication-in-active-directory)

 

Regards,

Thomas

Sheikh
Staff
December 12, 2023

Hello @ThomasC ,

 

Have you checked the domain Group Policy settings? I have seen that sometimes, if the GPO is configured with the following setting enabled, users cannot change their password on the same day.

 

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-age

 

"The Minimum password age policy setting determines the period of time (in days) that a password must be used before the user can change it."

 

Also, please check this technical document to allow an LDAP user to change their password at first logon or renew an expired password via SSL VPN with FortiGate.

 

regards,

 

Sheikh

 

ThomasC (Author)
Explorer
December 12, 2023

Hello @Sheikh,

 

"Have you checked the domain Group Policy settings? I have seen that sometimes, if the GPO is configured with the following setting enabled, users cannot change their password on the same day."

Yes, I also thought about this point. This is a lab, so this setting is configured at "0" and password history is at "0" too.

 

"Also, please check this technical document to allow an LDAP user to change their password at first logon or renew an expired password via SSL VPN with FortiGa..."

I have already checked this tech doc, and also enabled these settings (password-expiry-warning and password-renewal).

 

Regards,

Thomas


 

Sheikh
Staff
December 12, 2023

Hello @ThomasC,

 

You might also need to check that the service account has the correct privileges/permissions on the OU and on the user account object as well. You can try disabling permission inheritance on the OU or the user account (the one that is unable to change its password) and then re-enabling it.

 

https://learn.microsoft.com/en-us/answers/questions/82177/user-account-security-inheritance-being-disabled-a

 

regards,

 

Sheikh
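To check the advice above on the user object that actually fails, here is an added example that is not from the Fortinet documentation or from either poster. It lists the ACEs that name the bind account on that one user, reports whether the Reset Password right and write access to pwdLastSet are present, and flags the two conditions under which a correct OU-level delegation never reaches an object: inheritance disabled on the object, and adminCount=1. The second is the usual culprit when a "domain admin" service account works but a least-privilege one does not: members of protected groups such as Domain Admins are stamped adminCount=1, and SDProp periodically rewrites their ACL from AdminSDHolder with inheritance disabled, so the test user for this feature must be a plain user. Account and user names are assumptions.

```powershell
# Added example (not Fortinet's or the poster's code): inspect what the FortiGate bind
# account holds on one specific user object and why an OU delegation might not apply.
# Account and user names are assumptions.
Import-Module ActiveDirectory

function Test-FortiGateResetDelegation {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,     # e.g. 'LAB\svc-fgt-ldap'
        [Parameter(Mandatory)] [string] $UserSamAccountName  # the SSL VPN user that gets "access denied"
    )
    $ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
    $PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
    $extendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $writeProperty     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $user = Get-ADUser -Identity $UserSamAccountName -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # ACEs that name the bind account directly (explicit or inherited). Rights that
    # arrive through group membership are not expanded here.
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount })

    # An all-zero ObjectType means "all extended rights" / "all properties".
    $hasReset = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
    $hasPwdLastSet = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProperty) -ne 0) -and
        ($_.ObjectType -eq $PwdLastSetGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
    $denies = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

    [PSCustomObject]@{
        User                     = $user.DistinguishedName
        ServiceAccount           = $ServiceAccount
        HasResetPassword         = [bool]$hasReset
        HasWritePwdLastSet       = [bool]$hasPwdLastSet
        ExplicitDenies           = $denies.Count
        # True: inheritance is disabled on this object, so a delegation placed on the
        # parent OU never arrives. Toggling inheritance off and on rebuilds the inherited ACEs.
        InheritanceBlocked       = $acl.AreAccessRulesProtected
        # True: the object is in AdminSDHolder's scope (member of a protected group).
        # SDProp will keep resetting its ACL, so OU-level delegation cannot stick.
        ProtectedByAdminSDHolder = ($user.adminCount -eq 1)
    }
}

# Example call with the assumed names:
# Test-FortiGateResetDelegation -ServiceAccount 'LAB\svc-fgt-ldap' -UserSamAccountName 'jdoe'
```

If HasResetPassword is false while the same ACE shows up on the OU, look at InheritanceBlocked and ProtectedByAdminSDHolder before touching the delegation again; if both are false and an explicit Deny is listed, the Deny wins over any Allow and has to be removed from wherever it is inherited.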