FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Sheikh (Staff)
Article Id 345160
Description This article describes how to allow changing an LDAP user account password via the self-service portal in FortiAuthenticator.
Scope

Windows Active Directory domain controllers; FortiAuthenticator: any version; web browser: any version.

Solution
This procedure applies in the following situations:

  • Domain users are to change their own password via the FortiAuthenticator self-service portal.
  • A domain user's password has expired and the user wants to renew it via the FortiAuthenticator self-service portal.
  • A newly created domain account has 'User must change password at next logon' set and the user must perform that change via the self-service portal.

 

Password change Pictorial representation.png

 

Complete the following tasks:

  • Join FortiAuthenticator to Active Directory domain.
  • Create Realms and import LDAP users/groups.
  • Enable and configure the self-service portal and related policies.
  • Access the self-service portal with an LDAP account and perform a password change.
  • Group policy settings on domain controllers and their explanation.
  • Troubleshooting steps, when unable to change LDAP account password via self-service portal.

 

The following conditions must be met to allow a password change via the self-service portal in FortiAuthenticator.

GUI user portal:

For this method to work, one of the following conditions must be met:

  • FortiAuthenticator has joined the Windows AD domain.
  • Secure LDAP (LDAPS) is enabled on the LDAP server entry.

Either option gives FortiAuthenticator a protected channel to the domain controller. Active Directory does not accept modifications of the unicodePwd attribute over an unencrypted LDAP connection, so a plain LDAP bind on port 389 is enough to authenticate the user but not to change the password; the domain join lets FortiAuthenticator perform the change through its Windows AD integration instead of over plain LDAP.

After successfully logging into the GUI, the user has access to the user portal and can change their password there.

Login to the FortiAuthenticator GUI console and start configuring the self-service portal with LDAP authentication.

 

 

LDAP settings and domain join.png

 

Ensure that FortiAuthenticator has joined the domain. Go to Monitor -> Authentication -> Windows AD. On the right-hand side, check that the agent is running and that the status shows the domain as joined and connected.

 

Domain Join Status.png

 

  • Create Realms and import LDAP users/groups: configure a realm that maps to the LDAP server created in the previous step. Expand Authentication -> User Management -> Realms and, on the right-hand side, select Create New.

 

Realms.png

 

  • Enter a name, select the LDAP server as the User source, and select Save.

 

Realms 2.png

 

  • Now import the LDAP groups into FortiAuthenticator for the self-service portal. Expand Authentication -> User Management -> Remote Users -> Import.

 

Import LDAP groups.png

 

Ensure that the LDAP server is selected, select 'Import users by group memberships', and select Import.

 

Import LDAP groups 2.png

 

 Select Users from the LDAP tree and select 'OK'.

Import LDAP groups 3 - Select Users.png

 

  • LDAP users are now imported into FortiAuthenticator.

 

Users Imported in FAC.png

  

  • Enable and configure the self-service portal and related policies. Expand System -> Network -> Interfaces, select the required interface, and select Edit.

 

Enable captive portal on Interface.png

 

  •  Toggle 'Captive Portals (/guests, /portal)' to enable portals on the interface and select Save.

 

Note:

Enabling or disabling captive portals restarts the web server service.

 

Enable captive portal on Interface-2.png

 

  • Expand Authentication -> Portals -> Portals and select 'Create New' to create a portal.

 

Portals.png

 

  •  Configure the required portal settings.

 

portal Settings.png

 

Create policies for the self-service portal. Expand Authentication -> Portals -> Policies, select Self-Service Portal, and select Create New.

 

Create Portal.png

 

  • Enter a name and select the portal created in the previous step.

 

Portal Policy Type.png

 

Note:

  • Note down the URL address shown in this step; it is needed to access the self-service portal: https://[FAC IP/FQDN]/portal/selfservice/Self_Service_Policies/
  • Select the realm (AD) created at the start of this document, and also select the LDAP group(s).

 

Select Identity Sources.png

 

  • Select Authentication factors.

 

Authentication Factors (Select password and OTP factors).png

 

At this stage, the self-service portal is configured and reachable by end users. To test it, log in with an LDAP account that was imported into FortiAuthenticator and perform a password change.

 

Note:

A DNS entry for the portal address can be created so that it is reachable by name rather than by IP address (optional).

 

  • Access the self-service portal with an LDAP account and perform a password change.

https://[FAC IP/FQDN]/portal/selfservice/Self_Service_Policies/

 

Portal Access.png

 

Password change.png

 

 Ensure that the new password matches the password policy configured on a domain controller.

 

Password change2.png

 

  • On the Domain controller, verify the password change for this user account (test1).
  • Log in to the Domain controller, select Start -> Run, type 'adsiedit.msc', select Action -> Connect to..., select OK, and open the properties of the LDAP user account (test1). The pwdLastSet attribute holds the time of the last password change as a Windows FILETIME (100-nanosecond intervals since 1 January 1601 UTC); a value of 0 means the user must change the password at next logon.

 

adsiedit verification.png

 

Note:

  • Because the users belong to a domain, Group Policy Objects (GPOs) with password policies may apply to them. If the domain enforces a password history (the GPO in this article keeps the last 10 passwords), a new password that matches any of those is rejected and the change fails.
  • The password policy may also set a minimum password length and complexity requirements; the new password must satisfy them.
  • The LDAP bind account configured in the FortiAuthenticator LDAP settings must have sufficient permissions in Active Directory, in particular on the Organizational Units (OUs) that contain the users.

As per Microsoft KB 906305 ('New setting modifies NTLM network authentication behavior'):

  • After a domain user successfully changes a password by using NTLM, the old password can still be used for network access for a user-defined period (60 minutes by default). This allows accounts that are logged on to multiple computers, such as service accounts, to keep network access while the password change propagates.
  • To change the lifetime of the old password, create the DWORD value OldPasswordAllowedPeriod (in minutes) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa on the domain controller.
  • Be careful when modifying the registry; an incorrect change can cause serious problems. Back it up first.

 The FortiAuthenticator RADIUS authentication debug log (https://[FAC IP/FQDN]/debug) shows the following entries for the portal login:

 

2024-09-28T18:42:48.941682+02:00 FortiAuthenticator radiusd[28931]: (63) Received Access-Request ID 3 from 127.0.0.1:46409 to 127.0.0.1:1812 length 95
2024-09-28T18:42:48.941749+02:00 FortiAuthenticator radiusd[28931]: (63) User-Name = "test1"
2024-09-28T18:42:48.941814+02:00 FortiAuthenticator radiusd[28931]: (63) NAS-IP-Address = 127.0.0.1
2024-09-28T18:42:48.941880+02:00 FortiAuthenticator radiusd[28931]: (63) NAS-Port = 20
2024-09-28T18:42:48.941898+02:00 FortiAuthenticator radiusd[28931]: (63) NAS-Identifier = "FAC_GUI:10"
2024-09-28T18:42:48.941923+02:00 FortiAuthenticator radiusd[28931]: (63) User-Password = <<< secret >>>
2024-09-28T18:42:48.941942+02:00 FortiAuthenticator radiusd[28931]: (63) Framed-IP-Address = 10.XX.XX.XX
2024-09-28T18:42:48.941969+02:00 FortiAuthenticator radiusd[28931]: (63) Message-Authenticator = 0x51c394f68e45db21e4c561133141985c
2024-09-28T18:42:48.942632+02:00 FortiAuthenticator radiusd[28931]: (63) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2024-09-28T18:42:48.942700+02:00 FortiAuthenticator radiusd[28931]: (63) authorize {
2024-09-28T18:42:48.942834+02:00 FortiAuthenticator radiusd[28931]: (63) [preprocess] = ok
2024-09-28T18:42:48.942865+02:00 FortiAuthenticator radiusd[28931]: (63) [chap] = noop
2024-09-28T18:42:48.942903+02:00 FortiAuthenticator radiusd[28931]: (63) [mschap] = noop
2024-09-28T18:42:48.942984+02:00 FortiAuthenticator radiusd[28931]: (63) [digest] = noop
2024-09-28T18:42:48.943047+02:00 FortiAuthenticator radiusd[28931]: (63) eap: No EAP-Message, not doing EAP
2024-09-28T18:42:48.943068+02:00 FortiAuthenticator radiusd[28931]: (63) [eap] = noop
2024-09-28T18:42:48.943112+02:00 FortiAuthenticator radiusd[28931]: (63) [expiration] = noop
2024-09-28T18:42:48.943144+02:00 FortiAuthenticator radiusd[28931]: (63) [logintime] = noop
2024-09-28T18:42:48.943231+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: facauth: recv Access-Request from 127.0.0.1 port 46409, id=3, length=95
2024-09-28T18:42:48.943260+02:00 FortiAuthenticator radiusd[28931]: User-Name = "test1"
2024-09-28T18:42:48.943286+02:00 FortiAuthenticator radiusd[28931]: NAS-IP-Address = 127.0.0.1
2024-09-28T18:42:48.943304+02:00 FortiAuthenticator radiusd[28931]: NAS-Port = 20
2024-09-28T18:42:48.943319+02:00 FortiAuthenticator radiusd[28931]: NAS-Identifier = "FAC_GUI:10"
2024-09-28T18:42:48.943332+02:00 FortiAuthenticator radiusd[28931]: User-Password: ******
2024-09-28T18:42:48.943349+02:00 FortiAuthenticator radiusd[28931]: Framed-IP-Address = 10.XX.XX.XX
2024-09-28T18:42:48.943367+02:00 FortiAuthenticator radiusd[28931]: Message-Authenticator = 0x51c394f68e45db21e4c561133141985c
2024-09-28T18:42:48.943390+02:00 FortiAuthenticator radiusd[28931]: Event-Timestamp = "Sep 28 2024 18:42:48 CEST"
2024-09-28T18:42:48.943413+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: ===>NAS IP:127.0.0.1
2024-09-28T18:42:48.943442+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: ===>Username:test1
2024-09-28T18:42:48.943467+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: ===>Timestamp:1727541768.940323, age:3ms
2024-09-28T18:42:48.944661+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Setting 'Auth-Type := FACAUTH'
2024-09-28T18:42:48.944735+02:00 FortiAuthenticator radiusd[28931]: (63) [facauth] = updated
2024-09-28T18:42:48.944784+02:00 FortiAuthenticator radiusd[28931]: Not doing PAP as Auth-Type is already set.
2024-09-28T18:42:48.944800+02:00 FortiAuthenticator radiusd[28931]: (63) [pap] = noop
2024-09-28T18:42:48.944817+02:00 FortiAuthenticator radiusd[28931]: (63) } # authorize = updated
2024-09-28T18:42:48.944854+02:00 FortiAuthenticator radiusd[28931]: (63) Found Auth-Type = facauth
2024-09-28T18:42:48.944885+02:00 FortiAuthenticator radiusd[28931]: (63) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-09-28T18:42:48.944902+02:00 FortiAuthenticator radiusd[28931]: (63) Auth-Type FACAUTH {
2024-09-28T18:42:48.945020+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Client type: external (subtype: self service)
2024-09-28T18:42:48.945048+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Input raw_username: test1 Realm: (null) username: test1
2024-09-28T18:42:48.945066+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Searching default realm as well
2024-09-28T18:42:48.945087+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Realm not specified, default goes to remote LDAP, ID: 7
2024-09-28T18:42:48.945150+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Loaded remote ldap (regular bind) 10.20.1.2:389
2024-09-28T18:42:48.946747+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: LDAP user found: test1
2024-09-28T18:42:48.946788+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-09-28T18:42:48.946811+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: password and otp]
2024-09-28T18:42:48.946832+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-09-28T18:42:48.946881+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Added Stripped-User-Name with value test1
2024-09-28T18:42:48.947601+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: check_user_lockout: fail_count=0 period=-1 reason=-1
2024-09-28T18:42:48.956186+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Try to bind with DN: CN=test1,OU=Users,OU=IT,DC=root,DC=local
2024-09-28T18:42:48.966058+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: wad authenticate binding successful
2024-09-28T18:42:48.966191+02:00 FortiAuthenticator radiusd[28931]: (63) Fauth: Remote LDAP user password authenticated
2024-09-28T18:42:48.967933+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Matched NAS groups (user list groups): 1
2024-09-28T18:42:48.968858+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: NAS groups (LDAP filter groups): 0
2024-09-28T18:42:48.969116+02:00 FortiAuthenticator radiusd[28931]: update_ip_lockout for (10.191.47.254): non-admin login attempt: locking_period=60 locking_reason=2
2024-09-28T18:42:48.969257+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Authentication OK
2024-09-28T18:42:48.969393+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Setting 'Post-Auth-Type := FACAUTH'
2024-09-28T18:42:48.969577+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Name: test1, fqdn: CN=test1,OU=Users,OU=IT,DC=root,DC=local, SAM: test1
2024-09-28T18:42:48.969772+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: update_fac_authlog:164 nas_str = FAC_GUI:10~10.191.47.254.
2024-09-28T18:42:48.971196+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: Updated auth log 'test1' for attempt from FAC_GUI:10~10.191.47.254: Remote LDAP user authentication from 10.191.47.254 with no token successful
2024-09-28T18:42:48.971620+02:00 FortiAuthenticator radiusd[28931]: (63) : facauth: print reply attributes of request id 3:
2024-09-28T18:42:48.971752+02:00 FortiAuthenticator radiusd[28931]: Message-Authenticator := 0x00
2024-09-28T18:42:48.972131+02:00 FortiAuthenticator radiusd[28931]: Fortinet-FAC-Auth-Status = "srvr:rldap:7 user_id:15 realm_id:10"
2024-09-28T18:42:48.972238+02:00 FortiAuthenticator radiusd[28931]: User-Name = "id=1:test1;DN:CN=test1,OU=Users,OU=IT,DC=root,DC=local;SAM:test1"
2024-09-28T18:42:48.972320+02:00 FortiAuthenticator radiusd[28931]: (63) [facauth] = ok
2024-09-28T18:42:48.972394+02:00 FortiAuthenticator radiusd[28931]: (63) } # Auth-Type FACAUTH = ok
2024-09-28T18:42:48.972486+02:00 FortiAuthenticator radiusd[28931]: (63) Using Post-Auth-Type FACAUTH
2024-09-28T18:42:48.972646+02:00 FortiAuthenticator radiusd[28931]: (63) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-09-28T18:42:48.972746+02:00 FortiAuthenticator radiusd[28931]: (63) Post-Auth-Type FACAUTH {
2024-09-28T18:42:48.972824+02:00 FortiAuthenticator radiusd[28931]: (63) facauth: User-Name: test1 (from request)
2024-09-28T18:42:48.972911+02:00 FortiAuthenticator radiusd[28931]: (63) [facauth] = ok
2024-09-28T18:42:48.973054+02:00 FortiAuthenticator radiusd[28931]: (63) } # Post-Auth-Type FACAUTH = ok
2024-09-28T18:42:48.973252+02:00 FortiAuthenticator radiusd[28931]: (63) Sent Access-Accept Id 3 from 127.0.0.1:1812 to 127.0.0.1:46409 length 147
2024-09-28T18:42:48.973358+02:00 FortiAuthenticator radiusd[28931]: (63) Message-Authenticator := 0x00
2024-09-28T18:42:48.973440+02:00 FortiAuthenticator radiusd[28931]: (63) Fortinet-FAC-Auth-Status = "srvr:rldap:7 user_id:15 realm_id:10"
2024-09-28T18:42:48.973567+02:00 FortiAuthenticator radiusd[28931]: (63) User-Name = "id=1:test1;DN:CN=test1,OU=Users,OU=IT,DC=root,DC=local;SAM:test1"
2024-09-28T18:42:48.973779+02:00 FortiAuthenticator radiusd[28931]: (63) Finished request

 

The excerpt is the user's login to the self-service portal, not the password change itself: the request comes from the GUI (NAS-Identifier FAC_GUI, client subtype 'self service'), is resolved through the default realm to the remote LDAP server, binds with the user's DN and ends in an Access-Accept. This bind uses plain LDAP on port 389 ('regular bind'), which is enough to authenticate the user; in this lab Secure LDAP is therefore not in use, and the password change itself depends on the domain join.

 In the FortiAuthenticator logs, the following entries are shown:

 

Password change successfully - FAC.png

 

Password change successfully 2 - FAC.png

 

 In the Domain controller event logs, event ID 4738 ('A user account was changed') is recorded in the Security log.

 

Event-D Password changed.png

 

  • Group policy settings on domain controllers. In this article, the following GPO (Group Policy Object) password policy settings are configured.

 

Password Policy.png  

  • This can also be verified with PowerShell, for example Get-ADDefaultDomainPasswordPolicy (or Get-ADUserResultantPasswordPolicy for a specific user, which returns a fine-grained password policy if one overrides the domain default for that user).

 

Password Policy - Powershell.png

 

Understand the password policies and how they affect LDAP password change requests, since they cause password change failures in specific situations.

 

Enforce password history:

This security setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This setting prevents users from cycling back to a previous password. The default is 24.

 

Maximum password age:

This setting determines the number of days a password can be used before it must be changed. The default is 42 days.

 

Minimum password age:

This setting determines the minimum amount of time a password must be kept before the user can change it. The default is 1 day. Administrators frequently misunderstand this policy. For example, if an admin or the user changes the password of an LDAP account, the user must keep it for at least one day; if the user tries to change it again on the same day, the domain password policy rejects the change. The restriction applies only to changes made by the user: a domain admin can still reset the same account's password from the Active Directory Users and Computers console.

 

Minimum password length:

This setting determines the least number of characters a password must contain. The default is 7.

 

Password must meet complexity requirements:

If enabled, passwords must meet these requirements:

  • Not contain the user's account name, or parts of the user's full name that exceed two consecutive characters.
  • Be at least six characters in length.
  • Contain characters from three of the following four categories:
      • English uppercase characters (A through Z).
      • English lowercase characters (a through z).
      • Base 10 digits (0 through 9).
      • Non-alphabetic characters (for example, !, $, #, %).

Complexity requirements are enforced when passwords are changed or created. Microsoft's current documentation also counts Unicode alphabetic characters that are neither uppercase nor lowercase (for example in Asian-language scripts) as a fifth category; three categories are still required.

This setting is enabled by default.
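The following is an added example, not code from this article or from Fortinet: a PowerShell pre-check of the complexity rule exactly as described above, so that a helpdesk can tell a user why a candidate password will be refused before it is typed into the self-service portal. The function name, the sample passwords and the display name 'Test One' are assumptions. Password history and minimum password age are enforced only by the domain controller and cannot be checked locally.

```powershell
# Added example, not code from the article or from Fortinet: a local pre-check of
# the complexity rule described above, written so that a helpdesk can explain why a
# candidate password will be refused before it is typed into the self-service portal.
# Assumptions: function name, sample passwords and the display name 'Test One'.
# Password history and minimum password age are enforced only by the domain
# controller and cannot be checked here.
function Test-PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisplayName = ''
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Must not contain the account name (comparison is case-insensitive).
    if ($Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $problems.Add("contains the account name '$SamAccountName'")
    }

    # Must not contain any part of the full name longer than two characters.
    # AD splits the name on commas, periods, dashes, underscores, spaces, '#' and tabs.
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($token.Length -gt 2 -and
            $Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $problems.Add("contains part of the full name '$token'")
        }
    }

    # At least six characters (the separate 'Minimum password length' setting may require more).
    if ($Password.Length -lt 6) { $problems.Add('is shorter than 6 characters') }

    # Characters from at least three categories: the four listed in the article,
    # plus Microsoft's fifth category (Unicode letters outside A-Z/a-z).
    $categories = 0
    if ($Password -cmatch '[A-Z]')            { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')            { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')            { $categories++ }   # base 10 digits
    if ($Password -match  '[^\p{L}\p{Nd}]')   { $categories++ }   # non-alphanumeric
    if ($Password -match  '[\p{L}-[A-Za-z]]') { $categories++ }   # other Unicode letters
    if ($categories -lt 3) {
        $problems.Add("uses only $categories character categories (3 required)")
    }

    [pscustomobject]@{
        Candidate = '*' * $Password.Length     # never echo the password itself
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# Constructed sample inputs for the article's test user.
Test-PasswordComplexity -Password 'Summer-test1' -SamAccountName 'test1' -DisplayName 'Test One'  # contains 'test1' and 'Test'
Test-PasswordComplexity -Password 'summer2024'   -SamAccountName 'test1' -DisplayName 'Test One'  # only 2 categories
Test-PasswordComplexity -Password 'Wq7!pLm2x#'   -SamAccountName 'test1' -DisplayName 'Test One'  # compliant
```

The function takes the candidate as a plain string for readability; in a real helpdesk tool read it with Read-Host -AsSecureString and convert it only inside the function, so the password does not end up in the shell history or in transcripts.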

 

Store passwords using reversible encryption:

This setting determines whether the operating system stores passwords using reversible encryption, which is effectively the same as storing them in plain text. Unless a specific application requires it, this policy should NEVER be enabled.

 

  • Troubleshooting steps when unable to change an LDAP account password via the self-service portal: some password policies are enabled by default in an Active Directory domain. As mentioned above, the minimum password age is the most commonly misunderstood of them and is set to one day by default. The following shows how it affects a password change via the self-service portal.

 

Password age 1 day.png

 

  • When a user who changed the password less than a day ago tries to change it again via the FortiAuthenticator self-service portal, the change fails.
  • It fails even though the new password is not one of the last 10 passwords, has more than 7 characters and meets the complexity requirements.

 

Failed password change.png

 

FAC Logs - Password change error.png

 

  • On the domain controller, the following entry was recorded in Event Viewer. The Subject is the administrator account configured in the FortiAuthenticator LDAP settings: although the password change was requested for user test1, the bind account is the one that performs the change on the domain controller, so it is the account that appears in the audit event. The end user who initiated the request is visible only in the FortiAuthenticator logs.

 

Unable to change password -EVENTID 4724.png

 

As per Microsoft's documentation for event 4724 ('An attempt was made to reset an account's password'):

  • This event is generated every time an account attempts to reset the password for another account.
  • For user accounts, this event is generated on domain controllers, member servers, and workstations.
  • For domain accounts, a Failure event is generated if the new password fails to meet the password policy.
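The following is an added example, not code from this article or from Fortinet, covering both the ADSI Edit verification step and the troubleshooting of a failed change. The helper functions turn the raw values seen in ADSI Edit (pwdLastSet) and in the password policy (minimum password age) into the answer a helpdesk needs: is a change allowed right now, and if not, since when? Get-FacPasswordChangeDiagnostics then performs the same check against a live domain and collects the 4724/4738 audit events for the user. All function names and the sample timestamp are assumptions, as is the presence of the RSAT ActiveDirectory module and a reachable domain controller for the live part.

```powershell
# Added example, not code from the article or from Fortinet. The helper functions
# turn the raw values seen in ADSI Edit (pwdLastSet) and in the password policy
# (minimum password age) into the answer a helpdesk needs: is a change allowed
# right now, and if not, since when? Get-FacPasswordChangeDiagnostics then does the
# same against a live domain and collects the 4724/4738 audit events for the user.
# Assumptions: all function names, the sample timestamp, and that the RSAT
# ActiveDirectory module and a reachable domain controller exist for the live part.

# pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
# 0 means 'User must change password at next logon'.
function ConvertFrom-PwdLastSet {
    param([Parameter(Mandatory)] [int64] $PwdLastSet)
    if ($PwdLastSet -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($PwdLastSet)
}

function Get-PasswordChangeWindow {
    param(
        [Parameter(Mandatory)] [int64]    $PwdLastSet,
        [Parameter(Mandatory)] [TimeSpan] $MinPasswordAge,
        [DateTime] $Now = [DateTime]::UtcNow
    )
    $lastSet = ConvertFrom-PwdLastSet $PwdLastSet
    if ($null -eq $lastSet) {
        # A forced change at next logon is always allowed.
        return [pscustomobject]@{ LastSetUtc = $null; AllowedAfterUtc = $null;
                                  ChangeAllowedNow = $true; Reason = 'pwdLastSet is 0: change required at next logon' }
    }
    $allowedAfter = $lastSet + $MinPasswordAge
    $allowed = $Now -ge $allowedAfter
    $reason = if ($allowed) { 'minimum password age satisfied' } else { "minimum password age of $($MinPasswordAge.TotalDays) day(s) not yet elapsed" }
    [pscustomobject]@{ LastSetUtc = $lastSet; AllowedAfterUtc = $allowedAfter;
                       ChangeAllowedNow = $allowed; Reason = $reason }
}

# Offline sample (constructed): test1 changed the password at 16:42:48 UTC on 2024-09-28
# (the time of the article's debug log), the GPO sets a 1-day minimum age, and the
# second change is attempted six hours later. Expected: ChangeAllowedNow = False.
$sampleLastSet = [DateTime]::new(2024, 9, 28, 16, 42, 48, [DateTimeKind]::Utc).ToFileTimeUtc()
Get-PasswordChangeWindow -PwdLastSet $sampleLastSet -MinPasswordAge ([TimeSpan]::FromDays(1)) `
    -Now ([DateTime]::new(2024, 9, 28, 22, 42, 48, [DateTimeKind]::Utc))

# Live check: run on a domain controller or on a host with RSAT and audit-log read rights.
function Get-FacPasswordChangeDiagnostics {
    param([Parameter(Mandatory)] [string] $SamAccountName, [int] $Hours = 24)
    Import-Module ActiveDirectory -ErrorAction Stop

    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordExpired
    # A fine-grained password policy, if one applies to the user, overrides the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    $window = Get-PasswordChangeWindow -PwdLastSet ([int64]$user.pwdLastSet) -MinPasswordAge $policy.MinPasswordAge

    # 4724: reset attempted by another account (the FortiAuthenticator bind account is the Subject,
    # and the event is 'Audit Failure' when the new password violates policy); 4738: account changed.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724, 4738; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -eq $SamAccountName) {
                [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id
                                   Result = ($_.KeywordsDisplayNames -join ',')
                                   Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])" }
            }
        }

    [pscustomobject]@{
        User              = $user.SamAccountName
        PasswordExpired   = $user.PasswordExpired
        PolicySource      = $policy.DistinguishedName
        MinPasswordAge    = $policy.MinPasswordAge
        MinPasswordLength = $policy.MinPasswordLength
        HistoryCount      = $policy.PasswordHistoryCount
        Complexity        = $policy.ComplexityEnabled
        ChangeAllowedNow  = $window.ChangeAllowedNow
        Reason            = $window.Reason
        RecentEvents      = @($events)
    }
}
# Example: Get-FacPasswordChangeDiagnostics -SamAccountName 'test1'
```

Before relying on RecentEvents, confirm that the audit subcategory is enabled with `auditpol /get /subcategory:"User Account Management"`, which should report Success and Failure. Because the Subject of a 4724 event is the bind account rather than the end user, correlate the events by TargetUserName and time with the FortiAuthenticator log entries shown earlier to identify who actually requested the change.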

 

Note:

Using the domain administrator account in the FortiAuthenticator LDAP settings is not recommended. Use a dedicated account with only the rights it needs, as described in the FortiAuthenticator administration guide under 'Configure minimum privilege Windows AD user account'.

 

For events 4724 and 4738 to be recorded on a Microsoft domain controller, the 'Audit User Account Management' subcategory (Advanced Audit Policy Configuration -> Account Management) must be enabled for both Success and Failure; the Failure event is what identifies a rejected password change. The audit configuration used in this article is shown below.

 

Advanced Auditing.png

 

Related articles:

Technical Tip: How to allow an LDAP user to change password at first logon or renew an expired passw...
Technical Tip: How to allow LDAP user to change password at first logon or renew expired password vi...