Description
This article provides basic guidelines and verification steps for setting up the following functionality with Active Directory.
FortiGate is able to process an expired password renewal for LDAP users during the user's login (e.g. with SSL-VPN).
Disclaimer:
The LDAP renewal method is designed to replace (reset) the user password, meaning the Active Directory password policy will not be enforced. For example, users may reuse the same password or use old ones.
Alternatively, use RADIUS authentication with password-renewal instead of LDAP, which will follow the password policy.
For limitations on LDAP and detailed guidance, contact Microsoft support.
Scope
Standard LDAP authentication is already configured and functional (except for the password renewal feature).
The section describing configuration changes within Active Directory is for informational purposes only.
It was tested with a default domain configuration in a domain running on Windows Server 2016.
If there are issues with setting or verifying the password reset delegation, refer to the Windows/Active Directory support contact, as troubleshooting Active Directory configurations is out of the scope of Fortinet TAC.
Solution
- Delegate the password reset rights for the LDAP account used by the FortiGate in Active Directory.
- Open Active Directory Users and Computers (aka ADUC, aka dsa.msc).
Navigate to the Organizational Unit (OU) that contains the users, select it, and select the option 'Delegate Control...'.
Note.
The password reset rights will apply only to users in the selected OU.
- The Delegation of Control Wizard will open, press 'Next'.
On the 'Users and Groups' screen, select 'Add', and then add the LDAP account used by the FortiGate, or a group it belongs to, confirm with 'OK', and then select 'Next'.
- On the 'Tasks to Delegate' screen, select the option 'Reset user passwords and force password change at next logon' and then select 'Next'.
- On the final screen, select 'Finish' to apply the change.
- Verify that the password reset delegation is functional.
The below method is only one example of such verification.
Other methods can be used as well, as long as they demonstrate the ability of the FortiGate's LDAP account to reset user passwords.
- Obtain the full distinguished name of a test user. In this example: 'CN=John Doe,OU=usr,DC=testdomain,DC=lab'.
- Start PowerShell with the credentials of the FortiGate LDAP account (do not use the currently logged-in user, or another account, otherwise the results will not be representative).
- Run the following commands to attempt a password change:
# Bind to the test user via ADSI; the bind runs as the account that started PowerShell
$test = [adsi]"LDAP://CN=John Doe,OU=usr,DC=testdomain,DC=lab"
# SetPassword is an administrative reset: it needs no old password, only the delegated right
$test.psbase.invoke("SetPassword","NewPassword1234#")
$test.psbase.CommitChanges()
If the attempt is successful, there should be an empty response to the commands.
Proceed to verify that the password has been updated (e.g. login with the new password to some system, or start some application with the user account).
If the attempt fails, review the error message. An example of an error may look like this:
Exception calling 'Invoke' with '2' argument(s): 'Access is denied. (Exception from HRESULT: 0x80070005(E_ACCESSDENIED))'.
Important.
Do not proceed further until the verification is successful.
Permission issues cannot be resolved by any configuration on the FortiGate, so this step must succeed first; otherwise, the password change via FortiGate will not work.
If there are issues with setting the delegation rights or the confirmation, refer to the Windows/Active Directory support contact.
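The verification above, as an added example that is not part of the original article: a PowerShell function that attempts the same administrative reset while binding explicitly as the FortiGate LDAP account (so it can be run from any domain-joined workstation rather than from a PowerShell session started as that account), distinguishes a missing delegation (HRESULT 0x80070005) from other failures, and confirms the reset by binding as the target user with the new password. The DN, account name and passwords are assumed placeholders.

```powershell
# Added example (not from the original article): verify the delegation by binding as the
# FortiGate LDAP account explicitly, instead of starting PowerShell as that account.
# All names and values below are assumed placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Test-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)][string]$TargetUserDn,         # e.g. 'CN=John Doe,OU=usr,DC=testdomain,DC=lab'
        [Parameter(Mandatory)][string]$NewPassword,
        [Parameter(Mandatory)][pscredential]$LdapCredential  # FortiGate LDAP account, e.g. TESTDOMAIN\fortigate-ldap
    )
    $secure = [System.DirectoryServices.AuthenticationTypes]::Secure
    $net    = $LdapCredential.GetNetworkCredential()
    $user   = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList `
        "LDAP://$TargetUserDn", $LdapCredential.UserName, $net.Password, $secure
    try {
        # SetPassword is an administrative reset: the old password is not needed, so the
        # call succeeds only if the bind account holds 'Reset password' on this object.
        $user.psbase.Invoke("SetPassword", $NewPassword)
        $user.psbase.CommitChanges()
    }
    catch {
        # Walk to the innermost exception; E_ACCESSDENIED (0x80070005) means the
        # delegation is missing or does not cover the OU that holds this user.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $hr = '{0:X8}' -f $inner.HResult
        if ($hr -eq '80070005') { Write-Warning "Delegation missing: '$($LdapCredential.UserName)' cannot reset $TargetUserDn" }
        else                    { Write-Warning "Reset failed with HRESULT 0x$hr : $($inner.Message)" }
        return $false
    }
    # Confirm the reset took effect: bind as the target user with the new password.
    $sam   = [string]$user.psbase.Properties['sAMAccountName'].Value
    $logon = if ($net.Domain) { "$($net.Domain)\$sam" } else { $sam }
    $check = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList `
        "LDAP://$TargetUserDn", $logon, $NewPassword, $secure
    try {
        $null = $check.psbase.NativeObject   # forces the bind; throws on bad credentials
        Write-Host "OK: reset succeeded and '$logon' can log on with the new password"
        return $true
    }
    catch {
        Write-Warning "Reset reported success, but a bind as '$logon' with the new password failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (prompts for the FortiGate LDAP account's password):
Test-PasswordResetDelegation -TargetUserDn 'CN=John Doe,OU=usr,DC=testdomain,DC=lab' `
    -NewPassword 'NewPassword1234#' -LdapCredential (Get-Credential 'TESTDOMAIN\fortigate-ldap')
```

A return value of $false together with the 'Delegation missing' warning corresponds to the 'Access is denied' error shown above and means the delegation step must be revisited before touching the FortiGate configuration.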
- Enable the password renewal functionality for the LDAP server (CLI only):
config user ldap
    edit "testdomain"
        set server "10.109.51.52"
        set cnid "sAMAccountName"
        set dn "dc=testdomain,dc=lab"
        set type regular
        set username "TESTDOMAIN\\fortigate-ldap"
        set password ENC ###
        set secure ldaps    # <-- Mandatory: Active Directory requires LDAP over TLS (LDAPS) for the password change operation.
        set port 636
        set password-renewal enable
    next
end
Verification.
Perform a test LDAP authentication attempt with an LDAP account that has an already expired password.
Alternatively, enable 'User must change password at next logon' for the account to manually force the change.
The syntax of the test command is as follows:
diagnose test authserver LDAP <LDAP-server-name> <username> <current-password>
Replace <LDAP-server-name> with the name of the LDAP server object in the FortiGate configuration (the entry name under 'config user ldap').
If the delegation was configured correctly, the CLI prompts for the new password twice (the second time for confirmation) and then prints a success line followed by the group membership of the user as returned by the LDAP server.
dia test authserver ldap testdomain jdoe OldPassword1234
New Password:********
Confirm Password:********
authenticate 'jdoe' against 'testdomain' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=testdomain,DC=lab
If the delegation is not configured correctly, or if the user is located in a different OU for which the FortiGate LDAP account does not have password reset rights, the password change attempt will instead fail with the following message:
dia test authserver ldap testdomain jdoe OldPassword1234#
New Password:**********
Confirm Password:**********
authenticate 'jdoe' against 'testdomain' failed!
Reversal.
If for any reason the user needs to remove the password reset rights, follow these steps:
- Open 'Active Directory Users and Computers', select the relevant OU, and then select 'Properties'.
- In the Security tab, select the FortiGate LDAP account in the list, select the 'Remove' button, and finally confirm the change with 'OK'.