Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ThomasC
New Contributor

AD password reset via SSL VPN with service account

Hi everyone,

 

FG VM in 7.4.1

AD 2022 STD

 

I Tried to configure this feature :

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-pri...

 

I followed the procedure correctly, but when i try i get an error "access denied".

With admin account it works, with service account with "domain admin" rights it works. 

I tried multiples configs, contact the support, but the answer is : contact microsoft support, the docs is here just to inform that Fortinet support this feature.

 

Has anyone successfully configured this feature ? What are the correct rights to accord to the service account ?

 

Thank you !

 

FortiGate 

8 REPLIES 8
ozkanaltas
Valued Contributor III

Hello ThomasC,

 

If I understand correctly.You want change user password via ssl-vpn but you don't want to give admin rights to service account.

 

You can see in this document note. If you want change user password via ssl-vpn, you have to configure ldap with admin user or you should give password change permission for this service user.

"The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server."

 

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/688719/ssl-vpn-with-ldap-use...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
ThomasC

Hello Ozkanaltas,

 

"If I understand correctly.You want change user password via ssl-vpn but you don't want to give admin rights to service account." : Yes, that's it

 

According to your quote, "The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server." : I have delegated the proper rights for reseting user's password to my service account, according to the doc in my first message (https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-pri...)

 

Regards,

Thomas

Sheikh
Staff
Staff

Hello @ThomasC ,

 

Have you checked the domain Group policy settings, I have seen sometimes if the GPO is configured with following settings enabled, users cannot change password in the same day.

 

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimu...

 

"The Minimum password age policy setting determines the period of time (in days) that a password must be used before the user can change it."

 

Also please check this technical document to allow allow LDAP user to change password at first logon or renew expired password via SSL VPN with FortiGa...

 

regards,

 

Sheikh

 

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
ThomasC
New Contributor

Hello @Sheikh,

 

"Have you checked the domain Group policy settings, I have seen sometimes if the GPO is configured with following settings enabled, users cannot change password in the same day."

Yes i also thought about this point. This is a lab, so this settings is configured at "0" and password history is at "0" too. 

 

"Also please check this technical document to allow allow LDAP user to change password at first logon or renew expired password via SSL VPN with FortiGa... "

I have already check this tech doc, and also enabled these settings (password-expiry-warning and password-renewal).

 

Regards,

Thomas


 

Sheikh

Hello @ThomasC,

 

You might also need to check that the service account has correct privileges/permissions on the OU and the user account object as well. You can try to disable permissions inheritance from the OU or user account (who is unable to change password) and then re-enable it.

 

https://learn.microsoft.com/en-us/answers/questions/82177/user-account-security-inheritance-being-di...

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
ThomasC
New Contributor

@Sheikh 

 

"You might also need to check that the service account has correct privileges/permissions on the OU and the user account object as well." :

According to the privilege/permissions listed in this doc https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-pri... , my service account has correct rights. 

 

"You can try to disable permissions inheritance from the OU or user account (who is unable to change password) and then re-enable it." :

I just tried this now on the OU, and the issue is still there. 

 

Regards,

Thomas

Sheikh

Hello @ThomasC 

 

What do you see in the FortiGate logs and also on the Domain controller (Event viewer, when a user tries to change password ?

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
ThomasC
New Contributor

@Sheikh 

 

On the DC, in the security event viewer, just see an error mentionning "The specified account's password has expired.". After this log, no other errors. I can see a "Credential validation" log or a "Special Logon" log for the service account.

 

In the FortiGate log, the only place where there is log about this is in VPN SSL log. I just see "SSL User failed to log in".

In debug, i see that :

[1014] fnbamd_ldap_parse_response-Error 50(00000005: SecErr: DSID-031A11EF, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
)

This log line confirms the error message obtained via the portal or the VPN client, and confirms that the rights mentionned in this doc are not sufficent for reseting user's passwords : https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-pri...

 

Regards,

Thomas

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors