Hi everyone,
FG VM in 7.4.1
AD 2022 STD
I tried to configure this feature:
I followed the procedure correctly, but when I try, I get an "access denied" error.
With the admin account it works; with a service account that has "domain admin" rights it works.
I tried multiple configs and contacted support, but the answer was: contact Microsoft support, the docs are there just to inform that Fortinet supports this feature.
Has anyone successfully configured this feature? What are the correct rights to grant to the service account?
Thank you !
Hello ThomasC,
If I understand correctly, you want to change the user password via SSL-VPN, but you don't want to give admin rights to the service account.
You can see this note in the document. If you want to change a user password via SSL-VPN, you have to configure LDAP with an admin user, or you should give the password change permission to this service user.
"The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server."
Hello Ozkanaltas,
"If I understand correctly, you want to change the user password via SSL-VPN, but you don't want to give admin rights to the service account.": Yes, that's it.
According to your quote, "The LDAP user must either be an administrator, or have the proper permissions delegated to it, to be able to change passwords of other registered users on the LDAP server.": I have delegated the proper rights for resetting users' passwords to my service account, according to the doc in my first message (https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-pri...)
Regards,
Thomas
Hello @ThomasC ,
Have you checked the domain Group Policy settings? I have seen that sometimes, if the GPO is configured with the following setting enabled, users cannot change their password on the same day.
"The Minimum password age policy setting determines the period of time (in days) that a password must be used before the user can change it."
Also please check this technical document to allow an LDAP user to change password at first logon or renew an expired password via SSL VPN with FortiGa...
regards,
Sheikh
Hello @Sheikh,
"Have you checked the domain Group Policy settings? I have seen that sometimes, if the GPO is configured with the following setting enabled, users cannot change their password on the same day."
Yes, I also thought about this point. This is a lab, so this setting is configured at "0" and the password history is at "0" too.
"Also please check this technical document to allow an LDAP user to change password at first logon or renew an expired password via SSL VPN with FortiGa..."
I have already checked this tech doc, and I have also enabled these settings (password-expiry-warning and password-renewal).
Regards,
Thomas
Hello @ThomasC,
You might also need to check that the service account has the correct privileges/permissions on the OU and on the user account object as well. You can try to disable permission inheritance on the OU or on the user account (the one that is unable to change its password) and then re-enable it.
regards,
Sheikh
"You might also need to check that the service account has the correct privileges/permissions on the OU and on the user account object as well.":
According to the privileges/permissions listed in this doc https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-pri... , my service account has the correct rights.
"You can try to disable permission inheritance on the OU or on the user account (the one that is unable to change its password) and then re-enable it.":
I just tried this on the OU, and the issue is still there.
Regards,
Thomas
Hello @ThomasC
What do you see in the FortiGate logs and also on the domain controller (Event Viewer) when a user tries to change their password?
regards,
Sheikh
On the DC, in the Security event log, I just see an error mentioning "The specified account's password has expired.". After this log, there are no other errors. I can see a "Credential validation" log or a "Special Logon" log for the service account.
In the FortiGate logs, the only place where there is a log about this is the SSL VPN log. I just see "SSL User failed to log in".
In debug, I see this:
[1014] fnbamd_ldap_parse_response-Error 50(00000005: SecErr: DSID-031A11EF, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
)
This log line matches the error message obtained via the portal or the VPN client, and confirms that the rights mentioned in this doc are not sufficient for resetting users' passwords: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/631824/configuring-least-pri...
Regards,
Thomas
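As an added check, not code from the thread or from Fortinet's documentation, this PowerShell audit lists the ACEs the FortiGate bind account holds on the user OU and on one user object, and flags whether the Reset Password extended right is present and inherited by user objects; the account name, OU DN and user name are assumptions.

```powershell
# Added example (not from the thread or Fortinet's docs): audit what the
# FortiGate LDAP bind account is actually granted on the OU holding VPN users.
# Account name, OU DN and sAMAccountName below are assumptions; replace them.
Import-Module ActiveDirectory

$ServiceAccount = 'LAB\svc-fortigate'             # assumed bind account (DOMAIN\sam)
$TargetOu       = 'OU=VPN Users,DC=lab,DC=local'  # assumed OU containing VPN users
$SampleUser     = 'jdoe'                          # assumed user who cannot change password

# Well-known schema GUIDs: User-Force-Change-Password ("Reset Password") right and the user class
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$TargetOu"

# Every ACE on the OU granted to the service account, to compare with the
# permission list in the least-privilege document
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
$aces | Select-Object AccessControlType, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited | Format-Table -AutoSize

# The right only helps if it is an Allow ACE for the Reset Password GUID that
# propagates to descendant user objects (InheritedObjectType = user class or "all")
$resetAce = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $ResetPasswordRight -and
    $_.InheritanceType -ne 'None' -and
    ($_.InheritedObjectType -eq $UserClass -or $_.InheritedObjectType -eq [Guid]::Empty)
}

if ($resetAce) {
    "OK: '$ServiceAccount' has Reset Password delegated on $TargetOu for user objects"
} else {
    "MISSING: no inheritable Reset Password ACE for '$ServiceAccount' on $TargetOu"
}

# Check the user object itself too: blocked inheritance or an explicit Deny ACE
# on the user overrides what the OU grants, which explains "works for admins only"
$user    = Get-ADUser -Identity $SampleUser
$userAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$userAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.ObjectType -eq $ResetPasswordRight
} | Select-Object AccessControlType, IsInherited, InheritanceType | Format-Table -AutoSize
```

If the OU check reports MISSING while the document's delegation was applied, the DSID/INSUFF_ACCESS_RIGHTS line from fnbamd is consistent with an ACE that exists but does not reach the user objects (wrong inheritance scope) rather than one that was never created.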