How do I support users who are required to change their password on initial login?
03/26/2020
The setting "Allow user to change password when notified" is required for a user to log in at the point where their old password has expired and must be changed before access is granted.
Two factors, in combination, cause the problem for new users:
- An Active Directory (AD) policy requiring a password change at the initial login (the "User must change password at next logon" flag on the account);
- The SMA setting "Allow user to change password when notified" being disabled.
From the SMA's point of view, the AD policy requiring a password change at the initial login is identical to the case where a user logs in but their password has already expired: in both cases AD accepts the password and then requires a new one before the logon completes.
In a normal configuration the AD users have active passwords that eventually expire and must be changed. The provision to allow password changes through the VPN, "Active Directory over VPN", secures the link between the SMA and the AD server, meeting the security requirements for remote password changes in AD. The option to notify users of their password expiring allows configuration of a period, in days in advance of the expiration of the password, during which the user is notified and given time to change their password. Under that configuration is an option to allow the user to change their password at the time they are notified, "Allow user to change password when notified". This option might be disabled when the AD administrator requires a specific process for changing passwords and does not want that done at login over a VPN.
If the AD policy is set and the "Allow user to change password when notified" option is disabled, new users, and likewise users with expired passwords, will be prevented from logging into the SMA VPN.
The SMA will submit their password and AD will accept it as correct, but AD will then require the password to be changed at that point. Because the SMA is configured not to allow the change, the logon cannot complete and access is denied.
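To make the failure mode concrete, here is an added example (not code from the article or from SonicWall) that classifies the diagnostic message Active Directory returns on an LDAP bind failure. AD appends a well-known sub-code ("data 773" for an account flagged to change its password at next logon, "data 532" for an expired password, "data 52e" for a plain wrong password, and so on); the sub-code table is standard Microsoft behaviour but is an addition here, as is the vpn_login_outcome() function, which models the gateway decision the article describes with a hypothetical boolean standing in for the "Allow user to change password when notified" setting. The sample diagnostics are constructed, with made-up DSID and version fields.

```python
import re

# Sub-codes Active Directory appends to an LDAP bind failure
# ("... AcceptSecurityContext error, data NNN ..."). Well-known Microsoft
# values; this table is an addition here, not taken from the article.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "password must be changed at next logon",
    "775": "account locked out",
}

# Both states mean the supplied password was correct but AD demands a new one
# before access is granted. A gateway that cannot relay that change fails the
# login in either case, which is why the two cases behave identically.
PASSWORD_CHANGE_REQUIRED = frozenset({"532", "773"})

OUTCOME_OK = "authenticated"
OUTCOME_CHANGE = "password change prompted"
OUTCOME_BLOCKED = "blocked: password change required but not permitted"
OUTCOME_REJECTED = "rejected"

_DATA_RE = re.compile(r"\bdata\s+([0-9A-Fa-f]{3})\b")


def parse_ad_subcode(diagnostic):
    """Extract the three-hex-digit sub-code from a bind diagnostic message.

    Returns None when no 'data NNN' field is present (a successful bind
    carries no diagnostic at all).
    """
    if not diagnostic:
        return None
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def describe(diagnostic):
    """Human-readable meaning of the sub-code, for troubleshooting output."""
    code = parse_ad_subcode(diagnostic)
    if code is None:
        return "no AD sub-code present"
    return f"data {code}: {AD_BIND_SUBCODES.get(code, 'unrecognised sub-code')}"


def vpn_login_outcome(diagnostic, allow_change_when_notified):
    """Model the gateway decision described in the article.

    diagnostic: the AD bind diagnostic string, or "" for a clean bind.
    allow_change_when_notified: hypothetical boolean standing in for the
    appliance's "Allow user to change password when notified" setting.
    """
    code = parse_ad_subcode(diagnostic)
    if code is None:
        return OUTCOME_OK
    if code in PASSWORD_CHANGE_REQUIRED:
        return OUTCOME_CHANGE if allow_change_when_notified else OUTCOME_BLOCKED
    # Wrong password, disabled, locked out, etc.: no gateway setting can turn
    # these into a successful login.
    return OUTCOME_REJECTED


# Constructed sample diagnostics (DSID and version fields are made up).
SAMPLE_DIAGNOSTICS = {
    "clean_bind": "",
    "new_user_must_change": "80090308: LdapErr: DSID-0C09042A, comment: "
                            "AcceptSecurityContext error, data 773, v3839",
    "expired_password": "80090308: LdapErr: DSID-0C09042A, comment: "
                        "AcceptSecurityContext error, data 532, v3839",
    "wrong_password": "80090308: LdapErr: DSID-0C09042A, comment: "
                      "AcceptSecurityContext error, data 52e, v3839",
}

if __name__ == "__main__":
    for name, diag in SAMPLE_DIAGNOSTICS.items():
        print(f"{name:22} {describe(diag):48} "
              f"allow=off -> {vpn_login_outcome(diag, False)} | "
              f"allow=on -> {vpn_login_outcome(diag, True)}")
```

Running the block shows that "data 773" (new user) and "data 532" (expired password) produce the same blocked outcome when the setting is off, while a wrong password ("data 52e") is rejected regardless of the setting. When troubleshooting a real login failure, the same sub-code is what to look for in the SMA authentication log or in an LDAP client's bind error.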
The expected configuration, where users are notified of password expiration and are allowed to change their passwords, is to enable "Allow user to change password when notified".
This prevents login failure both for new users who must change their password at first login and for users whose password has already expired when they attempt to log in.
This is an example of the normal and recommended configuration under: Authentication Servers > Edit Authentication Server > Advanced