-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
How do I support users who are required to change their password on initial login?
03/26/2020 
3 People found this article helpful
478,528 Views
Description
The setting "Allow user to change password when notified" is required for a user to log in at the point where their old password is expired and they must change their password.
Cause
There are two factors that may cause a problem for new users:
- An Active Directory (AD) policy requiring a password change on the initial login;
- The SMA setting "Allow user to change password when notified"
The AD policy requiring password change at initial login is identical to the instance where a user logs in but their password is already expired.
In a normal configuration the AD users have active passwords that eventually expire and must be changed. The provision to allow password changes thru the VPN, "Active Directory over VPN", secures the link between the SMA and the AD server, meeting the security requirements for remote password changes in AD. The option to notify users of their password expiring, allows configuration of a period, in days and in advance of the expiration of the password, to notify the user and allow them time to change their passwords. Under that configuration is an option to allow the user to change their password at the time they are notified, "Allow user to change password when notified". This option might be disabled when the AD administrator requires a specific process for changing passwords and noes not want that done at login on a VPN.
If the AD policy is set and the "Allow user to change password when notified" option is disabled, new users or users with expired passwords will be prevented from logging into the SMA VPN.
The SMA will take their password and correctly authenticate them to the AD server but the AD server will expect the password change at that time and the SMA will not allow it, preventing access.
Resolution
The expected configuration where users are notified of password expiration, and are allowed to change their passwords, is to enable "Allow user to change password when notified".
This prevents login failure where the user password has already expired when they attempt to login.
This is an example of the normal and recommended configuration under: Authentication Servers > Edit Authentication Server > Advanced
Related Articles
- How to Set Timeout for Inactive Tunnel Connections
- Commands for silent installation of NetExtender via CMD line
- Users on Netextender 10.3.0 version failing to connect with the following error message " Cannot get a response from the server "
YES
NO