Unable to change expired password via NetExtender

10/14/2021 344 25350

DESCRIPTION:

When connecting via NetExtender and your password has expired you receive the following error.

RESOLUTION:

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

1. Check that the time on the Server matches the local PC and SonicWall.
2. Check the LDAP setting:
    
   • If using bind distinguished name please confirm that the distinguished name is used. This can be found in AD by enabling Advanced Features and then going to the properties of the user account and selecting Attribute editor (you will find the distinguished name listed)
   • Make sure the Use TLS(SSL) option is selected.
     
     
     
     
     

3. If the user account being used to bind to the LDAP server is not the builtin Administrator account, please make sure the following permissions are delegated:

   • Create the user you'll bind with. Make it a member of Domain Users or Domain Admin.
     
     NOTE: The AD/LDAP bind account used can be a domain admin or a domain user with all required permission to read and modify users.
     
     
     
   • Create the group you'll delegate permissions to. Add the user you created to this group. 
   • Delegate control to the highest available OU where users are located. i.e. at the domain top level so that the user has control over your new group within the entire directory structure. You may need to enable the Advanced Features in Active Directory Users and Computers (ADUC) to see some of the security properties.
   • In ADUC, click on the highest point in the directory.
   • Right click on it, click Delegate Control.
   • Follow the wizard... Add the newly created group to the list of users/groups to delegate control to. Click Next.
   • Delegate the following common tasks: Reset user passwords and force password change at next logon.
   • Click Next and close the wizard. 
     
     
4.  At this point if you have the Advanced Features enabled in ADUC you should be able to right click the top level of the domain and click Properties | Security tab. In the Security tab you'll see the newly created group listed. 
   Select it, and click Advanced. In the Permission entries list you'll see at least two line items for the newly created group. One should say the access is Reset password, and the next should be blank. Both should be inherited from "None". Double-clicking the one with the blank access line will bring up the list of permissions. You should see that Read pwdLastSet and Write pwdLastSet are selected. Click Cancel. 
   
   
5. Edit the Newly created group. Click the Security tab. Select the newly created group from the group list. Click Advanced. Note whether Inheritance has been enabled or not, and what permissions are in the list. Inheritance should be enabled, and you should see the two line items for the newly created group listed as well. 
   
   

How to Test:

1. Set the test user account to change password at next login in Active directory.
2. Launch NetExtender and connect to the SSLVPN.
3. When prompted for the password change, enter the Old password and then the New password twice. Click OK.
4. You will now be able to successfully change the password and not receive the server error.
   
   
   

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

1. Check that the time on the Server matches the local PC and SonicWall.
2. Check the LDAP setting:
   • If using bind distinguished name please confirm that the distinguished name is used. This can be found in AD by enabling Advanced Features and then going to the properties of the user account and selecting Attribute editor (you will find the distinguished name listed)
   • Make sure the Use TLS(SSL) option is selected.
     
     
3. If the user account being used to bind to the LDAP server is not the builtin Administrator account please make sure the following permissions are delegated:
   • Create the user you'll bind with. Make it a member of Domain Users or Domain Admin.
     NOTE: The AD/LDAP bind account used can be a domain admin or a domain user with all required permission to read and modify users.
     
     
     
   • Create the group you'll delegate permissions to. Add the user you created to this group. 
   • Delegate control to the highest available OU where users are located. i.e. at the domain top level so that the user has control over your new group within the entire directory structure. You may need to enable the Advanced Features in Active Directory Users and Computers (ADUC) to see some of the security properties.
   • In ADUC, click on the highest point in the directory.
   • Right click on it, click Delegate Control.
   • Follow the wizard... Add the newly created group to the list of users/groups to delegate control to. Click Next.
   • Delegate the following common tasks: Reset user passwords and force password change at next logon.
   • Click Next and close the wizard. 
     
     
4. At this point if you have the Advanced Features enabled in ADUC you should be able to right click the top level of the domain and click Properties | Security tab. In the Security tab you'll see the newly created group listed. 
   Select it, and click Advanced. In the Permission entries list you'll see at least two line items for the newly created group. One should say the access is Reset password, and the next should be blank. Both should be inherited from "None". Double-clicking the one with the blank access line will bring up the list of permissions. You should see that Read pwdLastSet and Write pwdLastSet are selected. Click Cancel. 
   
   
5. Edit the Newly created group. Click the Security tab. Select the newly created group from the group list. Click Advanced. Note whether Inheritance has been enabled or not, and what permissions are in the list. Inheritance should be enabled, and you should see the two line items for the newly created group listed as well. 
   

How to Test:

1. Set the test user account to change password at next login in Active directory.
2. Launch NetExtender and connect to the SSLVPN.
3. When prompted for the password change, enter the Old password and then the New password twice. Click OK.
4. You will now be able to successfully change the password and not receive the server error.
   
   
   
   

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

1. Check that the time on the Server matches the local PC and SonicWall.
2. Check the LDAP setting:
   • If using bind distinguished name please confirm that the distinguished name is used. This can be found in AD by enabling Advanced Features and then going to the properties of the user account and selecting attribute editor (you will find the distinguished name listed).
   • Make sure the Use TLS(SSL) option is selected.
     
     
     
     
3. If the user account being used to bind to the LDAP server is not the builtin Administrator account please make sure the following permissions are delegated:
   • Create the user you'll bind with. Make it a member of Domain Users or Domain Admin.
     NOTE: The AD/LDAP bind account used can be a domain admin or a domain user with all required permission to read and modify users.
     
     
   • Create the group you'll delegate permissions to. Add the user you created to this group.
   • Delegate control to the highest available OU where users are located. i.e. at the domain top level so that the user has control over your new group within the entire directory structure. You may need to enable the Advanced Features in Active Directory Users and Computers (ADUC) to see some of the security properties.
   • In ADUC, click on the highest point in the directory.
   • Right click on it, click Delegate Control.
   • Follow the wizard... Add the newly created group to the list of users/groups to delegate control to. Click Next.
   • Delegate the following common tasks: Reset user passwords and force password change at next logon.
   • Click Next and close the wizard.
     
     
4. At this point if you have the Advanced Features enabled in ADUC you should be able to right click the top level of the domain and click Properties | Security tab. In the Security tab you'll see the newly created group listed. Select it, and click Advanced. In the Permission entries list you'll see at least two line items for the newly created group. One should say the access is Reset password, and the next should be blank. Both should be inherited from "None". Double-clicking the one with the blank access line will bring up the list of permissions. You should see that Read pwdLastSet and Write pwdLastSet are selected. Click Cancel.
5. Edit the Newly created group. Click the Security tab. Select the newly created group from the group list. Click Advanced. Note whether Inheritance has been enabled or not, and what permissions are in the list. Inheritance should be enabled, and you should see the two line items for the newly created group listed as well.
   

How to Test:

1. Set the test user account to change password at next login in Active directory.
2. Launch NetExtender and connect to the SSLVPN.
3. When prompted for the password change, enter the Old password and then the New password twice. Click OK.
4. You will now be able to successfully change the password and not receive the server error.