FortiGate
gmanea
Staff
Article Id 191879

Description
FortiGate can renew an expired password for an LDAP user during that user's login (for example an SSL-VPN login), provided the LDAP bind account is allowed to reset passwords in the directory.

This article provides basic guidelines and verification steps for setting up this functionality with Active Directory.


Scope
Standard LDAP authentication is already configured and functional (except the password renewal feature).
The section describing configuration changes within Active Directory is for informational purposes only.

It was tested with a default domain configuration in a domain running on Windows Server 2016.
If there are issues with setting or verifying the password reset delegation, refer to the Windows/Active Directory support contact, as troubleshooting Active Directory configurations is out of scope of Fortinet TAC.


Solution
1) Delegate password reset rights for the LDAP account used by the FortiGate in Active Directory.

- Open Active Directory Users and Computers (aka ADUC, aka dsa.msc).
Navigate to the Organizational Unit (OU) that contains the users, right-click it and select 'Delegate Control...'.


Note.
The password reset rights apply only to user objects in the selected OU (and, through inheritance, in its child OUs). Users located elsewhere in the domain cannot renew their password through the FortiGate unless the delegation is repeated for their OU.

- The Delegation of Control Wizard opens; select 'Next'.
On the 'Users or Groups' screen, select 'Add', add the LDAP account used by the FortiGate (or a group it belongs to), confirm with 'OK' and then select 'Next'.

- On the 'Tasks to Delegate' screen, select 'Reset user passwords and force password change at next logon' and then select 'Next'.

- On the final screen, select 'Finish' to apply the change.

2) Verify that the password reset delegation is functional.
The below method is only one example of such verification.
Other methods can be used as well, as long as they clearly demonstrate the ability of the FortiGate's LDAP account to reset user passwords.
- Obtain the full distinguished name of a test user. In this example: 'CN=John Doe,OU=usr,DC=testdomain,DC=lab'.
- Start PowerShell with the credentials of the FortiGate LDAP account (for example via runas), not with the currently logged-in user or another account, otherwise the result is not representative of what the FortiGate can do.
- Run the following commands to attempt a password reset (an administrative reset, which is what the FortiGate performs, as opposed to a user-initiated change that would require the old password):
# Bind to the test user object with the credentials of the current PowerShell session
$test = [adsi]"LDAP://CN=John Doe,OU=usr,DC=testdomain,DC=lab"
# SetPassword performs the reset immediately; it requires the 'Reset Password' right on the object
$test.psbase.invoke("SetPassword","NewPassword1234#")
# Not strictly required after SetPassword, but harmless
$test.psbase.CommitChanges()

If the attempt is successful, the commands return nothing.
Then verify that the password was actually updated (e.g. log in to some system with the new password, or start an application as that user).

If the attempt fails, review the error message. Without the delegation it typically looks like:
Exception calling "Invoke" with "2" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

IMPORTANT.
Do not proceed further until the verification is successful.
Permission issues cannot be worked around by any configuration on the FortiGate, so this step must succeed first; otherwise the password change via FortiGate will not work.
Also make sure the test passes because of the delegation and not because the FortiGate LDAP account is a member of a privileged group such as Domain Admins or Account Operators: the account only needs the delegated reset right for the chosen OU, and anything more turns the bind password stored on the FortiGate into a domain-wide credential.
If there are issues with setting the delegation rights or with the verification, refer to the Windows/Active Directory support contact.
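The delegation in step 1, the verification in step 2 and the reversal at the end of this article can also be done from PowerShell, which is easier to review and repeat than clicking through the wizard. The following script is an added example, not part of this article and not Fortinet tooling; the OU 'OU=usr,DC=testdomain,DC=lab', the bind account 'fortigate-ldap' in domain TESTDOMAIN and the test user 'jdoe' are assumed names taken from the examples above, and the ActiveDirectory PowerShell module (RSAT) is required. It writes the same two access control entries the wizard task writes (the 'Reset Password' control access right plus read/write on pwdLastSet, inherited by user objects only), lists every principal that holds a password reset right below the OU so an over-broad grant stands out, and then attempts an administrative reset as the bind account itself.

```powershell
# Added example (not from the Fortinet article). Delegates, audits, tests and revokes the
# "Reset user passwords and force password change at next logon" right for the FortiGate
# bind account with the ActiveDirectory module instead of the ADUC wizard.
# Assumed (hypothetical) names: OU 'OU=usr,DC=testdomain,DC=lab', bind account
# 'fortigate-ldap' in domain TESTDOMAIN, test user 'jdoe'. Run Grant/Revoke as an account
# that may modify the OU's security descriptor; run Test with the bind account's credential.
Import-Module ActiveDirectory

# Schema GUIDs behind the wizard task: the two ACEs it writes reference exactly these.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

function Grant-ResetPasswordDelegation {
    param([string]$OuDn, [string]$BindAccount)
    $sid = (Get-ADUser -Identity $BindAccount).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    # ACE 1: Reset Password extended right, inherited by descendant user objects only
    # (not applied to the OU itself, nor to computer or group objects).
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $UserClass))
    # ACE 2: read/write pwdLastSet, needed to set or clear "must change password at next logon".
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow, $PwdLastSetAttr,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $UserClass))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Who can reset passwords below this OU? Lists Allow ACEs (explicit and inherited) that carry
# the Reset Password right, all extended rights, or GenericAll, so over-broad grants stand out.
function Get-ResetPasswordDelegations {
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ObjectType -eq $ResetPasswordRight -or
                $_.ActiveDirectoryRights -match 'GenericAll' -or
                ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq [Guid]::Empty))
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}

# Administrative reset as the bind account. Set-ADAccountPassword -Reset replaces unicodePwd
# just as the FortiGate does, so "Access is denied" here means the FortiGate will fail too.
# It runs over AD Web Services, not LDAPS: it proves the ACL, not the TLS path of step 3.
function Test-ResetPasswordDelegation {
    param([string]$TestUser, [pscredential]$BindCredential, [securestring]$NewPassword)
    try {
        Set-ADAccountPassword -Identity $TestUser -Reset -NewPassword $NewPassword `
            -Credential $BindCredential -ErrorAction Stop
        $pls = (Get-ADUser -Identity $TestUser -Properties pwdLastSet).pwdLastSet
        [pscustomobject]@{ User = $TestUser; Result = 'OK'
                           Detail = 'pwdLastSet ' + [DateTime]::FromFileTimeUtc($pls).ToString('u') }
    } catch {
        # Typical failure without delegation: "Access is denied".
        [pscustomobject]@{ User = $TestUser; Result = 'FAILED'; Detail = $_.Exception.Message }
    }
}

# Reversal: drop every explicit ACE for the bind account on the OU (what the Security tab
# 'Remove' button does).
function Revoke-ResetPasswordDelegation {
    param([string]$OuDn, [string]$BindAccount)
    $sid = (Get-ADUser -Identity $BindAccount).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.PurgeAccessRules($sid)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Usage with the assumed names:
$ou = 'OU=usr,DC=testdomain,DC=lab'
Grant-ResetPasswordDelegation -OuDn $ou -BindAccount 'fortigate-ldap'
Get-ResetPasswordDelegations -OuDn $ou | Format-Table -AutoSize
$bind = Get-Credential -UserName 'TESTDOMAIN\fortigate-ldap' -Message 'FortiGate LDAP bind account'
Test-ResetPasswordDelegation -TestUser 'jdoe' -BindCredential $bind `
    -NewPassword (Read-Host -AsSecureString -Prompt 'New password for the test user')
```

The audit output is worth keeping: any principal other than the FortiGate bind account, the built-in administrative groups and SYSTEM that appears there with a reset right over your user OU is a finding in its own right. Because the test uses the bind account's credential directly, it does not depend on a separate runas session and cannot accidentally succeed with the rights of the logged-in administrator.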

3) Enable the password renewal functionality for your LDAP server (CLI only):
# config user ldap
    edit "testdomain"
        set server "10.109.51.52"
        set cnid "sAMAccountName"
        set dn "dc=testdomain,dc=lab"
        set type regular
        set username "TESTDOMAIN\\fortigate-ldap"
        set password ENC ###
        set secure ldaps #<=== Mandatory: Active Directory only accepts a password (unicodePwd) change over an encrypted connection, so use 'ldaps' (port 636) or 'starttls' (port 389); over a plain bind the authentication works but the domain controller refuses the password change.
        set port 636
        set password-renewal enable
    next
end
Note that 'set secure ldaps' only encrypts the session. To make sure the FortiGate sends the new password to the intended domain controller and not to whatever answers on port 636, also import the CA certificate that issued the domain controller's LDAPS certificate, reference it with 'set ca-cert', and enable 'set server-identity-check'.

Verification.
Perform a test LDAP authentication attempt with an LDAP account whose password has already expired.
Alternatively, enable 'User must change password at next logon' for the account to force the change manually.

The syntax of the test command is as follows:
# diagnose test authserver ldap <LDAP-server-name> <username> <current-password>
Replace <LDAP-server-name> with the name of the LDAP server object in the FortiGate configuration ('# config user ldap'); 'dia' in the examples below is the usual abbreviation of 'diagnose'.
If the delegation was configured correctly, the CLI prompts for the new password twice for confirmation and then prints a confirmation line followed by the group membership of the user as returned by the LDAP server.
# dia test authserver ldap testdomain jdoe OldPassword1234#
New Password:********
Confirm Password:********
authenticate 'jdoe' against 'testdomain' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=testdomain,DC=lab
If the delegation is not configured correctly, or if the user is located in an OU for which the FortiGate LDAP account does not hold password reset rights, the password change attempt fails instead with the following message:
# dia test authserver ldap testdomain jdoe OldPassword1234#
New Password:**********
Confirm Password:**********
authenticate 'jdoe' against 'testdomain' failed!
Reversal.
If for any reason the password reset rights need to be removed again, follow these steps:
- Open Active Directory Users and Computers, select the relevant OU and then select 'Properties'. If no Security tab is shown, enable 'View' > 'Advanced Features' first.
- In the Security tab, select the FortiGate LDAP account (or the delegated group) in the list, select 'Remove' and confirm with 'OK'. This removes every explicit permission entry for that account on the OU, not only the password reset right.