Password Management??????

Password Management?????? - 24.Oct.2008 9:23:54 AM   
johnisccp

 

Posts: 10
Joined: 29.Sep.2008
Status: offline
We have several user accounts whose passwords expired because the users did not change their password within 30 days. Some people are reporting they did not receive the reminder.  Is there a way for the user to change their password even though the password has expired?  Is there a way for me to test the reminder to make sure it works?

Thanks in advance.
Post #: 1
RE: Password Management?????? - 24.Oct.2008 11:41:21 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
How is this an ISA question? Are we talking VPN users? Or OWA users?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to johnisccp)
Post #: 2
RE: Password Management?????? - 24.Oct.2008 11:50:07 AM   
johnisccp

 

Posts: 10
Joined: 29.Sep.2008
Status: offline
This is OWA.  ISA 2006 has a password management option to allow users to change their password for OWA, so why can't this be an ISA question?

< Message edited by johnisccp -- 24.Oct.2008 11:51:18 AM >

(in reply to johnisccp)
Post #: 3
RE: Password Management?????? - 24.Oct.2008 11:52:03 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Yes indeed, but it's not ISA that notifies when the password is about to expire. That's a Windows task.

All ISA does is give you the capability to do it.

If they were vpn'd in then they would see the reminder on the login screen.

_____________________________

Thanks
Steve


(in reply to johnisccp)
Post #: 4
RE: Password Management?????? - 24.Oct.2008 11:57:27 AM   
johnisccp

 

Posts: 10
Joined: 29.Sep.2008
Status: offline
If it is not the ISA reminding the user to change their password, why would they have the option to remind the user to change their password in a number of days in the password management tab?

(in reply to SteveMoffat)
Post #: 5
RE: Password Management?????? - 24.Oct.2008 12:16:58 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Are you using FBA & is your ISA a member of the domain?

_____________________________

Thanks
Steve


(in reply to johnisccp)
Post #: 6
RE: Password Management?????? - 24.Oct.2008 12:17:51 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Have you followed the methods in http://technet.microsoft.com/en-us/library/cc514301.aspx

_____________________________

Thanks
Steve


(in reply to SteveMoffat)
Post #: 7
RE: Password Management?????? - 24.Oct.2008 2:14:37 PM   
johnisccp

 

Posts: 10
Joined: 29.Sep.2008
Status: offline
I am using FBA with LDAP and the ISA server is not part of the domain.  If I am using FBA, do I need to enable Connect LDAP servers over secure connection?

(in reply to SteveMoffat)
Post #: 8
RE: Password Management?????? - 28.Oct.2008 7:04:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
You need to enable LDAPS connections to the LDAP server in order to change passwords.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to johnisccp)
Post #: 9
RE: Password Management?????? - 5.Dec.2008 4:28:53 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hello!

Is there any paper/tutorial explaining in detail how to set up LDAPS on the DC in order to be able to change passwords? I have been looking for two days and there seems to be nothing. What are the steps one needs to take to set up LDAPS?

Will I need to request a 3rd party SSL certificate in order to make this thing work? I have my ISA Server up and running and I have also published my OCS 2007, but I'm stuck trying to figure out how to make this a good experience for end users by allowing them to change their passwords online and also be reminded that their password is about to expire. I desperately need to get this right, so if someone can point me to some good tips I will really appreciate it.

Thanks in advance. I posted a message in another similar thread yesterday but didn't hear back so I'm trying here.

Sincerely,

Ramadji

(in reply to tshinder)
Post #: 10
RE: Password Management?????? - 5.Dec.2008 5:09:37 PM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi!
It's me again. I have read in different literature that setting up the ISA as a non-domain member is far from being a best practice in terms of security. And Dr. Shinder said in his paper titled "Debunking the Myth that the ISA Firewall Should Not be a Domain Member": "For the last two years I've been trying to communicate to ISA firewall admins that a domain member machine is more secure and more flexible than a non-domain member machine and that they do themselves and their companies a disservice by not joining the ISA firewall to the domain. This is a significant issue and not something to be taken lightly because there is a serious security hit you take when you don't join the ISA firewall to the domain."
Is it true that in order to set up LDAPS, the ISA must be a non-domain member? If that's the case, how do we reduce the risks resulting from removing the ISA Server from the domain?

I need some light from the subject experts to reduce my ignorance.

Thank you all in advance.

_____________________________

Best regards,
Ramadji Doumnande
Washington, DC

(in reply to ramadji)
Post #: 11
RE: Password Management?????? - 7.Dec.2008 9:27:01 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The ISA Firewall can be a domain member and use LDAPS. No problem with that.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ramadji)
Post #: 12
RE: Password Management?????? - 9.Dec.2008 9:15:57 AM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Good to know. Thanks a lot for the input.
Sincerely,
Ramadji

(in reply to tshinder)
Post #: 13
RE: Password Management?????? - 9.Dec.2008 9:41:46 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Let us know how that works out for you.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ramadji)
Post #: 14
RE: Password Management?????? - 9.Dec.2008 9:45:43 AM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
I definitely will. Thank you.
Ramadji -

(in reply to tshinder)
Post #: 15
RE: Password Management?????? - 16.Dec.2008 4:54:16 PM   
remushociota

 

Posts: 64
Joined: 12.Apr.2004
Status: offline
Ramadji, can you please tell me where the message that warns the user his password will expire in X days is displayed?
I have both checkboxes checked under password management, so I allow users to change their password and want to notify them in advance about it expiring.

Actually the better question would be: if ISA is NOT joined to the domain, so you only use LDAPS, will the warning to users X days in advance about the password expiring work or not?

< Message edited by remushociota -- 16.Dec.2008 4:58:47 PM >

(in reply to ramadji)
Post #: 16
RE: Password Management?????? - 17.Dec.2008 9:39:32 AM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hello!
I'm still working on that part. I just submitted a CSR to Entrust yesterday and I'm expecting to get a certificate for my DC in order to enable LDAPS. After that is done, I will be testing the same features (password management, expiration alert) again. It didn't work the first time without LDAPS.
My ISA is part of the domain. Pertaining to your question, I was wondering whether I would need to take my ISA server out of my domain before enabling LDAPS, but after checking with this forum, Tom said that the ISA server can be part of the domain and we can still have LDAPS to fix that problem. So, in my humble opinion, you should be fine even if your ISA box is not part of your domain.
I will keep you posted if I make some progress.

_____________________________

Best regards,
Ramadji Doumnande
Washington, DC

(in reply to remushociota)
Post #: 17
RE: Password Management?????? - 19.Dec.2008 9:26:13 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Whoa!

You do NOT need a commercial certificate to enable LDAPS to the DC. Install an enterprise CA and have the DCs request a server certificate.

You do NOT need to use LDAP authentication for your publishing rules for this to work. In fact, it's easier to make work when you use integrated Windows authentication.

Check out this article for details:
http://technet.microsoft.com/en-us/library/cc514301.aspx

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ramadji)
Post #: 18
RE: Password Management?????? - 19.Dec.2008 10:44:36 AM   
ramadji

 

Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hi Tom,
I already got a response for my SSL certificate so too late for me to cancel and set up a CA in my environment. :(
The good news is that I'm now able to get it to work with LDAPS enabled. Yeaaaaah! After so many days beating my head against the wall, I'm making some progress now. I can change my password and log in at the ISA Server FBA using just my AD username instead of using the SAM account name ( domainname\username). At my OCS level, I'm able to use the UPN account name ( username@domainname) to log in. It would be great and life will be so easy if SSO works. Any other suggestions on how to make it possible for the ISA Server to simply pass the credentials to the OCS server inside my network and grant me access instead of having to log in twice?
Thanks to everyone for all the help.

_____________________________

Best regards,
Ramadji Doumnande
Washington, DC

(in reply to tshinder)
Post #: 19
RE: Password Management?????? - 22.Dec.2008 10:29:02 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Are the Exchange and OCS machines in the same AD domain?

You might have to use integrated authentication instead of LDAP auth to make this work. Password changes just require that an LDAPS channel can be established between the firewall and the DC -- it does not require that you use LDAP authentication for client authentication to the firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ramadji)
Post #: 20
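
One way to check, from the ISA firewall, that the LDAPS channel to the DC described in the replies above can actually be established. This is an added example, not part of the original thread; the function name `Test-LdapsChannel` and the DC name `dc01.corp.example` are hypothetical, and it assumes Windows PowerShell with default (non-strict) settings.

```powershell
# Added example. The DC name in the last line is a placeholder, not from the thread.
function Test-LdapsChannel {
    param([Parameter(Mandatory = $true)][string]$DcFqdn, [int]$Port = 636)
    $seen = @{ Errors = $null; Cert = $null }
    # Record what validation reported, then accept only a clean result, so an
    # untrusted or name-mismatched certificate still fails the handshake.
    $validate = {
        param($s, $cert, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        if ($cert) { $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert }
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure()
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null; $ok = $false
    try {
        $client.Connect($DcFqdn, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$validate)
        $ssl.AuthenticateAsClient($DcFqdn)   # TLS handshake only; no LDAP bind is sent
        $ok = $true
    } catch {
        Write-Warning "LDAPS check against ${DcFqdn}:$Port failed: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    # A certificate used by the DC for LDAPS needs the Server Authentication EKU.
    $ekus = @()
    if ($seen.Cert) {
        $ekus = @($seen.Cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    }
    New-Object PSObject -Property @{
        Server        = $DcFqdn
        HandshakeOk   = $ok
        PolicyErrors  = $seen.Errors
        Subject       = $(if ($seen.Cert) { $seen.Cert.Subject })
        NotAfter      = $(if ($seen.Cert) { $seen.Cert.NotAfter })
        ServerAuthEku = ($ekus -contains '1.3.6.1.5.5.7.3.1')
    }
}
Test-LdapsChannel -DcFqdn 'dc01.corp.example'
```

A `PolicyErrors` value of `RemoteCertificateChainErrors` means the machine running the check does not trust the CA that issued the DC's certificate; `RemoteCertificateNameMismatch` means the name passed in does not match the name on the certificate.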
