We have several user accounts whose passwords expired because the users did not change their password within 30 days. Some people are reporting they did not receive the reminder. Is there a way for the user to change their password even though the password has expired? Is there a way for me to test the reminder to make sure it works?
If it is not the ISA reminding the user to change their password, why would there be an option to remind users to change their password a number of days in advance in the password management tab?
I am using FBA with LDAP and the ISA server is not part of the domain. If I am using FBA, do I need to enable "Connect LDAP servers over secure connection"?
Posts: 62
Joined: 17.Sep.2008
From: Washington, DC, USA
Status: offline
Hello!
Is there any paper/tutorial explaining in detail how to set up LDAPS on the DC in order to be able to change passwords? I have been looking for two days and there seems to be nothing. What are the steps one needs to take to set up LDAPS?
Will I need to request a third-party SSL certificate in order to make this work? I have my ISA Server up and running and I have also published my OCS 2007, but I'm stuck trying to figure out how to make this a good experience for end users by allowing them to change their passwords online and also be reminded that their password is about to expire. I desperately need to get this right, so if someone can point me to some good tips I will really appreciate it.
Thanks in advance. I posted a message in another similar thread yesterday but didn't hear back, so I'm trying here.
Hi! It's me again. I have read in different literature that setting up the ISA as a non-domain member is far from being a best practice in terms of security. And Dr. Shinder said in his paper titled "Debunking the Myth that the ISA Firewall Should Not be a Domain Member": "For the last two years I’ve been trying to communicate to ISA firewall admins that a domain member machine is more secure and more flexible than a non-domain member machine and that they do themselves and their companies a disservice by not joining the ISA firewall to the domain. This is a significant issue and not something to be taken lightly because there is a serious security hit you take when you don’t join the ISA firewall to the domain." Is it true that in order to set up LDAPS, the ISA must be a non-domain member? If that's the case, how do we reduce the risks resulting from removing the ISA Server from the domain?
I need some light from the subject experts to reduce my ignorance.
Ramadji, can you please tell me where that message that warns the user his password will expire in X days is displayed? Under password management I have both checkboxes checked, so I allow users to change their password and want to notify them in advance about it expiring.
Actually the better question would be: if ISA is NOT joined to the domain, so you only use LDAPS, will that warning to users X days in advance about their password expiring work or not?
< Message edited by remushociota -- 16.Dec.2008 4:58:47 PM >
Hello! I'm still working on that part. I just submitted a CSR to Entrust yesterday and I'm expecting to get a certificate for my DC in order to enable LDAPS. After that is done, I will be testing the same features (password management, expiration alert) again. It didn't work the first time without LDAPS. My ISA is part of the domain. Pertaining to your question, I was wondering whether I would need to take my ISA server out of my domain before enabling LDAPS, but after checking with this forum, Tom said that the ISA server can be part of the domain and we can still have LDAPS to fix that problem. So, in my humble opinion, you should be fine even if your ISA box is not part of your domain. I will keep you posted if I make some progress.
You do NOT need a commercial certificate to enable LDAPS to the DC. Install an enterprise CA and have the DCs request a server certificate.
You do NOT need to use LDAP authentication for your publishing rules for this to work. In fact, it's easier to make work when you use integrated Windows authentication.
Hi Tom, I already got a response for my SSL certificate, so it's too late for me to cancel and set up a CA in my environment. :( The good news is that I'm now able to get it to work with LDAPS enabled. Yeaaaaah! After so many days beating my head against the wall, I'm making some progress now. I can change my password and log in at the ISA Server FBA using just my AD username instead of using the SAM account name (domainname\username). At my OCS level, I'm able to use the UPN account name (username@domainname) to log in. It would be great and life would be so easy if SSO worked. Any other suggestions on how to make it possible for the ISA Server to simply pass the credentials to the OCS server inside my network and grant me access instead of having to log in twice? Thanks to everyone for all the help.
Are the Exchange and OCS machines in the same AD domain?
You might have to use integrated authentication instead of LDAP auth to make this work. Password changes just require that an LDAPS channel can be established between the firewall and the DC -- it does not require that you use LDAP authentication for client authentication to the firewall.
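Tom's point is that the password-change path only needs an LDAPS channel from the firewall to the DC, so the first thing to verify is whether the DC answers on port 636 with a certificate the ISA box trusts. The script below is an added example, not something posted in this thread or shipped by Microsoft: run on the ISA server, it opens a TLS session to the DC, prints the certificate the DC presents (subject, issuer, validity, SAN, EKU) and reports the trust verdict of the machine it runs on. $DcFqdn is an assumed placeholder for your own DC's name.

```powershell
# Added example (not from this thread): check that a DC answers on LDAPS (636)
# with a certificate the ISA box will accept. Run it on the ISA server, because
# the trust decision that matters is the one made by that machine's CA store.
# $DcFqdn is an assumed placeholder; replace it with your DC's real FQDN.
param(
    [string]$DcFqdn = "dc01.corp.example.com",
    [int]$Port = 636
)

$policyResult = $null
# Record the name/chain validation outcome instead of failing the handshake,
# so the script can report it. Diagnostics only: a real client must never
# accept a certificate unconditionally like this.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $sslPolicyErrors)
    $script:policyResult = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DcFqdn, $Port)
} catch {
    "TCP connect to ${DcFqdn}:$Port failed: $($_.Exception.Message)"
    "Nothing is listening on LDAPS; the DC has no usable server certificate yet."
    return
}

$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # Passing the FQDN as target host makes .NET check it against the CN/SAN.
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Subject      : $($cert.Subject)"
    "Issuer       : $($cert.Issuer)"
    "Valid        : $($cert.NotBefore) -> $($cert.NotAfter)"
    "Expired      : $($cert.NotAfter -lt (Get-Date))"
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) { "SAN          : $($san.Format($false))" }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($eku) { "EKU          : $($eku.Format($false))" }
    # 'None' means this machine trusts the issuing CA and the name matches the DC.
    # 'RemoteCertificateChainErrors' usually means the CA cert is not installed here.
    "Chain status : $script:policyResult"
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

A DC only binds LDAPS once it holds a certificate with the Server Authentication EKU whose name matches the FQDN clients use, so a connection refusal or a name mismatch here points at the certificate enrollment rather than at ISA.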