-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
GVC and NetExtender Users are Unable to Change Expired LDAP/Active Directory Passwords
05/29/2020 
170 People found this article helpful
483,279 Views
Description
When an LDAP Global VPN Client (GVC) or Netextender (NX) User tries to connect with an expired password, GVC pops-up a window prompting the User to enter a new password. After entering a new password, the User is unable to authenticate with the new password or the User will be prompted to update their password again upon each login attempt.
Resolution
This issue is seen in LDAP or Active Directory configurations where the Server doesn't support MS-CHAPv2 or MS-CHAPv2 is not enabled on the SonicWall. Windows Server 2012 R2 and 2016 both support MS-CHAPv2, older versions of Microsoft Server should be updated to at least Server 2012 R2 if this functionality is required. For other Server Operating System solutions please refer to the manufacturer documentation for their support of MS-CHAPv2.
For deployments that cannot use MS-CHAPv2 over LDAP there is the option of running LDAP alongside RADIUS, with RADIUS being used for password updates only. That configuration is provided below as an optional resolution.
Enabling Users to reset their password over GVC/NX also requires that LDAP use TLS for secure communication. TLS functionality requires the use of a Trusted Certificate on the SonicWall, you can find more information about setting up TLS with LDAP in the following Knowledge Base Article: Configuring Active Directory/LDAP over TLS (Certificate).
Forcing the SonicWall to use MS-CHAPv2 for LDAP Queries
1. On the SonicWall GUI go to User | Settings | Configure RADIUS.
2. On the RADIUS Configuration pop-up window make sure you're on General Settings Tab and check the box for "Force MS-CHAPv2 mode".
Using RADIUS or LDAP + RADIUS for MS-CHAPv2
If RADIUS is configured, or LDAP is configured alongside RADIUS under User|Settings, the option "Use RADIUS in MS-CHAP / MS-CHAPv2 mode for XAUTH" can be selected under the VPN|Advanced page. In such a configuration, password updates for GVC/NX Users will be done via RADIUS in MS-CHAP or MS-CHAPv2 mode while using LDAP to authenticate the user.
For more information on configuring RADIUS with the SonicWall please reference How to Setup RADIUS Authentication on the SonicWall.
The option "Use RADIUS in MSCHAP/MSCHAPv2 mode" is located on VPN | Advanced and is only available when a RADIUS server has been configured on the Users | Settings page.
Related Articles
- How to setup Active/Standby High Availability on NSSP 13700 appliances?
- How to Create URI List Objects/Groups on SonicOSX 7?
- How to block Hotspot Shield proxy/VPN using Advanced Application Control
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO