472 Views 6 Replies Latest reply: Sep 17, 2013 8:34 AM by uzanatta
uzanatta Apprentice 88 posts since
Oct 17, 2012

Sep 12, 2013 4:09 AM

Password expired on AD/LDAP accounts

Hi,

Did you experience an issue with expired passwords on external login accounts?

It seems that it is following the standard account policy and not the AD/LDAP server policies.

Once you log on, the form for changing the password appears. Obviously you can't change the password there, but you can't log on anymore either.

Any feedback is appreciated.

Thank you.

  • acommons Newcomer 35 posts since
    Jul 16, 2013
    1. Sep 16, 2013 5:17 PM (in response to uzanatta)
    Re: Password expired on AD/LDAP accounts

    We had a similar experience where the local password complexity policy was applied to AD/LDAP accounts. This caused the ESM to try to force a password change at login because the entered password did not meet the requirements (we made the local policy very stringent). We had to change the password policy to match the AD/LDAP policy to get it sane again.

     

    cheers,

    Andrew

  • acommons Newcomer 35 posts since
    Jul 16, 2013
    3. Sep 17, 2013 3:30 AM (in response to uzanatta)
    Re: Password expired on AD/LDAP accounts

    We used the supplied default ESM account (we renamed it and I can't remember what the original name was; it's a super user) to set the policy on the ESM to be the same as the AD/LDAP policy. We didn't try to change passwords and complete the login when prompted by the ESM; we just aborted the login and fixed what we thought was the problem. We were lucky we got it right.

    In your case I suspect you need to make the password lifetime greater than the AD/LDAP lifetime or turn off password lifetime completely for the ESM policy.

     

    We are seeing a few odd things around account management with AD/LDAP accounts in the ESM, when I get some time I'll document them and share with the community.

     

    Cheers,

    Andrew
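
    The behaviour described in this reply and in the one above (local lifetime and complexity rules being evaluated against directory-backed accounts, and the relaxed-policy workaround) modelled as an added example. This is constructed code for the thread, not McAfee ESM code: the account records, the two policies, the FakeDirectory class and the user names are assumptions, and the "buggy" login path only reproduces the symptom the posters report.

```python
"""Toy login path showing a local password policy wrongly applied to
AD/LDAP accounts, beside the corrected logic.

Everything here is constructed for illustration; it is not ESM code.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Optional, Tuple
import re


class AuthSource(Enum):
    LOCAL = "local"
    LDAP = "ldap"


@dataclass
class PasswordPolicy:
    max_age_days: Optional[int]   # None = lifetime check disabled
    min_length: int
    require_symbol: bool

    def complexity_ok(self, password: str) -> bool:
        if len(password) < self.min_length:
            return False
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            return False
        return True

    def expired(self, last_set: date, today: date) -> bool:
        if self.max_age_days is None:
            return False
        return (today - last_set) > timedelta(days=self.max_age_days)


@dataclass
class Account:
    name: str
    source: AuthSource
    secret: Optional[str]   # local accounts only; plaintext stand-in for a hash
    last_set: date          # date the ESM last saw the password change


class FakeDirectory:
    """Stand-in for the AD/LDAP server (assumed). The directory alone knows
    whether a directory password is valid or expired."""
    def __init__(self, users: Dict[str, Tuple[str, bool]]):
        self._users = users   # name -> (password, expired?)

    def bind(self, name: str, password: str) -> str:
        pw, expired = self._users.get(name, (None, False))
        if pw is None or pw != password:
            return "invalid"
        return "expired" if expired else "ok"


OK, INVALID, CHANGE_REQUIRED, DIRECTORY_EXPIRED = "ok", "invalid", "change_required", "directory_expired"


def login_buggy(acct, password, policy, directory, today):
    """Symptom from the thread: local lifetime/complexity rules run for every
    account, so an LDAP user lands on a change-password form the ESM cannot
    honour and is effectively locked out."""
    if acct.source is AuthSource.LDAP:
        if directory.bind(acct.name, password) != "ok":
            return INVALID
    elif acct.secret != password:
        return INVALID
    if policy.expired(acct.last_set, today) or not policy.complexity_ok(password):
        return CHANGE_REQUIRED          # wrong for LDAP: nothing here can change it
    return OK


def login_fixed(acct, password, policy, directory, today):
    """Local policy only governs local accounts; directory accounts get the
    directory's verdict, and an expired directory password is reported as
    such rather than routed to the local change form."""
    if acct.source is AuthSource.LDAP:
        result = directory.bind(acct.name, password)
        if result == "expired":
            return DIRECTORY_EXPIRED
        return OK if result == "ok" else INVALID
    if acct.secret != password:
        return INVALID
    if policy.expired(acct.last_set, today) or not policy.complexity_ok(password):
        return CHANGE_REQUIRED
    return OK


# Constructed scenario: a strict local policy (30 days, 12 chars, symbol) next to
# a relaxed one like the workaround in the thread (no lifetime, looser rules).
TODAY = date(2013, 9, 12)
ESM_STRICT = PasswordPolicy(max_age_days=30, min_length=12, require_symbol=True)
ESM_RELAXED = PasswordPolicy(max_age_days=None, min_length=8, require_symbol=False)
DIRECTORY = FakeDirectory({"umberto": ("Winter2013", False), "expired_ldap": ("Spring2013", True)})
ACCOUNTS = {
    "umberto": (Account("umberto", AuthSource.LDAP, None, TODAY - timedelta(days=45)), "Winter2013"),
    "expired_ldap": (Account("expired_ldap", AuthSource.LDAP, None, TODAY - timedelta(days=10)), "Spring2013"),
    "localadmin": (Account("localadmin", AuthSource.LOCAL, "Passw0rd!2013", TODAY - timedelta(days=60)), "Passw0rd!2013"),
}


def run(login, policy):
    """Outcome of each constructed account under the given login path and policy."""
    return {name: login(acct, pw, policy, DIRECTORY, TODAY) for name, (acct, pw) in ACCOUNTS.items()}


if __name__ == "__main__":
    for label, policy in (("strict", ESM_STRICT), ("relaxed", ESM_RELAXED)):
        print(label, "buggy:", run(login_buggy, policy))
        print(label, "fixed:", run(login_fixed, policy))
```

    Under the strict policy the buggy path sends the valid LDAP user to the change form (the password is 45 days old and fails the local complexity rule), while the fixed path lets the directory decide and only the local admin, whose password really is 60 days old, is asked to change it. Relaxing the local policy, as Andrew did, makes the buggy path pass the LDAP user too, which is why matching or disabling the ESM lifetime works as a stopgap.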

  • acommons Newcomer 35 posts since
    Jul 16, 2013
    5. Sep 17, 2013 5:27 AM (in response to uzanatta)
    Re: Password expired on AD/LDAP accounts

    Hi Umberto,

     

    Make sure you share your results with us.

     

    In your scenario I suspect you will need to have perfect two way synchronisation between the SIEM and AD/LDAP because the system on which the password change is forced cannot be controlled.

     

    I will check out the hotfix if it is generally available and see what else it might fix, thanks for the heads up.

     

    cheers,

    Andrew
