Active Directory users aren’t able to update their password via SonicWall NetExtender

This seems to be a problem for a lot of people on the ‘net so I figured I’d document it here.

First, we need to make sure LDAP authentication is set up properly; take a look at the following screenshots (this assumes that you’ve already created a separate account for binding to the AD/LDAP database… in my examples below, this account is referred to as the “ldap bind” account.)

Security Settings (from https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5097)

Make sure to select ‘LDAP’ and not ‘LDAP + Local Users’.

Use the "display name" of the user account that you'd like to use for binding to the Active Directory server. Make sure that this account does NOT have Administrative privileges.

Click “Import user groups” and select the group that contains the users who should be granted SSLVPN access. Then set that group as the “Default LDAP User Group”. I usually create a separate group for this purpose.

This is where you'll configure the locations of the OUs that contain Groups and Users who will have SSLVPN access.

Once you’ve done all of that, you’ll need to delegate the ability to change user passwords to your “ldap bind” account. This “sandboxes” the account; i.e., it allows the account to be able to change passwords without requiring administrative privileges. This way, the account only has the exact level of privilege it needs to do its job. Active Directory will allow you to use the Delegate Control wizard to delegate the Reset user passwords and force change at next logon task, but depending on which version of Windows Server you are running, this might not work as expected. In order to provide an LDAP Bind user with the ability to authenticate users and change passwords via NetExtender and Virtual Office, you can instead delegate access in the following manner:

  1. In Active Directory Users and Computers, right-click on the desired OU and select Delegate Control.
  2. Click Next.
  3. Click Add.
  4. Select a user or group, then click OK.
  5. Click Next.
  6. Select Create a custom task to delegate, and then click Next.
  7. Click Only the following objects in the folder, click to select the User objects check box, and then click Next.
  8. Click to select the General and the Property-specific check boxes.
  9. Click to select the Reset Password, Read pwdLastSet, and Write pwdLastSet check boxes in the Permissions box.
  10. Click Next, and then click Finish.

If for some reason it’s still not working, ensure that User objects are configured to Include inheritable permissions from this object’s parent, from the Advanced Security Settings page on each user object that needs to be able to update their password via NetExtender and/or Virtual Office. Note: You must have Advanced Features enabled in the view from within ADUC in order to see this page. To enable it, navigate to View and select Advanced Features. Now you’ll be able to see the Security tab of any Organizational Unit or Object.

Advanced Security Settings for [user object]

If you delegated the ability to change/reset passwords to your ldap bind account on the parent container of the target user objects, then each child user object must have this option selected. Alternatively, you could add the ldap bind account to the security settings on each user, manually.
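As an added example (not from the original post), the PowerShell below applies the same rights the Delegate Control steps above produce, scoped to user objects under an OU, and then audits that OU for user objects that block inheritance (the “Include inheritable permissions” problem described above). The account name CORP\svc-ldap-bind and the OU distinguished name are placeholders; it assumes the RSAT ActiveDirectory module and an account allowed to modify the OU’s ACL.

```powershell
# Delegates Reset Password + Read/Write pwdLastSet to the LDAP bind account on
# user objects under an OU, then flags users whose ACL blocks inheritance.
# Placeholders (assumptions, not from the original post): account and OU names.
Import-Module ActiveDirectory

$BindAccount = 'CORP\svc-ldap-bind'                    # placeholder
$TargetOU    = 'OU=VPN Users,DC=corp,DC=example'       # placeholder

# Well-known schemaIDGUID / rightsGuid values; identical in every AD forest.
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$sid = (New-Object System.Security.Principal.NTAccount($BindAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$TargetOU"

# "Only the following objects in the folder" -> User objects:
# apply to descendants, restricted to the user class via InheritedObjectType.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

$rules = @(
    # Step 9: Reset Password (extended right)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::ExtendedRight,  $allow, $ResetPasswordGuid, $inherit, $UserClassGuid),
    # Step 9: Read pwdLastSet / Write pwdLastSet (property-specific)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::ReadProperty,   $allow, $PwdLastSetGuid,    $inherit, $UserClassGuid),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::WriteProperty,  $allow, $PwdLastSetGuid,    $inherit, $UserClassGuid)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Audit: a user object with inheritance disabled never receives the rights
# delegated on the parent OU, so the password change silently fails for it.
Get-ADUser -SearchBase $TargetOU -Filter * | ForEach-Object {
    $userAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    if ($userAcl.AreAccessRulesProtected) {
        Write-Warning "Inheritance blocked on $($_.DistinguishedName); delegated rights do not apply"
    }
}
```

Review the OU’s Security tab afterwards: the bind account should show only the three entries above, and nothing broader such as Full Control or Write all properties.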

References:

http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5097