How does your company handle this issue?


Fred Yarbrough

BACKGROUND
We are migrating to a Windows 2003 AD domain with password changes required
every 90 days. In the past we did not require password changes, and our
"road warriors'" laptops belonged to our domain. They used cached credentials
when they were not connected to our network. Things worked fine for the
most part.

PROBLEM
Now that we are requiring password changes, our remote users (Windows 2000
Pro and XP Pro) log into their laptops using the cached domain credentials
and then connect to our company via VPN and dialup. On the connection
attempt, they are forced to change the password for their AD domain
account. They can successfully change their AD domain password, but this
DOES NOT change the cached password that the system has. When they
disconnect from our network and try to log in to their laptops using the
cached domain password, they must enter their old password. Our
workaround has been for the user to connect to us and then do a CTRL ALT
DELETE and perform a change password from there. This resets both the cached
password and the domain password and works. We want to implement a policy
that passwords cannot be changed for 2 days after they are set, to keep people
from rolling their passwords back to the old one. This solution is not
acceptable for us.

We are considering making all of our laptops non-domain members. Users will
simply log in to the local machine. They will still have to log in to the
domain when they attempt to connect, but they can choose whether to keep
their local and domain accounts synchronized or not.

Thanks,
Fred
 

Chriss3

Hello Fred,
Do the users log on to the computer using cached domain credentials, or do they
connect the VPN during the logon? I think it will change the cached domain
credentials as well if you do it that way.
 

Fred Yarbrough

Christoffer,
Thanks for the reply. Our users normally just log in to the laptops
using the cached domain credentials. They then establish a VPN connection
into our Cisco VPN concentrator. If their password has expired, the VPN
client prompts them to change their password. They can successfully change
the password, but the laptop's password cache is not being updated. This
same thing happens with our dialup system. I am going to call Microsoft on
this issue. I will post the results back here.

Thanks,
Fred
 

Fred Yarbrough

Here is the resolution....


*** Problem Description ***

Remote users use Cisco VPN to access the domain.

Remote users log on to computers with a cached logon.

They make the VPN connection with the Cisco VPN client.

The RADIUS server supports triggering of password changes that are mandated on the domain.

The Cisco VPN client prompts users to change their password for the domain. The password on the domain gets updated, but not the local cached creds.



*** Resolution *** Dec 10 2003 2:14PM

Workaround to this issue

Cisco VPN remote users get prompted for a password change via the Cisco GINA.

The Cisco GINA does not properly update the cached creds on the local computer.

Workaround for the customer is to change the password at the prompt, lock the workstation and then unlock with the new password.

This triggers the Microsoft GINA, which contacts the DC and creates a secure channel that allows the GINA to properly update the local creds on the local computer.

Customer should contact Cisco to correct Cisco's GINA behavior. The Cisco GINA should be able to trigger the proper API to force the computer to contact the DC and update local cached creds, without using the workaround workstation lock.



Fred
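The Microsoft workaround above, as an added example that is not part of the thread and not Microsoft or Cisco tooling: a PowerShell snippet that reads the Winlogon registry values governing this behaviour (GinaDLL, which is only present when a third-party GINA such as Cisco's has replaced msgina.dll, and CachedLogonsCount, which controls how many domain logons are cached for offline use) and then locks the workstation so that unlocking with the new password refreshes the cached credentials. PowerShell did not exist when this thread was written, so the snippet assumes a later XP/2003-era machine that still uses a GINA; Windows Vista and later replaced GINAs with credential providers and have no GinaDLL value. The registry path and value names are the documented Winlogon ones; the decision logic around them is this example's own.

```powershell
# Added example, not from the thread: inspect the Winlogon settings behind the
# cached-credential problem, then trigger the Microsoft workaround (lock the
# workstation so the built-in GINA re-validates against the DC and refreshes
# the cached credentials). Assumes an XP/2003-era machine with a GINA.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon

# GinaDLL exists only when a third-party GINA replaced msgina.dll.
$gina = if ($props.PSObject.Properties['GinaDLL']) {
    $props.GinaDLL
} else {
    'msgina.dll (default)'
}

# CachedLogonsCount is stored as REG_SZ; default is 10, 0 disables caching.
$cached = if ($props.PSObject.Properties['CachedLogonsCount']) {
    [int]$props.CachedLogonsCount
} else {
    10
}

Write-Host "GINA in use:        $gina"
Write-Host "Cached logons kept: $cached"

if ($cached -eq 0) {
    Write-Warning 'Cached logons are disabled; offline domain logon will fail regardless of the GINA.'
}

# Thread workaround: after changing the password over the VPN, lock the
# workstation and unlock with the NEW password. LockWorkStation() needs an
# interactive desktop, so run this from the logged-on user's session, not a
# service or remote shell. The argument is quoted so PowerShell does not
# split "user32.dll,LockWorkStation" into two arguments at the comma.
if ($gina -notlike '*msgina*') {
    Write-Host 'Third-party GINA detected; locking so the unlock refreshes cached credentials...'
    rundll32.exe 'user32.dll,LockWorkStation'
} else {
    Write-Host 'Default Microsoft GINA in use; a normal lock/unlock or CTRL+ALT+DEL password change already updates the cache.'
}
```

Run it on the laptop after the VPN client reports the password change succeeded, then unlock with the new password; if the laptop still only accepts the old password offline, the unlock did not reach a DC (no secure channel), and the cache was not refreshed.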
 
