05-19-2008 08:18 AM
Originally my SA-4000 was running 5.3 code and password management worked. Upgraded to 5.5 OS and the login banner for password expiration stopped working (among other things) but users could still change their password under preferences.
In order to fix a network connect issue with 5.5, I upgraded to 6.1R2-1 (latest version). It seems to have restored my Password Expiration warning (still hasn't fixed my NC issue), but now it refuses to let the users change their password. So now when a user logs in and it says "Password Expired, you must change it" it won't let them. It just tells them "Could not change password".
I'm using LDAPS, the certs on my Auth servers are valid, and my CA is trusted by the IVE.
I'm not sure what else to do at this point.
05-20-2008 06:07 PM
Not sure if this is a bug in 6.1R2-1, but here is a URL that may help you troubleshoot this issue. If this doesn't help, you may want to contact the TAC and have them help debug your issue.
05-22-2008 08:33 AM - edited 07-07-2008 01:33 PM
Seems that the IVE OS's are full of bugs. Every time I have one, the solution from Juniper is always to upgrade to another version. Then, it might fix it (most of the time it doesn't), and it breaks something else. I've had a case open with JTAC over Network Connect issues for almost a year and have upgraded and rolled back over 5 times to try and fix it. Started when I went to 5.3 and hasn't been right since.
Currently I am at 6.0R5.
05-28-2008 07:20 PM
06-04-2008 07:57 AM
06-06-2008 12:48 PM
Gentlemen, thanks for the info. I've always used the Administrator for the domain. It was set up like that by my predecessor.
I even tried other accounts, domain admins, users etc. No joy.
It worked in 5.5. Config didn't change between upgrades.
07-07-2008 01:27 PM
This has been fixed.
Basically in the auth server it had SamAccountname=<USERNAME> for authentication and 6.0R5 doesn't like that.
JTAC had me change it to SamAccountname=<USER> and voila! Problem fixed.