Expired password change through VPN failure

Posted by Tim Alexander on Server Fault See other posts from Server Fault or by Tim Alexander
Published on 2013-08-01T12:36:45Z Indexed on 2013/08/02 15:41 UTC
Read the original article Hit count: 321

Filed under:
|
|
|

I am setting up some new accounts to be used by some contractors. they are going to connect via VPN to our network. My requirement is to set the password initially and then have them change it the first time they log in. As a result the "User must Change Password" box is checked.

Loading up a laptop and testing has yielded poor results. When logging in I get a notification that the password has expired and a box to fill in, which I do. it then appears again so I dutifully fill in the password details again. I am then presented with a "Sending Password...." error box with Error:619 listed as the reason. Trying to reconnect then gives a 691 error that the password is bad.

From the firewall, that is the actualy VPN server, I can see RAD_ACCESS_DENIED and from the DC running NPS (acting as a RADIUS server for the firewall with MS-CHAP-v2 enabled with the "User can change password after it has expired" checked) I cannot see a request to change the password. I can only see Event ID 4776, 4625 and 6273 (reason 16).

I can log in with out the change password flag fine so I know logins are being authenticated. Really hoping someone might be able to assist in tracking down the lack of password change processin gon the DC.

© Server Fault or respective owner

Related posts about windows-server-2008-r2

Related posts about vpn