Implementing Windows domain user password changes in Juniper SSL VPN

Composed by fzhongjie
The setup is shown in the following diagram.
Versions used

AAA Server: Windows 2003 R2 SP2 Eng
SA4000: 6.0R3
My PC: Windows XP SP2 with IE6 SP2
Setting up Windows 2003

After installing Windows, promote the server to a domain controller.
Install the Certificate Services component. The SA switches to LDAPS for Active Directory password changes, so the domain controller needs a server certificate whose CN matches its hostname (see the Help excerpt below).
Open TCP 636 (LDAPS) and TCP 389 (LDAP) on the Windows Firewall.
Open the Domain Security Policy editor and modify the password policy.
For this lab, set "Enforce password history" to 0 passwords remembered. This disables reuse checking, so a user may change back to a previously used password; the previous password stops working after any change regardless of this setting. Keep a non-zero history in production.
Set "Minimum password age" to 0 so that users can change their password immediately; with a non-zero value the SA refuses a change until that age has elapsed.
Configure the rest as required.
After the changes, restart the domain controller so the new policy takes effect (or run gpupdate /force and allow for the propagation delay described in the Help excerpt below).
In the experiment I also added an administrator account.
The account's Display name is Zhongjie Fan; it is a member of the Administrators group and sits in the asia-link OU.
Juniper SA configuration

Create an LDAP authentication server.
Create a role, a realm and the role mapping.
Confirm that password management is enabled for the realm.
Test

In the end-user interface, test whether the user's password can be changed.
If users must change their password at first logon, set the corresponding option ("User must change password at next logon") on the account in Active Directory Users and Computers. This sets pwdLastSet to 0, which is the condition listed for Active Directory in Table 7 below.
References

IVE 6.0 Help:
Authentication and directory servers > Configuring an LDAP server instance > Enabling LDAP password management

Enabling LDAP password management
The IVE password management feature enables users who authenticate through an LDAP server to manage their passwords through the IVE using the policies defined on the LDAP server. For example, if a user tries to sign in to the IVE with an LDAP password that is about to expire, the IVE catches the expired password notification, presents it to the user through the IVE interface, and then passes the user's response back to the LDAP server without requiring the user to sign in to the LDAP server separately.

Users, administrators, and help desk administrators who work in environments where passwords have set expiration times may find the password management feature very helpful. When users are not properly informed that their passwords are about to expire, they can change them themselves through the IVE rather than calling the Help Desk.

The password management feature enables users to change their passwords when prompted or at will. For example, during the sign-in process, the IVE may inform the user that his password is expired or about to expire. If expired, the IVE prompts the user to change his password. If the password has not expired, the IVE may allow the user to sign in to the IVE using his existing password. After he has signed in, he may change his password from the Preferences page.
Once enabled, the IVE performs a series of queries to determine user account information, such as when the user's password was last set, if his account is expired, and so forth. The IVE does this by using its internal LDAP or Samba client. Many servers, such as Microsoft Active Directory or Sun iPlanet, offer an Administrative Console to configure account and password options.

This section includes the following topics with information about the LDAP password management feature:
∙ Task summary: Enabling LDAP password management
∙ Supported LDAP directories and servers
∙ Supported LDAP password management functions

Task summary: Enabling LDAP password management

To enable password management through the IVE, you must:
1. Install a UPG-Password Management Integration license or the Advanced license through the System > Configuration > Licensing page of the admin console.
2. Create an instance of the LDAP server through the Authentication > Auth. Servers page of the admin console.
3. Associate the LDAP server with a realm through the Administrators/Users > User Realms > [Realm] > General page of the admin console.
4. Enable password management for the realm in the Administrators/Users > User Realms > [Realm] > Authentication Policy > Password page of the admin console. Note that the Enable Password Management option only appears if the realm's authentication server is an LDAP or NT/AD server.
Supported LDAP directories and servers

The IVE supports password management with the following LDAP directories:
∙ Microsoft Active Directory/Windows NT
∙ Sun iPlanet
∙ Novell eDirectory
∙ Generic LDAP directories, such as IBM Secure Directory and OpenLDAP

Additionally, the IVE supports password management with the following Windows servers:
∙ Microsoft Active Directory
∙ Microsoft Active Directory 2003
∙ Windows NT 4.0

The following sections list specific issues related to individual server types.
Microsoft Active Directory

∙ Changes on the Active Directory domain security policy may take 5 minutes or more to propagate among Active Directory domain controllers. Additionally, this information does not propagate to the domain controller on which it was originally configured for the same time period. This is a limitation of Active Directory.
∙ When changing passwords in Active Directory using LDAP, the IVE automatically switches to LDAPS, even if LDAPS is not the configured LDAP method. To support LDAPS on the Active Directory server, you must install a valid SSL certificate into the server's personal certificate store. Note that the certificate must be signed by a trusted CA and the CN in the certificate's Subject field must contain the exact hostname of the Active Directory server, for example:
To install the certificate, select the Certificates Snap-In in the Microsoft Management Console (MMC).
∙ The Account Expires option in the User Account Properties tab only changes when the account expires, not when the password expires. As explained in Supported LDAP password management functions, Microsoft Active Directory calculates the password expiration using the Maximum Password Age and Password Last Set values retrieved from the User Policy and Domain Security Policy LDAP objects.
Sun iPlanet

When you select the User must change password after reset option on the iPlanet server, you must also reset the user's password before this function takes effect. This is a limitation of iPlanet.

General

The IVE only displays a warning about password expiry if the password is scheduled to expire in 14 days or less. The IVE displays the message during each IVE sign in attempt. The warning message contains the remaining number of days, hours, and minutes that the user has to change his password before it expires on the server. The default value is 14 days; however, you may change it through the Administrators|Users > Admin Realms|User Realms > Authorization > Password configuration page of the admin console.
Supported LDAP password management functions

The following matrix describes the password management functions supported by Juniper Networks, their corresponding function names in the individual LDAP directories, and any additional relevant details. These functions must be set through the LDAP server itself before the IVE can pass the corresponding messages, functions, and restrictions to end-users. When authenticating against a generic LDAP server, such as IBM Secure Directory, the IVE only supports authentication and allowing users to change their passwords.
Table 7: Supported password management functions
(columns: Active Directory, iPlanet, Novell eDirectory, Generic; rows marked "not supported" for Generic follow from the note above that generic LDAP servers get authentication and password change only)

Function: Authenticate user
    Active Directory: unicodePwd
    iPlanet: userPassword
    Novell eDirectory: userPassword
    Generic: userPassword

Function: Allow user to change password if licensed and if enabled
    Active Directory: Server tells us in bind response (uses ntSecurityDescriptor)
    iPlanet: If passwordChange == ON
    Novell eDirectory: If passwordAllowChange == TRUE
    Generic: Yes

Function: Logout user after password change
    Active Directory: Yes
    iPlanet: Yes
    Novell eDirectory: Yes
    Generic: Yes

Function: Force password change at next login
    Active Directory: If pwdLastSet == 0
    iPlanet: If passwordMustChange == ON
    Novell eDirectory: If pwdMustChange == TRUE
    Generic: not supported

Function: Password expired notification
    Active Directory: userAccountControl == 0x80000
    iPlanet: If Bind Response includes OID 2.16.840.1.113730.3.4.4 == 0
    Novell eDirectory: Check date/time value in passwordExpirationTime
    Generic: not supported

Function: Password expiration notification (in X days/hours)
    Active Directory: if pwdLastSet - now() (maxPwdAge is read from domain attributes); IVE displays warning if less than 14 days
    iPlanet: If Bind Response includes control OID 2.16.840.1.113730.3.4.5 (contains date/time); IVE displays warning if less than 14 days
    Novell eDirectory: If now() - passwordExpirationTime < 14 days; IVE displays warning if less than 14 days
    Generic: not supported

Function: Disallow authentication if account disabled/locked
    Active Directory: userAccountControl == 0x2 (Disabled); accountExpires; userAccountControl == 0x10 (Locked); lockoutTime
    iPlanet: Bind Error Code 53 "Account Inactivated"; Bind Error Code 19 "Exceed Password Retry Limit"
    Novell eDirectory: Bind Error Code 53 "Account Expired"; Bind Error Code 53 "Login Lockout"
    Generic: not supported

Function: Honor "password history"
    Active Directory: Server tells us in bind response
    iPlanet: Server tells us in bind response
    Novell eDirectory: Server tells us in bind response
    Generic: not supported

Function: Enforce "minimum password length"
    Active Directory: If set, IVE displays message telling user minPwdLength
    iPlanet: If set, IVE displays message telling user passwordMinLength
    Novell eDirectory: If set, IVE displays message telling user passwordMinimumLength
    Generic: not supported

Function: Disallow user from changing password too soon
    Active Directory: If pwdLastSet - now()
    iPlanet: If passwordMinAge > 0, then if now() is earlier than passwordAllowChangeTime, then we disallow
    Novell eDirectory: Server tells us in bind response
    Generic: not supported

Function: Honor "password complexity"
    Active Directory: If pwdProperties == 0x1, then enabled. Complexity means the new password does not contain username, first or last name, and must contain characters from 3 of the following 4 categories: English uppercase, English lowercase, Digits, and Non-alphabetic characters (ex. !, $, %)
    iPlanet: Server tells us in bind response
    Novell eDirectory: Server tells us in bind response
    Generic: not supported
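The following is an added example, not code from the original write-up or from the Juniper Help. It models offline the Active Directory checks listed in Table 7 together with the policy settings from the Windows 2003 section above: how pwdLastSet and the domain's maxPwdAge and minPwdAge give the expiry date, the 14-day warning and the "too soon to change" decision, how pwdLastSet == 0 forces a change at next logon, how minPwdLength and the pwdProperties complexity rule are applied, and how a self-service change is encoded as a unicodePwd modify, the operation the Help says the IVE performs over LDAPS. The account name zfan, the policy values and the timestamps are constructed; the display name is the one used in the write-up. Expiry is derived from pwdLastSet + maxPwdAge rather than from the userAccountControl value 0x80000 quoted in the table: Microsoft defines the password-expired flag as 0x800000 and exposes it only through the computed attribute msDS-User-Account-Control-Computed, not in userAccountControl itself, so that bit is not something to rely on when reading the user object.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000              # 100 ns ticks in one day
NEVER_EXPIRES = -0x8000000000000000          # maxPwdAge value meaning "never"
NO_ACCOUNT_EXPIRY = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
UF_ACCOUNTDISABLE, UF_LOCKOUT = 0x2, 0x10    # userAccountControl bits named in Table 7
UF_DONT_EXPIRE_PASSWD = 0x10000              # per-user override, not listed in Table 7
DOMAIN_PASSWORD_COMPLEX = 0x1                # pwdProperties bit
WARN_WINDOW = timedelta(days=14)             # IVE default expiry warning window

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def age_interval(ticks):
    """maxPwdAge and minPwdAge are stored as negative 100 ns intervals."""
    return timedelta(microseconds=(-ticks) // 10)

def evaluate(user, domain, now):
    """Decisions the SA would reach for `user` at `now` (Table 7, AD column)."""
    uac = user["userAccountControl"]
    r = {"deny": None, "must_change": False, "expired": False,
         "warn": None, "can_change_now": True}
    if uac & UF_ACCOUNTDISABLE:
        r["deny"] = "account disabled"
    elif uac & UF_LOCKOUT or user.get("lockoutTime", 0):
        r["deny"] = "account locked"      # AD itself also honours lockoutDuration
    elif (user["accountExpires"] not in NO_ACCOUNT_EXPIRY
          and filetime_to_datetime(user["accountExpires"]) <= now):
        r["deny"] = "account expired"
    if user["pwdLastSet"] == 0:           # "User must change password at next logon"
        r["must_change"] = True
        return r
    last_set = filetime_to_datetime(user["pwdLastSet"])
    # Expiry is pwdLastSet + maxPwdAge (the table's "expiration notification" row), not a UAC bit.
    if domain["maxPwdAge"] != NEVER_EXPIRES and not uac & UF_DONT_EXPIRE_PASSWD:
        expires = last_set + age_interval(domain["maxPwdAge"])
        if expires <= now:
            r["expired"] = True
        elif expires - now <= WARN_WINDOW:
            r["warn"] = expires - now
    # A non-zero minPwdAge blocks a self-service change until it has elapsed.
    r["can_change_now"] = now >= last_set + age_interval(domain["minPwdAge"])
    return r

def complexity_ok(password, user, domain):
    """minPwdLength plus the pwdProperties complexity rule quoted in Table 7."""
    if len(password) < domain["minPwdLength"]:
        return False, "shorter than minPwdLength"
    if not domain["pwdProperties"] & DOMAIN_PASSWORD_COMPLEX:
        return True, "complexity not enforced"
    lowered = password.lower()
    if user["sAMAccountName"].lower() in lowered:
        return False, "contains account name"
    for token in re.split(r"[,.\-_ #\t]", user["displayName"]):
        if len(token) >= 3 and token.lower() in lowered:
            return False, "contains part of display name"
    categories = (any(c.isupper() for c in password), any(c.islower() for c in password),
                  any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(categories) < 3:
        return False, "fewer than 3 of 4 character categories"
    return True, "ok"

def unicode_pwd(password):
    """AD wants unicodePwd as the password in double quotes, UTF-16LE encoded."""
    return ('"' + password + '"').encode("utf-16-le")

def change_password_modlist(old, new):
    """A self-service change is one LDAP modify: delete the old value, add the new.
    AD accepts it only on an encrypted connection, which is why the Help says the
    IVE switches to LDAPS for this operation."""
    return [("delete", "unicodePwd", [unicode_pwd(old)]),
            ("add", "unicodePwd", [unicode_pwd(new)])]

# Constructed sample data (policy values and account name assumed; display name from the write-up).
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)
DOMAIN = {"maxPwdAge": -42 * TICKS_PER_DAY, "minPwdAge": -1 * TICKS_PER_DAY,
          "minPwdLength": 7, "pwdProperties": DOMAIN_PASSWORD_COMPLEX}

def sample_user(days_since_set, uac=0x200, **extra):
    """NORMAL_ACCOUNT whose password was set `days_since_set` days ago (None = never)."""
    user = {"sAMAccountName": "zfan", "displayName": "Zhongjie Fan",
            "userAccountControl": uac, "accountExpires": 0, "lockoutTime": 0,
            "pwdLastSet": 0 if days_since_set is None
            else datetime_to_filetime(NOW - timedelta(days=days_since_set))}
    user.update(extra)
    return user

if __name__ == "__main__":
    for days in (30, None, 50, 0):
        print(days, evaluate(sample_user(days), DOMAIN, NOW))
    print(complexity_ok("Summer2008!", sample_user(30), DOMAIN))
```

With the 42-day maxPwdAge and the 1-day minPwdAge assumed here, the user whose password was set 30 days ago gets the 12-day warning and may change at once, the one who changed today is refused for "changing too soon" (which is why the write-up sets Minimum password age to 0 for the lab), and the account with pwdLastSet == 0 is forced to change before anything else is evaluated.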
AD/NT Password Management Matrix

The following matrix describes the Password Management functions supported by Juniper Networks.

Table 8: AD/NT Password Management Matrix
(columns: Active Directory, Active Directory 2003, Windows NT)

Function: Authenticate user