在Juniper SSL VPN中实现更改windows域用户的密码.docx

资源描述

在Juniper SSL VPN中实现更改windows域用户的密码.docx

《在Juniper SSL VPN中实现更改windows域用户的密码.docx》由会员分享，可在线阅读，更多相关《在Juniper SSL VPN中实现更改windows域用户的密码.docx（16页珍藏版）》请在冰点文库上搜索。

在Juniper SSL VPN中实现更改windows域用户的密码.docx

在JuniperSSLVPN中实现更改windows域用户的密码

Composedbyfzhongjie

示意图如下

使用的版本

AAAServer

Windows2003R2SP2Eng

SA4000

6.0R3

MyPC

WindowsXPSP2withIE6SP2

设置windows2003

安装完windows后，将系统升级为域控制器。

安装证书服务组件

打开windows防火墙的TCP636端口和TCP389端口

打开域的安全策略管理器，修改密码策略

其中密码历史保存记录最好设为0passwordremembered，这样用户就不能使用旧密码登陆了。

最小的密码有效时间最好设为0，这样用户可以立即修改自己的密码。

其余可以按需设置。

设置完成后，必须重启域控服务器。

在试验中，我另外添加了一个管理员帐号。

帐号的Displayname为ZhongjieFan，隶属于Administrators组，在asia-link的OU中。

JuniperSA的设置

建立一个LDAP认证服务器

建立role，realm和role-mapping

确认realm中的passwordmanagement是否打开

测试

在普通用户界面测试用户密码是否能被修改

如果需要用户在首次登陆时修改密码，可以在windows的活动目录用户和计算机管理器中修改相关属性。

参考

IVE6.0中的Help

Authenticationanddirectoryservers>ConfiguringanLDAPserverinstance>EnablingLDAPpasswordmanagement

EnablingLDAPpasswordmanagement

TheIVEpasswordmanagementfeatureenablesuserswhoauthenticatethroughanLDAPservertomanagetheirpasswordsthroughtheIVEusingthepoliciesdefinedontheLDAPserver.Forexample,ifausertriestosignintotheIVEwithanLDAPpasswordthatisabouttoexpire,theIVEcatchestheexpiredpasswordnotification,presentsittotheuserthroughtheIVEinterface,andthenpassestheuser’sresponsebacktotheLDAPserverwithoutrequiringtheusertosignintotheLDAPserverseparately.

Users,administrators,andhelpdeskadministratorswhoworkinenvironmentswherepasswordshavesetexpirationtimesmayfindthepasswordmanagementfeatureveryhelpful.Whenusersarenotproperlyinformedthattheirpasswordsareabouttoexpire,theycanchangethemthemselvesthroughtheIVEratherthancallingtheHelpDesk.

Thepasswordmanagementfeatureenablesuserstochangetheirpasswordswhenpromptedoratwill.Forexample,duringthesign-inprocess,theIVEmayinformtheuserthathispasswordisexpiredorabouttoexpire.Ifexpired,theIVEpromptstheusertochangehispassword.Ifthepasswordhasnotexpired,theIVEmayallowtheusertosignintotheIVEusinghisexistingpassword.Afterhehassignedin,hemaychangehispasswordfromthePreferencespage.

Onceenabled,theIVEperformsaseriesofqueriestodetermineuseraccountinformation,suchaswhentheuser’spasswordwaslastset,ifhisaccountisexpired,andsoforth.TheIVEdoesthisbyusingitsinternalLDAPorSambaclient.Manyservers,suchasMicrosoftActiveDirectoryorSuniPlanet,offeranAdministrativeConsoletoconfigureaccountandpasswordoptions.

ThissectionincludesthefollowingtopicswithinformationabouttheLDAPpasswordmanagementfeature:

∙Tasksummary:

EnablingLDAPpasswordmanagement

∙SupportedLDAPdirectoriesandservers

∙SupportedLDAPpasswordmanagementfunctions

Tasksummary:

EnablingLDAPpasswordmanagement

ToenablepasswordmanagementthroughtheIVE,youmust:

1.InstallaUPG-PasswordManagementIntegrationlicenseortheAdvancedlicensethroughtheSystem>Configuration>Licensingpageoftheadminconsole.

2.CreateaninstanceoftheLDAPserverthroughtheAuthentication>Auth.Serverspageoftheadminconsole.

3.AssociatetheLDAPserverwitharealmthroughtheAdministrators/Users>UserRealms>[Realm]>Generalpageoftheadminconsole.

4.EnablepasswordmanagementfortherealmintheAdministrators/Users>UserRealms>[Realm]>AuthenticationPolicy>Passwordpageoftheadminconsole.NotethattheEnablePasswordManagementoptiononlyappearsiftherealm’sauthenticationserverisanLDAPorNT/ADserver.

SupportedLDAPdirectoriesandservers

TheIVEsupportspasswordmanagementwiththefollowingLDAPdirectories:

∙MicrosoftActiveDirectory/WindowsNT

∙SuniPlanet

∙NovelleDirectory

∙GenericLDAPdirectories,suchasIBMSecureDirectoryandOpenLDAP

Additionally,theIVEsupportspasswordmanagementwiththefollowingWindowsservers:

∙MicrosoftActiveDirectory

∙MicrosoftActiveDirectory2003

∙WindowsNT4.0

Thefollowingsectionslistspecificissuesrelatedtoindividualservertypes.

MicrosoftActiveDirectory

∙ChangesontheActiveDirectorydomainsecuritypolicymaytake5minutesormoretopropagateamongActiveDirectorydomaincontrollers.Additionally,thisinformationdoesnotpropagatetothedomaincontrolleronwhichitwasoriginallyconfiguredforthesametimeperiod.ThisisalimitationofActiveDirectory.

∙WhenchangingpasswordsinActiveDirectoryusingLDAP,theIVEautomaticallyswitchestoLDAPS,evenifLDAPSisnottheconfiguredLDAPmethod.TosupportLDAPSontheActiveDirectoryserver,youmustinstallavalidSSLcertificateintotheserver’spersonalcertificatestore.NotethatthecertificatemustbesignedbyatrustedCAandtheCNinthecertificate’sSubjectfieldmustcontaintheexacthostnameoftheActiveDirectoryserver,forexample:

.Toinstallthecertificate,selecttheCertificatesSnap-InintheMicrosoftManagementConsole（MMC）.

∙TheAccountExpiresoptionintheUserAccountPropertiestabonlychangeswhentheaccountexpires,notwhenthepasswordexpires.AsexplainedinSupportedLDAPpasswordmanagementfunctions,MicrosoftActiveDirectorycalculatesthepasswordexpirationusingtheMaximumPasswordAgeandPasswordLastSetvaluesretrievedfromtheUserPolicyandDomainSecurityPolicyLDAPobjects.

SuniPlanet

WhenyouselecttheUsermustchangepasswordafterresetoptionontheiPlanetserver,youmustalsoresettheuser’spasswordbeforethisfunctiontakeseffect.ThisisalimitationofiPlanet.

General

TheIVEonlydisplaysawarningaboutpasswordexpiryifthepasswordisscheduledtoexpirein14daysorless.TheIVEdisplaysthemessageduringeachIVEsigninattempt.Thewarningmessagecontainstheremainingnumberofdays,hours,andminutesthattheuserhastochangehispasswordbeforeitexpiresontheserver.Thedefaultvalueis14days;however,youmaychangeitthroughtheAdministrators|Users>AdminRealms|UserRealms>Authorization>Passwordconfigurationpageoftheadminconsole.

SupportedLDAPpasswordmanagementfunctions

ThefollowingmatrixdescribesthepasswordmanagementfunctionssupportedbyJuniperNetworks,theircorrespondingfunctionnamesintheindividualLDAPdirectories,andanyadditionalrelevantdetails.ThesefunctionsmustbesetthroughtheLDAPserveritselfbeforetheIVEcanpassthecorrespondingmessages,functions,andrestrictionstoend-users.WhenauthenticatingagainstagenericLDAPserver,suchasIBMSecureDirectory,theIVEonlysupportsauthenticationandallowinguserstochangetheirpasswords.

Table7:

Supportedpasswordmanagementfunctions

Function

ActiveDirectory

iPlanet

NovelleDirectory

Generic

Authenticateuser

unicodePwd

userPassword

Allowusertochangepasswordiflicensedandifenabled

Servertellsusinbindresponse（usesntSecurityDescriptor）

IfpasswordChange==ON

IfpasswordAllowChange==TRUE

Yes

Logoutuserafterpasswordchange

Yes

Forcepasswordchangeatnextlogin

IfpwdLastSet==0

IfpasswordMustChange==ON

IfpwdMustChange==TRUE

Passwordexpirednotification

userAccountControl==0x80000

IfBindResponseincludesOID

2.16.840.1.113730.3.4.4==0

Checkdate/timevalueinpasswordExpirationTime

Passwordexpirationnotification（inXdays/hours）

ifpwdLastSet-now（）

（maxPwdAgeisreadfromdomainattributes）

（IVEdisplayswarningiflessthan14days）

IfBindResponseincludescontrolOID2.16.840.1.113730.3.4.5（containsdate/time）

（IVEdisplayswarningiflessthan14days）

Ifnow（）-passwordExpirationTime<14days

（IVEdisplayswarningiflessthan14days）

Disallowauthenticationif"accountdisabled/locked

userAccountControl==0x2（Disabled）

accountExpires

userAccountControl==0x10（Locked）

lockoutTime

BindErrorCode:

53"AccountInactivated"

BindErrorCode:

19"ExceedPasswordRetryLimit"

BindErrorCode:

53"AccountExpired"

BindErrorCode:

53"LoginLockout"

Honor"passwordhistory"

Servertellsusinbindresponse

Enforce"minimumpasswordlength"

Ifset,IVEdisplaysmessagetellinguserminPwdLength

Ifset,IVEdisplaysmessagetellinguserpasswordMinLength

Ifset,IVEdisplaysmessagetellinguserpasswordMinimumLength

Disallowuserfromchangingpasswordtoosoon

IfpwdLastSet-now（）

IfpasswordMinAge>0,

thenifnow（）isearlierthanpasswordAllowChangeTime,thenwedisallow

Servertellsusinbindresponse

Honor"passwordcomplexity"

IfpwdProperties==0x1,thenenabled.Complexitymeansthenewpassworddoesnotcontainusername,firstorlastname,andmustcontaincharactersfrom3ofthefollowing4categories:

Englishuppercase,Englishlowercase,Digits,andNon-alphabeticcharacters（ex.!

$,%）

Servertellsusinbindresponse

AD/NTPasswordManagementMatrix

ThefollowingmatrixdescribesthePasswordManagementfunctionssupportedbyJuniperNetworks.

Table8:

AD/NTPasswordManagementMatrix

Function

ActiveDirectory

ActiveDirectory2003

WindowsNT

Authenticateuser

展开阅读全文