Changing Windows Domain User Passwords through the Juniper SSL VPN (在Juniper SSL VPN中实现更改windows域用户的密码.docx)
- Document number: 8806134
- Uploaded: 2023-05-15
- Format: DOCX
- Pages: 16
- Size: 1.16 MB
Changing Windows domain user passwords through the Juniper SSL VPN
Composed by fzhongjie
Topology diagram (image not reproduced in this extract)
Versions used:
- AAA server: Windows 2003 R2 SP2 (English edition)
- SA4000: 6.0R3
- My PC: Windows XP SP2 with IE6 SP2
Setting up Windows 2003
After installing Windows, promote the system to a domain controller.
Install the Certificate Services component. An enterprise CA on the domain issues the domain controller a certificate, and Active Directory only accepts LDAPS on TCP 636 once a certificate whose subject matches the server's hostname is in the server's personal store; the IVE switches to LDAPS for password changes.
Open TCP 636 (LDAPS) and TCP 389 (LDAP) in the Windows Firewall.
Open the Domain Security Policy console and modify the password policy:
- Enforce password history: the document sets this to 0 passwords remembered. Note that 0 disables the history check entirely, so users can reuse old passwords; it only keeps repeated test changes from being rejected as reuse. To stop users from going back to an old password, set a non-zero value.
- Minimum password age: set to 0 so users can change their password immediately. With a non-zero value the domain controller refuses a second change until that time has elapsed since the last change.
- The remaining settings can be configured as needed.
After changing the policy, restart the domain controller. The Juniper help quoted later on this page notes that domain security policy changes can take 5 minutes or more to propagate.
In the experiment I also added an administrator account. Its display name is ZhongjieFan, it is a member of the Administrators group, and it is located in the asia-link OU.
Juniper SA configuration
Create an LDAP authentication server.
Create a role, a realm and the role mapping.
Confirm that password management is enabled in the realm.
Testing
In the normal user interface, test whether the user's password can be changed.
If users must change their password at first logon, set the corresponding attribute in Active Directory Users and Computers (User must change password at next logon). This sets pwdLastSet to 0, which is the condition the IVE uses to force a change.
References
IVE 6.0 Help
Authentication and directory servers > Configuring an LDAP server instance > Enabling LDAP password management
Enabling LDAP password management
The IVE password management feature enables users who authenticate through an LDAP server to manage their passwords through the IVE using the policies defined on the LDAP server. For example, if a user tries to sign in to the IVE with an LDAP password that is about to expire, the IVE catches the expired password notification, presents it to the user through the IVE interface, and then passes the user's response back to the LDAP server without requiring the user to sign in to the LDAP server separately.
Users, administrators, and help desk administrators who work in environments where passwords have set expiration times may find the password management feature very helpful. When users are properly informed that their passwords are about to expire, they can change them themselves through the IVE rather than calling the Help Desk.
The password management feature enables users to change their passwords when prompted or at will. For example, during the sign-in process, the IVE may inform the user that his password is expired or about to expire. If expired, the IVE prompts the user to change his password. If the password has not expired, the IVE may allow the user to sign in to the IVE using his existing password. After he has signed in, he may change his password from the Preferences page.
Once enabled, the IVE performs a series of queries to determine user account information, such as when the user's password was last set, if his account is expired, and so forth. The IVE does this by using its internal LDAP or Samba client. Many servers, such as Microsoft Active Directory or Sun iPlanet, offer an Administrative Console to configure account and password options.
This section includes the following topics with information about the LDAP password management feature:
∙ Task summary: Enabling LDAP password management
∙ Supported LDAP directories and servers
∙ Supported LDAP password management functions
Task summary: Enabling LDAP password management
To enable password management through the IVE, you must:
1. Install a UPG-Password Management Integration license or the Advanced license through the System > Configuration > Licensing page of the admin console.
2. Create an instance of the LDAP server through the Authentication > Auth. Servers page of the admin console.
3. Associate the LDAP server with a realm through the Administrators/Users > User Realms > [Realm] > General page of the admin console.
4. Enable password management for the realm in the Administrators/Users > User Realms > [Realm] > Authentication Policy > Password page of the admin console. Note that the Enable Password Management option only appears if the realm's authentication server is an LDAP or NT/AD server.
Supported LDAP directories and servers
The IVE supports password management with the following LDAP directories:
∙ Microsoft Active Directory/Windows NT
∙ Sun iPlanet
∙ Novell eDirectory
∙ Generic LDAP directories, such as IBM Secure Directory and OpenLDAP
Additionally, the IVE supports password management with the following Windows servers:
∙ Microsoft Active Directory
∙ Microsoft Active Directory 2003
∙ Windows NT 4.0
The following sections list specific issues related to individual server types.
Microsoft Active Directory
∙ Changes on the Active Directory domain security policy may take 5 minutes or more to propagate among Active Directory domain controllers. Additionally, this information does not propagate to the domain controller on which it was originally configured for the same time period. This is a limitation of Active Directory.
∙ When changing passwords in Active Directory using LDAP, the IVE automatically switches to LDAPS, even if LDAPS is not the configured LDAP method. To support LDAPS on the Active Directory server, you must install a valid SSL certificate into the server's personal certificate store. Note that the certificate must be signed by a trusted CA and the CN in the certificate's Subject field must contain the exact hostname of the Active Directory server. To install the certificate, select the Certificates Snap-In in the Microsoft Management Console (MMC).
∙ The Account Expires option in the User Account Properties tab only changes when the account expires, not when the password expires. As explained in Supported LDAP password management functions, Microsoft Active Directory calculates the password expiration using the Maximum Password Age and Password Last Set values retrieved from the User Policy and Domain Security Policy LDAP objects.
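The LDAPS requirement above exists because Active Directory refuses writes to the password attribute over an unprotected connection. The following Python is an added example written for this page, not code from the Juniper help or the IVE: it builds the exact Modify operation an LDAP client sends to change an Active Directory password. The DN, the passwords and the small hand-written BER encoder are assumptions for the example; a real client would use an LDAP library and send the bytes inside the TLS session after binding.

```python
"""Added example, not code from the Juniper document or the IVE: the bytes an
LDAP client must send to change an Active Directory password.

AD keeps the password behind the write-only attribute unicodePwd and accepts
writes to it only over an SSL/TLS-protected session, which is why the IVE
switches to LDAPS.  The value is the new password wrapped in double quotes
and encoded as UTF-16LE.  A self-service change is one Modify operation that
deletes the old value and adds the new one; an administrative reset replaces
the value.  The BER encoder here is a minimal hand-written one for the
RFC 4511 ModifyRequest so the wire bytes can be inspected offline.
"""
from __future__ import annotations

from typing import List, Tuple

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2       # RFC 4511 operation codes
Modification = Tuple[int, str, List[bytes]]      # (operation, attribute, values)


def encode_unicode_pwd(password: str) -> bytes:
    """Wire form of unicodePwd: the password in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects a value that is not quoted."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not double-quoted")
    return text[1:-1]


def self_service_change(old_password: str, new_password: str) -> List[Modification]:
    """Delete old + add new in a single operation.  The DC checks the deleted
    value against the stored hash, so the caller must know the old password,
    and domain policy (history, minimum age, complexity) is enforced."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def admin_reset(new_password: str) -> List[Modification]:
    """Replace the value.  Needs the Reset Password control-access right on
    the user object; history and minimum age are not applied."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


# Minimal BER (X.690) encoding, just enough for a ModifyRequest.
def _ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(content)) + content


def _octet_string(data: bytes) -> bytes:
    return _tlv(0x04, data)


def _small_number(tag: int, n: int) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A) for 0 <= n < 128."""
    if not 0 <= n < 0x80:
        raise ValueError("single-byte encoding only")
    return _tlv(tag, bytes([n]))


def modify_request(message_id: int, dn: str, changes: List[Modification]) -> bytes:
    """LDAPMessage { messageID, ModifyRequest } for the given DN.
    ModifyRequest is [APPLICATION 6] constructed, tag byte 0x66; each change
    is SEQUENCE { operation ENUMERATED, PartialAttribute }."""
    change_list = b"".join(
        _tlv(0x30, _small_number(0x0A, op)
             + _tlv(0x30, _octet_string(attr.encode("utf-8"))
                    + _tlv(0x31, b"".join(_octet_string(v) for v in vals))))
        for op, attr, vals in changes
    )
    protocol_op = _tlv(0x66, _octet_string(dn.encode("utf-8")) + _tlv(0x30, change_list))
    return _tlv(0x30, _small_number(0x02, message_id) + protocol_op)


if __name__ == "__main__":
    ops = self_service_change("Old1!", "New2!")   # constructed sample passwords
    print(modify_request(1, "CN=test,DC=x", ops).hex())
```

Sent over plain TCP 389 without TLS, the same request is answered by the domain controller with result code 53 (unwillingToPerform), the same code that appears in the bind-error rows of Table 7 below; only the LDAPS form on TCP 636 succeeds, which is why the firewall step earlier opens 636 and why the domain controller needs a certificate.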
Sun iPlanet
When you select the User must change password after reset option on the iPlanet server, you must also reset the user's password before this function takes effect. This is a limitation of iPlanet.
General
The IVE only displays a warning about password expiry if the password is scheduled to expire in 14 days or less. The IVE displays the message during each IVE sign-in attempt. The warning message contains the remaining number of days, hours, and minutes that the user has to change his password before it expires on the server. The default value is 14 days; however, you may change it through the Administrators|Users > Admin Realms|User Realms > Authorization > Password configuration page of the admin console.
Supported LDAP password management functions
The following matrix describes the password management functions supported by Juniper Networks, their corresponding function names in the individual LDAP directories, and any additional relevant details. These functions must be set through the LDAP server itself before the IVE can pass the corresponding messages, functions, and restrictions to end users. When authenticating against a generic LDAP server, such as IBM Secure Directory, the IVE only supports authentication and allowing users to change their passwords.
Table 7: Supported password management functions

Authenticate user
  Active Directory: unicodePwd
  iPlanet: userPassword
  Novell eDirectory: userPassword
  Generic: userPassword

Allow user to change password (if licensed and if enabled)
  Active Directory: Server tells us in bind response (uses ntSecurityDescriptor)
  iPlanet: If passwordChange == ON
  Novell eDirectory: If passwordAllowChange == TRUE
  Generic: Yes

Log out user after password change
  Active Directory: Yes
  iPlanet: Yes
  Novell eDirectory: Yes
  Generic: Yes

Force password change at next login
  Active Directory: If pwdLastSet == 0
  iPlanet: If passwordMustChange == ON
  Novell eDirectory: If pwdMustChange == TRUE
  Generic: Not supported

Password expired notification
  Active Directory: userAccountControl has bit 0x800000 (ADS_UF_PASSWORD_EXPIRED) set. The source prints 0x80000, which is the TRUSTED_FOR_DELEGATION bit; the expired-password flag is 0x800000 and is a computed flag rather than a stored one.
  iPlanet: If BindResponse includes control OID 2.16.840.1.113730.3.4.4 (password expired) == 0
  Novell eDirectory: Check date/time value in passwordExpirationTime
  Generic: Not supported

Password expiration notification (in X days/hours)
  Active Directory: If (pwdLastSet + maxPwdAge) - now() < 14 days (maxPwdAge is read from the domain attributes; the IVE displays a warning if less than 14 days remain)
  iPlanet: If BindResponse includes control OID 2.16.840.1.113730.3.4.5 (password expiring, contains the date/time); the IVE displays a warning if less than 14 days remain
  Novell eDirectory: If passwordExpirationTime - now() < 14 days (the IVE displays a warning if less than 14 days remain)
  Generic: Not supported

Disallow authentication if account disabled/locked
  Active Directory: userAccountControl == 0x2 (Disabled); accountExpires; userAccountControl == 0x10 (Locked); lockoutTime
  iPlanet: Bind error code 53 "Account Inactivated"; bind error code 19 "Exceed Password Retry Limit"
  Novell eDirectory: Bind error code 53 "Account Expired"; bind error code 53 "Login Lockout"
  Generic: Not supported

Honor "password history"
  Active Directory: Server tells us in bind response
  iPlanet: Server tells us in bind response
  Novell eDirectory: Server tells us in bind response
  Generic: Not supported

Enforce "minimum password length"
  Active Directory: If set, the IVE displays a message telling the user minPwdLength
  iPlanet: If set, the IVE displays a message telling the user passwordMinLength
  Novell eDirectory: If set, the IVE displays a message telling the user passwordMinimumLength
  Generic: Not supported

Disallow user from changing password too soon
  Active Directory: If now() - pwdLastSet < minPwdAge (minPwdAge is read from the domain attributes), then we disallow
  iPlanet: If passwordMinAge > 0, then if now() is earlier than passwordAllowChangeTime, then we disallow
  Novell eDirectory: Server tells us in bind response
  Generic: Not supported

Honor "password complexity"
  Active Directory: If bit 0x1 of pwdProperties is set, then enabled. Complexity means the new password does not contain the username, first or last name, and must contain characters from 3 of the following 4 categories: English uppercase, English lowercase, digits, and non-alphabetic characters (for example !, $, %). Windows Server 2003 itself also counts other Unicode alphabetic characters as a fifth category.
  iPlanet: Server tells us in bind response
  Novell eDirectory: Server tells us in bind response
  Generic: Not supported

AD/NT Password Management Matrix
The following matrix describes the Password Management functions supported by Juniper Networks.
Table 8: AD/NT Password Management Matrix
Columns: Function; Active Directory; Active Directory 2003; Windows NT
Only the first row label, "Authenticate user", survives in this extract; the rest of Table 8 is not present.
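The Active Directory column of Table 7 is easier to verify against a real account once it is written as code. The following Python is an added example for this page, not Juniper's implementation; the DomainPolicy and UserEntry classes are hypothetical containers for attribute values fetched over LDAP, and the sample values in the demo are constructed. It goes slightly beyond the table in two places that a working client needs, and says so in the comments: the userAccountControl flag that exempts a password from expiry, and the three-character token rule Active Directory applies when it rejects passwords that contain the user's name.

```python
"""Added example, not code from Juniper or the IVE: the Active Directory
column of Table 7 as checks over the attributes an LDAP client reads.

Windows timestamps are FILETIME ticks (100 ns since 1601-01-01 UTC);
maxPwdAge, minPwdAge and lockoutDuration are stored as negative tick
intervals.  Beyond the table: UF_DONT_EXPIRE_PASSWD (0x10000) and AD's rule
that only display-name tokens of 3+ characters are rejected.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF           # accountExpires: never expires (0 means the same)
FOREVER = -0x8000000000000000        # interval meaning "never" / "until an admin unlocks"
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000       # ADS_UF_PASSWORD_EXPIRED (computed attribute only)
DOMAIN_PASSWORD_COMPLEX = 0x1        # pwdProperties bit
WARN_WINDOW = timedelta(days=14)     # IVE default expiry warning window


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10   # exact integer math


def interval(**kwargs) -> int:
    """A policy interval as AD stores it: negative 100 ns ticks."""
    return -(timedelta(**kwargs) // timedelta(microseconds=1)) * 10


def _duration(ticks: int) -> timedelta:
    return timedelta(microseconds=-ticks // 10)


@dataclass
class DomainPolicy:                  # hypothetical container: domain object attributes
    maxPwdAge: int
    minPwdAge: int
    minPwdLength: int
    pwdProperties: int
    lockoutDuration: int = interval(minutes=30)


@dataclass
class UserEntry:                     # hypothetical container: user object attributes
    sAMAccountName: str
    displayName: str
    userAccountControl: int
    pwdLastSet: int
    accountExpires: int = NEVER
    lockoutTime: int = 0


@dataclass
class AccountStatus:
    state: str                       # disabled | account_expired | locked | must_change | password_expired | ok
    expires_at: Optional[datetime] = None
    days_left: Optional[int] = None  # set only when the 14-day warning applies


def password_expires_at(user: UserEntry, policy: DomainPolicy) -> Optional[datetime]:
    if user.userAccountControl & UF_DONT_EXPIRE_PASSWD or policy.maxPwdAge in (0, FOREVER):
        return None
    return filetime_to_datetime(user.pwdLastSet) + _duration(policy.maxPwdAge)


def evaluate(user: UserEntry, policy: DomainPolicy, now: datetime) -> AccountStatus:
    """Refuse disabled/expired/locked accounts, then force a change (pwdLastSet == 0),
    then report an expired password, then the expiry warning."""
    if user.userAccountControl & UF_ACCOUNTDISABLE:
        return AccountStatus("disabled")
    if user.accountExpires not in (0, NEVER) and filetime_to_datetime(user.accountExpires) <= now:
        return AccountStatus("account_expired")
    if user.lockoutTime and (policy.lockoutDuration == FOREVER
                             or now < filetime_to_datetime(user.lockoutTime) + _duration(policy.lockoutDuration)):
        return AccountStatus("locked")
    if user.pwdLastSet == 0:
        return AccountStatus("must_change")
    expires_at = password_expires_at(user, policy)
    if expires_at is None:
        return AccountStatus("ok")
    if expires_at <= now or user.userAccountControl & UF_PASSWORD_EXPIRED:
        return AccountStatus("password_expired", expires_at)
    remaining = expires_at - now
    return AccountStatus("ok", expires_at, remaining.days if remaining < WARN_WINDOW else None)


def change_allowed_now(user: UserEntry, policy: DomainPolicy, now: datetime) -> bool:
    """'Disallow user from changing password too soon': minPwdAge must have elapsed
    since pwdLastSet, unless a change is being forced."""
    if user.pwdLastSet == 0 or policy.minPwdAge in (0, FOREVER):
        return True
    return now - filetime_to_datetime(user.pwdLastSet) >= _duration(policy.minPwdAge)


_NAME_TOKENS = re.compile(r"[ ,.\-_#\t]+")


def password_acceptable(new_password: str, user: UserEntry, policy: DomainPolicy) -> bool:
    """minPwdLength, then the complexity rule when pwdProperties bit 0x1 is set.
    History is not checked here: only the DC holds it and reports a violation."""
    if len(new_password) < policy.minPwdLength:
        return False
    if not policy.pwdProperties & DOMAIN_PASSWORD_COMPLEX:
        return True
    lowered = new_password.lower()
    if len(user.sAMAccountName) >= 3 and user.sAMAccountName.lower() in lowered:
        return False
    if any(len(t) >= 3 and t.lower() in lowered for t in _NAME_TOKENS.split(user.displayName)):
        return False
    classes = (any(c.isupper() for c in new_password), any(c.islower() for c in new_password),
               any(c.isdigit() for c in new_password), any(not c.isalnum() for c in new_password))
    return sum(classes) >= 3


if __name__ == "__main__":   # constructed sample: 42-day max age, password set 35 days ago
    now = datetime(2023, 5, 15, 12, 0, tzinfo=timezone.utc)
    policy = DomainPolicy(interval(days=42), interval(days=1), 7, DOMAIN_PASSWORD_COMPLEX)
    user = UserEntry("zfan", "Zhongjie Fan", 0x200, datetime_to_filetime(now - timedelta(days=35)))
    print(evaluate(user, policy, now), password_acceptable("Zhongjie1!", user, policy))
```

The same evaluation order is what the sign-in flow described earlier needs: a disabled or locked account never reaches the password prompt, a forced change is offered before the expiry check, and the warning is only produced inside the configurable 14-day window.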