topic Re: Allow change password option and Global Catalog domain controllers in Workspace ONE Discussions

Allow change password option and Global Catalog domain controllers

VirtualSven — Tue, 13 Sep 2016 19:53:53 GMT

Question about changing expired passwords with Identity Manager. The documentation says: “The Allow Change Password option is not available for Active Directory environments that use a global catalog.”

Why is this? And if I have an environment with 2 DCs which are both GC, I cannot use this functionality? Can't you have gobal catalog servers at all in your environment? I think all of my customer environments uses Global catalog servers in their infrastructure...

Re: Allow change password option and Global Catalog domain controllers

VirtualSven — Thu, 15 Sep 2016 07:29:34 GMT

It is not listed in the documentation as a requirement, but does vIDM need a secure LDAP connection with the domain if you want to allow password change through vIDM? If I read this, it should:

https://technet.microsoft.com/en-us/library/cc514301.aspx

Re: Allow change password option and Global Catalog domain controllers

FerrerDeCouto — Fri, 16 Dec 2016 16:50:28 GMT

Hi Sven,

Did you figure out how to make this feagure works?

I'm facing the same issues like you. The feature is not working and I guess it's because even if you configure the certificate, the java application is using ldap instead of ldaps. This is like in vRO when you want to use the AD plugin and run the "Add user with password" workflow. Have the certs configured and use 636 is a requirement.

Regards,

Jose Gomez

Re: Allow change password option and Global Catalog domain controllers

VirtualSven — Wed, 21 Dec 2016 13:28:10 GMT

It's working with Global catalog servers in the domain and without ssl connection to the domain. However, at the customer it is currently still not working, VMware support is trying to figure it out.

Re: Allow change password option and Global Catalog domain controllers

pbjork — Thu, 29 Dec 2016 06:39:40 GMT

Our manual has been updated.. It was a little misleading before.. Now it states:

When a directory is added to VMware Identity Manager as a Global Catalog, the Allow Change Password option is not available. Directories can be added as Active Directory over LDAP or Integrated Windows Authentication, using ports 389 or 636.

So password change works as long as you are not using the Global Catalog ports to connect to your Domain Controller..

Re: Allow change password option and Global Catalog domain controllers

FerrerDeCouto — Thu, 29 Dec 2016 07:18:10 GMT

‌I am using Integrated Windows Authentication ans LDAPS over port 636 but it doesn't work. By the way, this is happening with the vIDM embedded in vRA and the configuration is made through vRA. I don't recall to see any Global Catalog option when it's vRA.

Re: Allow change password option and Global Catalog domain controllers

pbjork — Thu, 29 Dec 2016 07:20:43 GMT

I think vRA is using an older version of the Identity Manager bits so I do not thing Password Change is supported. AD Password Change was just recently added to VMware Identity Manager.. But I'm not 100% sure since I do not really cover vRA..