VirtualSven
Hot Shot

Allow change password option and Global Catalog domain controllers

Question about changing expired passwords with Identity Manager. The documentation says: “The Allow Change Password option is not available for Active Directory environments that use a global catalog.”

Why is this? And if I have an environment with 2 DCs which are both GC, I cannot use this functionality? Can't you have global catalog servers at all in your environment? I think all of my customer environments use Global Catalog servers in their infrastructure...

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
6 Replies
VirtualSven
Hot Shot

It is not listed in the documentation as a requirement, but does vIDM need a secure LDAP connection with the domain if you want to allow password change through vIDM? If I read this, it should:

https://technet.microsoft.com/en-us/library/cc514301.aspx

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
FerrerDeCouto
Commander

Hi Sven,

Did you figure out how to make this feature work?

I'm facing the same issues as you. The feature is not working and I guess it's because even if you configure the certificate, the Java application is using LDAP instead of LDAPS. This is like in vRO when you want to use the AD plugin and run the "Add user with password" workflow. Having the certs configured and using 636 is a requirement.

Regards,

Jose Gomez

José Luis Gómez Ferrer de Couto Founder of PiPo e2H Blog: http://blog.e2h.net If you find this or any other answer useful, please consider awarding points. Thank you.
VirtualSven
Hot Shot

It's working with Global Catalog servers in the domain and without an SSL connection to the domain. However, at the customer it is currently still not working; VMware support is trying to figure it out.

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
pbjork
VMware Employee

Our manual has been updated. It was a little misleading before. Now it states:

When a directory is added to VMware Identity Manager as a Global Catalog, the Allow Change Password option is not available. Directories can be added as Active Directory over LDAP or Integrated Windows Authentication, using ports 389 or 636.

So password change works as long as you are not using the Global Catalog ports to connect to your Domain Controller.

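To make the two points above concrete (Sven's question about whether a secure LDAP connection is needed, and the updated manual's distinction between Global Catalog and plain LDAP/LDAPS directory connections), here is an added example that is not code from this thread or from VMware Identity Manager. It models the check behind "Allow Change Password" and builds the LDAP modify an Active Directory password change actually sends. It relies on two facts about AD: the Global Catalog listeners are the standard ports 3268 and 3269 and serve a read-only partial replica, so a modify cannot go through them; and AD only accepts a change to the unicodePwd attribute (the new password, wrapped in double quotes and encoded as UTF-16LE) over a confidential channel, meaning LDAPS on 636 or a SASL/Kerberos bind with sealing on 389, which is what Integrated Windows Authentication provides. The connection settings, host names and the `bind` setting values are constructed, hypothetical stand-ins for a directory configuration; nothing here talks to a real domain.

```python
"""Added example (not from the thread or from VMware): why a Global Catalog
directory connection cannot offer "Allow Change Password", and what the
password-change modify looks like when the connection does allow it.
Runs offline; all settings below are constructed and hypothetical."""

LDAP_PORT, LDAPS_PORT = 389, 636      # domain controller LDAP / LDAP over SSL
GC_PORT, GC_SSL_PORT = 3268, 3269     # Global Catalog listeners (read-only partial replica)


def classify_connection(port, use_ssl, bind="simple"):
    """Return (kind, change_allowed, reason) for a directory connection.

    A password change is a write, and writes are not accepted through the
    Global Catalog ports. On the domain ports, AD rejects a unicodePwd modify
    unless the channel is confidential: SSL/TLS, or a SASL (Kerberos) bind
    with sealing, which is what Integrated Windows Authentication gives you.
    The bind values "simple" and "kerberos" are hypothetical setting names.
    """
    if port in (GC_PORT, GC_SSL_PORT):
        return ("global_catalog", False,
                "Global Catalog port %d: read-only partial replica, modifies are not accepted" % port)
    confidential = use_ssl or bind == "kerberos"
    if not confidential:
        return ("ldap", False,
                "plain LDAP on port %d with a simple bind: AD refuses unicodePwd without encryption" % port)
    kind = "ldaps" if use_ssl else "ldap+sasl"
    return (kind, True, "password change allowed over %s on port %d" % (kind, port))


def encode_unicode_pwd(password):
    """AD expects unicodePwd as the password in double quotes, encoded UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def build_password_change(user_dn, new_password, old_password=None):
    """Build the LDAP modify for unicodePwd as a list of (op, attr, value).

    A user changing their own (possibly expired) password sends delete(old)
    followed by add(new) in one modify, so AD checks the old password and the
    password policy. A reset by a privileged account sends replace(new).
    """
    if old_password is not None:
        changes = [("delete", "unicodePwd", encode_unicode_pwd(old_password)),
                   ("add", "unicodePwd", encode_unicode_pwd(new_password))]
    else:
        changes = [("replace", "unicodePwd", encode_unicode_pwd(new_password))]
    return {"dn": user_dn, "changes": changes}


def plan_password_change(settings, user_dn, old_password, new_password):
    """Run the connection check, then build the modify or explain the refusal."""
    kind, allowed, reason = classify_connection(
        settings["port"], settings["use_ssl"], settings.get("bind", "simple"))
    if not allowed:
        return {"ok": False, "connection": kind, "reason": reason}
    return {"ok": True, "connection": kind, "reason": reason,
            "modify": build_password_change(user_dn, new_password, old_password)}


# Constructed sample configurations; dc1.corp.example is not a real host.
SAMPLE_SETTINGS = {
    "gc":    {"host": "dc1.corp.example", "port": 3269, "use_ssl": True},
    "ldaps": {"host": "dc1.corp.example", "port": 636,  "use_ssl": True},
    "iwa":   {"host": "dc1.corp.example", "port": 389,  "use_ssl": False, "bind": "kerberos"},
    "plain": {"host": "dc1.corp.example", "port": 389,  "use_ssl": False},
}

if __name__ == "__main__":
    user = "CN=jdoe,OU=Users,DC=corp,DC=example"   # constructed DN
    for name, cfg in SAMPLE_SETTINGS.items():
        result = plan_password_change(cfg, user, "OldP@ss1", "NewP@ss2")
        print("%-6s ok=%-5s %s" % (name, result["ok"], result["reason"]))
```

Running it shows the "gc" and "plain" settings refused and "ldaps" and "iwa" accepted, which matches both statements in the thread: no SSL is strictly required when the bind itself is sealed, but a directory added through the Global Catalog ports can never offer the option.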
FerrerDeCouto
Commander

I am using Integrated Windows Authentication and LDAPS over port 636 but it doesn't work. By the way, this is happening with the vIDM embedded in vRA and the configuration is made through vRA. I don't recall seeing any Global Catalog option when it's vRA.

José Luis Gómez Ferrer de Couto Founder of PiPo e2H Blog: http://blog.e2h.net If you find this or any other answer useful, please consider awarding points. Thank you.
pbjork
VMware Employee

I think vRA is using an older version of the Identity Manager bits, so I do not think Password Change is supported. AD Password Change was just recently added to VMware Identity Manager. But I'm not 100% sure since I do not really cover vRA.
