VMware Workspace ONE Community
agalliasistju
Enthusiast

Password Expiration - Change

Hello all, we have been using Workspace ONE (Identity Manager) for about 1 year now. We want to allow users to reset their password upon login (when the password has expired). We enabled the checkbox to allow users to reset their passwords.

We have Identity Manager nodes in the DMZ and Identity Manager Connectors on the internal network. The Connectors are used for AD authentication + AD synchronization.

Even though we enabled the checkbox to allow users to reset their passwords, our testing has proven unsuccessful. I read the documentation; does anyone have a similar deployment (where this is working)? Or anyone with insight beyond the documentation from VMware?


Accepted Solutions
agalliasistju
Enthusiast

We now know that this issue is related to the alternative UPN suffix we have selected.

Prerequisites

  • The domain functional level of the Active Directory domain controllers must be set to Windows 2008 or later.
  • Port 464 must be open from VMware Identity Manager to the domain controllers. In a SaaS deployment, port 464 must be open from the VMware Identity Manager connector to the domain controllers.
  • The Active Directory must use one of the following UPN formats:
    • Regular UPN format: samaccountname@domain
    • Alternative UPN prefix format: alternativePrefix@domain
    • Alternative UPN suffix format: samaccountname@alternativeSuffix
    The UPN format of alternativePrefix@alternativeSuffix is not supported.
  • Clocks on the connector and the domain controllers must be synchronized.
  • The Allow Change Password option is available with connector version 2016.11.1 and later.

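An added example, not part of the original thread or of VMware's documentation: a small audit that sorts accounts into the UPN formats named in the prerequisites list and flags the ones outside the supported formats, plus a check of the connector version against 2016.11.1. The function names, the domain `corp.example.com` and the sample rows are assumptions made for illustration; real input would be an export of sAMAccountName and userPrincipalName from the directory.

```python
from collections import Counter

SUPPORTED = {"regular", "alternative-prefix", "alternative-suffix"}
MIN_CONNECTOR = (2016, 11, 1)  # minimum connector version from the list


def classify_upn(sam, upn, domain):
    """Name the UPN format of one account, using the list's terms."""
    prefix, _, suffix = (upn or "").rpartition("@")
    if not prefix or not suffix:
        return "missing-or-malformed"
    # Assumption: names are matched case-insensitively.
    same_prefix = prefix.lower() == sam.lower()
    same_suffix = suffix.lower() == domain.lower()
    if same_prefix and same_suffix:
        return "regular"
    if same_suffix:
        return "alternative-prefix"
    if same_prefix:
        return "alternative-suffix"
    return "unsupported-both-alternative"


def connector_ok(version):
    """True when a dotted connector version is 2016.11.1 or later."""
    return tuple(int(p) for p in version.split(".")[:3]) >= MIN_CONNECTOR


def audit(accounts, domain):
    """Return (count per format, accounts outside the supported formats)."""
    counts, flagged = Counter(), []
    for sam, upn in accounts:
        kind = classify_upn(sam, upn, domain)
        counts[kind] += 1
        if kind not in SUPPORTED:
            flagged.append(sam)
    return counts, flagged


# Constructed rows (sAMAccountName, userPrincipalName); not real accounts.
SAMPLE = [
    ("jdoe", "jdoe@corp.example.com"),
    ("asmith", "Alice.Smith@corp.example.com"),
    ("bwong", "BWong@example.com"),
    ("cnguyen", "chris.nguyen@example.com"),
    ("svc-print", None),
]

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE, "corp.example.com")
    print(dict(counts), "flagged:", flagged)
    print("connector 2016.11.1 supported:", connector_ok("2016.11.1"))
```

Accounts returned in the flagged list are the ones to review before enabling Allow Change Password, since their UPN either combines an alternative prefix with an alternative suffix or is missing.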