"Failed to get the domain name"...again

Hello,
we use a Firebox M270 in our company. Our users also have VPN access to dial into the company network from the home office. As in many companies, our users have to change their password every 3 months. They get a warning 1 week before and know that they should do it as soon as possible when they are in the office. But of course some users are too lazy and wait until the password has actually expired. That is a problem if they are then on the road, because then there are regular problems with the dial-in via VPN. They then see the error message "Failed to get domain name". Sometimes it is helpful to switch the WLAN connection to a public profile and then back to a private profile, but that doesn't always work. Is there any way to avoid such problems and allow users on business trips to log in again?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @STSG

    Based off the error message you're seeing, I'm going to assume this is SSLVPN.

    The issue with this is how SSLVPN works in the back end when the user authenticates. If you're authenticating to a straight AD (Active Directory) or other LDAP server, the firewall does a simple bind as the user you are authenticating as. This provides a few security benefits (specifically that the user binding as themselves can only retrieve the groups that they are a member of). In order to change a password, a different user with elevated permissions would need to be used. There were a few feature requests opened by customers, but they were closed out due to the infeasibility of changing the password via a simple BIND.

    If you happen to be using AuthPoint, you can change the password via the IDP portal. However, this would require the user to do this before their password expires.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/reset-password.html

    There are also other 3rd party services that manage/allow users to self service change their password via web portals and similar.

    If you're looking for a free solution, emailing the users that their password is going to expire (starting maybe a week out) might be the push you need to get them to change their password sooner.

    See this link for some ideas on that:
    https://www.thelazyadministrator.com/2018/03/28/email-users-when-their-active-directory-password-is-set-to-expire-soon/

    -James Carson
    WatchGuard Customer Support
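As an added illustration of the "email the users before expiry" approach James mentions (this is not code from the thread, from WatchGuard, or from the linked article), the script below queries AD for enabled accounts whose password expires within the next 7 days and notifies them while they can still change it. It assumes the RSAT ActiveDirectory module is installed and uses placeholder SMTP server and sender addresses.

```powershell
# Added example: find AD users whose password expires within $WarnDays days,
# so they can be warned before SSLVPN logon starts failing with
# "Failed to get the domain name". Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$WarnDays = 7          # assumption: one-week warning, matching the poster's policy
$Now      = Get-Date

# Skip disabled accounts and accounts flagged "password never expires".
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

$expiring = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means no computed expiry (e.g. no password policy applies).
    if (-not $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { continue }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = ($expires - $Now).Days
    if ($daysLeft -ge 0 -and $daysLeft -le $WarnDays) {
        [PSCustomObject]@{
            User     = $u.SamAccountName
            Mail     = $u.mail
            Expires  = $expires
            DaysLeft = $daysLeft
        }
    }
}

# Report for the helpdesk, soonest expiry first.
$expiring | Sort-Object DaysLeft | Format-Table -AutoSize

# Notify each user who has a mail address. SMTP host and sender are placeholders.
foreach ($e in ($expiring | Where-Object { $_.Mail })) {
    Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'it@example.internal' `
        -To $e.Mail `
        -Subject "Your domain password expires in $($e.DaysLeft) day(s)" `
        -Body ("Your password expires on $($e.Expires.ToString('yyyy-MM-dd')). " +
               "Change it while connected to the office network; after it expires, " +
               "the VPN logon fails with 'Failed to get the domain name'.")
}
```

Run it daily as a scheduled task on a domain-joined management host; the report alone is useful even if the mail step is left out.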
