Re: How does your company handle this issue?
From: Fred Yarbrough (fcyarbrough_at_yahoo.com)
Date: 05/18/04
- Next message: Marin Marinov: "Re: query"
- Previous message: jessem: "Login problems"
- In reply to: Fred Yarbrough: "Re: How does your company handle this issue?"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 18 May 2004 16:50:12 -0500
Here is the resolution....
*** Problem Description ***
Remote users use Cisco VPN to access the domain.
Remote users log on to computers with cached logons and make the VPN connection with the Cisco VPN client.
The Radius server supports triggering of password changes that are mandated on the domain.
The Cisco VPN client prompts users to change their password for the domain. The password on the domain gets updated, but not the local cached creds.
*** Resolution *** Dec 10 2003 2:14PM
Workaround to this issue:
Cisco VPN remote users get prompted for a password change via the Cisco GINA.
The Cisco GINA does not properly update the cached creds on the local computer.
The workaround for the customer is to change the password at the prompt, lock the workstation and then unlock it with the new password.
This triggers the Microsoft GINA, which contacts the DC and creates a secure channel that allows the GINA to properly update the local creds on the local computer.
The customer should contact Cisco to correct Cisco's GINA behavior. The Cisco GINA should be able to trigger the proper API to force the computer to contact the DC and update the local cached creds, without using the workstation-lock workaround.
Fred
"Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
news:uYWr2zNPEHA.1348@TK2MSFTNGP12.phx.gbl...
> Christoffer,
> Thanks for the reply. Our users normally just log in to the laptops
> using the domain cached credentials. They then establish a VPN connection
> into our Cisco VPN concentrator. If their password has expired, the VPN
> client prompts them to change their password. They can successfully change
> the password but the laptop's password cache is not being updated. This
> same thing happens with our dialup system. I am going to call Microsoft on
> this issue. I will post the results back here.
>
> Thanks,
> Fred
>
> "Chriss3" <noSpamHere@chrisse.se> wrote in message
> news:OX4ZZZFPEHA.2976@TK2MSFTNGP10.phx.gbl...
> > Hello Fred,
> > Do the users log on to the computer using cached domain credentials, or do
> > they connect the VPN during the logon? I think it will change the cached
> > domain credentials as well if you do it that way.
> >
> > --
> > Regards
> > Christoffer Andersson
> >
> > No email replies please - reply in the newsgroup
> > ------------------------------------------------
> > http://www.chrisse.se - Active Directory Tips
> >
> > "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> > news:eWJmmUFPEHA.3020@tk2msftngp13.phx.gbl...
> > >
> > > BACKGROUND
> > > We are migrating to a Windows 2003 AD domain with password changes
> > > required every 90 days. In the past we did not require password changes
> > > and our "road warriors'" laptops belonged to our domain. They used cached
> > > credentials when they were not connected to our network. Things worked
> > > fine for the most part.
> > >
> > > PROBLEM
> > > Now that we are requiring password changes, our remote users (Windows
> > > 2000 Pro and XP Pro) log into their laptops using the cached domain
> > > credentials and then connect to our company via VPN and Dialup. On the
> > > connection attempt, they are forced to change their password for their AD
> > > domain account. They can successfully change their AD domain password but
> > > this DOES NOT change the cached password that the system has. When they
> > > disconnect from our network and try to log in to their laptops using the
> > > cached domain password, they must enter their old password. Our
> > > workaround has been for the user to connect to us and then do a CTRL ALT
> > > DELETE and perform a change password from there. This resets both the
> > > cached password and the domain password and works. We want to implement
> > > a policy that passwords cannot be changed for 2 days after they are set
> > > to keep people from rolling their passwords back to the old one. This
> > > solution is not acceptable for us.
> > >
> > > We are considering making all of our laptops non-domain members. Users
> > > will simply log in to the local machine. They will still have to log in
> > > to the domain when they attempt to connect, but they can choose whether
> > > to keep their local and domain accounts synchronized or not.
> > >
> > > Thanks,
> > > Fred