AD Password Change Fails with "password restrictions"


michaelahess
Contributor (0)
Sep 8, 2017 8:11pm
Windows 2016 AD environment. Set up Pulse with a new Auth server (not legacy mode), can authenticate and log in fine. When I first tested under the troubleshooting tab, it let me change a password exactly once. I've tried with a new account, existing accounts, etc. I get the error on the web interface after login and in the Troubleshooter.

The User Access Log gives me this:

Info AUT30923 2017-09-08 14:06:43 - ive - [x.x.x.x] mypulseadminaccount(Admin Users)[.Administrators] - Active Directory authentication server 'Active Directory' : Received NTSTATUS code 'STATUS_WRONG_PASSWORD' .
Info AUT30923 2017-09-08 14:06:42 - ive - [x.x.x.x] mypulseadminaccount(Admin Users)[.Administrators] - Active Directory authentication server 'Active Directory' : Received NTSTATUS code 'STATUS_PASSWORD_RESTRICTION' .

And the Troubleshooter gives me this:

=== Test User Password Change ===
Password change for user testuser ... [FAILED]
Returned error code : STATUS_PASSWORD_RESTRICTION
When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.

I'm using my domain admin account for testing so I know it has the permissions needed for this.

Any ideas why this isn't working?



zanyterp
Pulse Secure Contributor (40)
Sep 10, 2017 8:38pm
Are you using a standard admin or delegated admin on the AD instance?
Is the user account or admin account locked out?
Have you disabled SMB1?
Have you enabled legacy LM support?
Is the password you are trying to change for the admin defined on the AD server instance or another user?
It sounds like the admin account may have had the password changed and not updated on the appliance.
    michaelahess
    Contributor (0)
    Sep 11, 2017 2:16pm
    Standard Admin
    Not locked out
    Did not disable SMB1 or enable legacy LT (shouldn't have to as I saw it work, right?)
    I've fully removed and re-added the generated computer and settings on the appliance, as well as simply trying to update the user/pass (restarting SAMBA)

    I don't get any failures in the DC's event logs either.

    Thank you!