Advanced Password Management Settings
If your organization uses Microsoft Active Directory (AD) to manage users, you can use these password settings to allow continuous remote access for your users.
Note - Mobile Access does not support Microsoft Active Directory 2000.
Password Expiration Warning
Administrators can configure SmartDashboard to tell users to change their passwords before they expire. This is an efficient way to ensure that users have continuous access to resources. See sk33404.
Managing Expired Passwords
Passwords expire in these cases:
- The password exceeds the maximum number of days set in the Active Directory Group Policy.
- The "User must change password at next logon" option in the Active Directory configuration is enabled.
When the password expires, a message tells the user that the login failed. The administrator can configure a setting in SmartDashboard to give users the option to enter a new password after the old one has expired. Users whose passwords have expired then receive the message: "Your password has expired. Enter a new password." They must then enter and confirm a new password to enter the Mobile Access or VPN client portal.
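The two expiry conditions above correspond to Active Directory attributes, so an administrator can check in advance which accounts will reach the expired-password prompt. The following is an added example, not Check Point code: it classifies accounts from pwdLastSet, the domain maxPwdAge and userAccountControl. The function names, the sample accounts and the 14-day warning window are assumptions made for illustration, and fine-grained password policies are not considered.

```python
from datetime import datetime, timedelta, timezone

# AD stores times as 100-nanosecond ticks since 1601-01-01 UTC (Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: password never expires
NO_MAX_AGE = (0, -(2**63))      # maxPwdAge values meaning "no maximum age"

def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_status(pwd_last_set, max_pwd_age, uac, now, warn_days=14):
    """Return (state, days_left) from raw AD attribute values.

    pwd_last_set: the user's pwdLastSet; 0 means the password must be changed at next logon.
    max_pwd_age:  the domain's maxPwdAge, stored as a negative tick count.
    warn_days:    hypothetical warning window chosen for this example.
    """
    if uac & DONT_EXPIRE_PASSWORD:
        return ("never_expires", None)
    if pwd_last_set == 0:
        return ("must_change", None)
    if max_pwd_age in NO_MAX_AGE:
        return ("never_expires", None)
    expires = from_filetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    if now >= expires:
        return ("expired", 0)
    days_left = (expires - now).days
    return ("warn" if days_left <= warn_days else "ok", days_left)

# Constructed sample data: (name, days since last change or None for pwdLastSet=0, userAccountControl)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_AGE_90D = -to_filetime(FILETIME_EPOCH + timedelta(days=90))
SAMPLE = [("alice", 80, 0x200), ("bob", 100, 0x200), ("carol", None, 0x200),
          ("dave", 400, 0x10200), ("erin", 10, 0x200)]

def report(sample=SAMPLE, now=NOW):
    out = {}
    for name, age_days, uac in sample:
        last_set = 0 if age_days is None else to_filetime(now - timedelta(days=age_days))
        out[name] = password_status(last_set, MAX_AGE_90D, uac, now)
    return out

if __name__ == "__main__":
    for name, status in report().items():
        print(name, status)
```

Accounts reported as expired or must_change are the ones that see the new-password prompt once password change after expiration is enabled.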
Configuring Password Change After Expiration
You can configure password change after expiration on gateways of version R71 or higher. Make sure that the LDAP server is configured to work with LDAP over SSL.
To enable password change after expiration:
- In SmartDashboard, select Global Properties > User Directory (LDAP).
- Under User Directory (LDAP) Properties, select Enable Password change when a user's Active Directory password expires.
- In the LDAP Account Unit Properties window, make sure the assigned Profile is Microsoft_AD.
- Make sure that the Login DN for the LDAP server, as configured in SmartDashboard, has sufficient permissions to modify the passwords of Active Directory users.
- In the LDAP Server Properties window, in the Encryption tab, select Use Encryption (SSL).
- If the LDAP schema of the Active Directory is not extended with Check Point's LDAP schema, use GuiDBedit, the Check Point Database Tool to make these changes:
- Select Managed Objects > LDAP > Microsoft_AD > Common
SupportOldSchema and change its value to
For more about LDAP and user management, see the R76 Security Management Administration Guide.