FR 1.1.7 + AD 2003 + LDAP

A.L.M.Buxey at lboro.ac.uk
Sat Apr 12 19:01:54 CEST 2008


Hi,
> Charlie B wrote:
>> Has no one else experienced this issue where reset password confuses 
>> WinXP?  I really don't want to use IAS.  Any ideas?
>
> Let me get this straight: You have machines in the domain, users doing 
> domain logins, and wired 802.1x using the domain credentials. When you 
> change a user's password, the username/password cached on the client is no 
> longer valid, and they fall off the network.
>
> It's hard to see what else could happen; you've changed their password and 
> given the machine they're logged onto no way of knowing that. Why don't you 
> just let them change their password?
>
> Very likely many resources would continue to be accessible because the 
> credential cache includes a valid Kerberos TGT, but that isn't used for 
> 802.1x/MS-CHAP - it's the plain username/password.
>
> Whatever happens, the client machine would have to prompt the user for 
> their new username/password.
>
> Does this work with IAS? If so, it may be that there's an error code which 
> can be put in an MS-CHAP-Error attribute. However, very likely Samba would 
> have to generate the error code.
>
> In short, I don't think it's going to work any time soon.

We see the same issue when using machine credentials for wireless login.
The AD will update the password of the machine within the time frame
set in the AD - for us, 90 days - and then when the client attempts
to validate against AD, they have a small discussion to get things
back into sync.

On the wired side this works, as it seems that the client will do this over an 
'open' link; however the partnering won't happen over an encrypted link(!) 
- go figure - perhaps to stop it happening over a PPTP VPN link when the user 
is away from work? Therefore the next time the user tries to associate 
to wifi they cannot log in. The only fix is for them to plug into a wired socket...
magically wifi works again.

A fix?  None that I have struggled to come up with, I'm afraid.

alan