Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 0 subscribers
  • Views 7937 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web appliance, Active Directory and expired passwords

Robin_L

Hi,

The Sophos Web Appliance, when configured to integrate with Active Directory, authenticates users before allowing them to connect to the internet using Internet Explorer.

Due to our password policy settings where users are required to change their password often, our Help Desk receive a lot of calls from different users at different times of the day because they can't connect to the internet which is due to the password of the users having just expired.

Is it possible to continue having the web appliance integrated with Active Directory for reporting purposes but either configure the appliance not to authenticate a user every time that user wants to connect to the internet or is there a workaround?

For example,  could the appliance be configured to allow the user to connect to the internet for the entire day after first authenticating without needing to re-authenticate during the day? Could they in effect authenticate once and that authentication is valid for 24 hours or until the end of the current day? If this isn't possible, what is possible?

Lastly, could the web appliance return a message to the user saying their password has expired?

If the behaviours above can't be changed, could I request these for future releases?

Thanks

Robin

:41015


This thread was automatically locked due to age.
Parents
  • 0

    “Lastly, could the web appliance return a message to the user saying their password has expired?”

    Robin, Windows should be doing this for you. Users should get a password expiration notification before it expires. This can be configured in group policy. This has nothing to do with the Web Appliance. This would be more of an IT admin issue to configure the notification and end user training teaching them to change their password before it expires or by having them log out of their computer every night.

    Also, if their password is expiring while they are logged into their computer, you have more issues happening than just Internet authentication. Their outlook may stop authentication, they might not be able to get to shares, etc.

    By doing the above, it should fix most of your issues that you are seeing with password expirations. If Sophos allowed users to stay authenticated an entire day, this could raise multiple security concerns, as the user is truly not authenticating the remainder of the day. Basically, there is no timeout period. If an account gets disabled, they would still have access to the Internet at that point until it timed out. It would be like allowing users to stay logged onto their computers all day long without them locking after a certain time.

    :41021
Reply
  • 0

    “Lastly, could the web appliance return a message to the user saying their password has expired?”

    Robin, Windows should be doing this for you. Users should get a password expiration notification before it expires. This can be configured in group policy. This has nothing to do with the Web Appliance. This would be more of an IT admin issue to configure the notification and end user training teaching them to change their password before it expires or by having them log out of their computer every night.

    Also, if their password is expiring while they are logged into their computer, you have more issues happening than just Internet authentication. Their outlook may stop authentication, they might not be able to get to shares, etc.

    By doing the above, it should fix most of your issues that you are seeing with password expirations. If Sophos allowed users to stay authenticated an entire day, this could raise multiple security concerns, as the user is truly not authenticating the remainder of the day. Basically, there is no timeout period. If an account gets disabled, they would still have access to the Internet at that point until it timed out. It would be like allowing users to stay logged onto their computers all day long without them locking after a certain time.

    :41021
Children
No Data
Unfiltered HTML