AD Password expiration gives access to every published app

Discussion in 'Parallels Remote Application Server' started by Solrac, Oct 27, 2011.

  1. Solrac

    Solrac Member

    Messages:
    22
    Hi.

    I have a ASPRN v8 server working with about 200 clients. Let's say that 10 of them have a folder published, another 10 a different one and so on... Every folder has granular permissions and rules; those are ruled by Active Directory, by groups specifically. In the 2X server, granular permissions are filtered by "user" using "WinNT mode" instead of LDAP due to the constant changes on our Active Directory.

    So a password expires, the client renews the password and he is able to log in. When this user logs into the server, all the published folders, applications and desktops become available to him... even if he has only 1 app/desktop/folder published.

    The only possible fix is to restart the Windows session / 2X program / computer on the client side, but this is a huge security hole... I need help to fix it as fast as possible :(


    I have no idea why this is happening... but it is hitting us badly. I hope you can help us.

    Thanks in advance.
     
  2. Anonymous

    Anonymous Guest

    Re: AD Password expiration gives access to every published a

    Solrac, this sounds like a GPO misconfig and 2X client policy misconfig, to be honest with you...
     
  3. Solrac

    Solrac Member

    Messages:
    22
    Re: AD Password expiration gives access to every published a

    Hi Ginex, thanks for the answer :)

    But about that... How? o_O

    2X is supposed to handle all the apps published to every user by itself; this is what the software does.

    So 2x config is pretty straight:

    First Folder containing 6 apps has granted permission to 2 groups only


    Each app has granted permission to 1 different group and 1 of the same groups in the root folder.

    This works perfectly well every time :) until a user has to change the AD password by himself... As soon as he changes the password he logs into 2X again and BANG, all the apps that are not published for him suddenly become available... As I said, this only happens this time. Next day, he logs in again and the apps will be as they are meant to be... 1 folder and 1 app published for that user.

    Do you know what could be misconfigured here? As I said, this problem won't show until a user needs to change his expired Active Directory password. The quick fix is... make all passwords non-expiring, but that's not an option here :(
     
  4. Anonymous

    Anonymous Guest

    Re: AD Password expiration gives access to every published a

    Mmh, I see your point. What is the exact version of the application server you've got?
     
  5. Solrac

    Solrac Member

    Messages:
    22
    Re: AD Password expiration gives access to every published a

    My version of 2x APP server & Load Balancer is 8.1 (build 941)
     
  6. Anonymous

    Anonymous Guest

    Re: AD Password expiration gives access to every published a

    Hey, did you manage to resolve this in the end? Or did you upgrade to the latest version of 2X?
     
  7. Solrac

    Solrac Member

    Messages:
    22
    Re: AD Password expiration gives access to every published a

    Hey Ginex ;)

    Not at all... I wasn't able to fix it and I can't upgrade at the moment; the company let the insurance period expire and now they are in the process of buying the software again.

    The only fix so far is to disable password expiration in Active Directory; if I change the password manually everything goes OK. This isn't helping me, but I hope that the new version will solve this problem.
     
  8. Anonymous

    Anonymous Guest

    Re: AD Password expiration gives access to every published a

    LDAP makes/made any difference?
     
  9. Solrac

    Solrac Member

    Messages:
    22
    Re: AD Password expiration gives access to every published a

    There are a lot of changes in the AD schema on a weekly basis, users going from 1 container to another and such. This makes it almost impossible to use LDAP, because if I switch a user from 1 container to a different one, he will lose every app published in 2X.

    At some point, as a solution, it makes sense to me, but sadly we can't afford it... I will do some tests and post the results here just to know if that can solve the problem.

    :)
     
