Cisco - AnyConnect Domain Password change

Using Cisco AnyConnect with AD users you may find that your account password has expired and you are unable to connect. To work around this you need to configure the Cisco ASA to authenticate to the DC using LDAPS (TCP port 636) rather than plain LDAP (TCP port 389): AD only accepts a password change over an encrypted connection, so the ASA cannot push the new password over plain LDAP.
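As an added example (not from the original post), here is what that change looks like on the ASA: the plain-LDAP server group beside the LDAPS one, and the AnyConnect tunnel group pointed at the LDAPS group with password management enabled. The group names, IP address, DNs, password and tunnel-group name are placeholders.

```cisco
! Added example, not from the original post. Group names, IP address,
! DNs, password and tunnel-group name are placeholders; use your own.
!
! BEFORE: plain LDAP on TCP 389. Login works, but AD refuses to accept
! a new password over an unencrypted connection, so a user with an
! expired password cannot change it through AnyConnect.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-port 389
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <service-account-password>
 server-type microsoft
!
! AFTER: the same server group over LDAPS on TCP 636. The DC must be
! set up for LDAPS first (see the links in this post).
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 10.0.0.10
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <service-account-password>
 server-type microsoft
!
! Point the AnyConnect tunnel group at the LDAPS group and let the ASA
! prompt for a new password at login when the current one has expired
! (password-expire-in-days also warns users N days before expiry).
tunnel-group ANYCONNECT-VPN general-attributes
 authentication-server-group AD-LDAPS
 password-management password-expire-in-days 3
```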

Your AD server must be able to accept authentication over LDAPS (normally this is not configured by default).

Here is an article that explains how to do that:

https://www.petenetlive.com/KB/Article/0001273

For a general idea of LDAPS, have a look at the articles below:

https://techcommunity.microsoft.com/t5/sql-server/step-by-step-guide-to-setup-ldaps-on-windows-server/ba-p/385362

https://www.petenetlive.com/KB/Article/0000962


P.S. 1: for LDAP(S) testing purposes you can use the ldp.exe utility on the DC:

1. Open the utility:

C:\> ldp.exe

2. From Connection, select Connect.

3. Enter the name of the target domain controller.

4. Enter 636 as the port number (this is the LDAPS port) and tick the SSL box; without it ldp.exe tries plain LDAP on that port and the connection fails.

5. Click OK to confirm the connection works.

You're all done!


P.S. 2: note that Citrix NetScaler also requires LDAPS to let users change their password when it has expired (otherwise the user is blocked).