gschouten32

Expired AD-password: not redirected sspr-portal


We have the following case:
User accounts in MS-AD are expiring by a policy. When the password is
expired the AD-user is unable to logon. The user is not redirected to
the SSPR-portal (we configured NAM password expiration servlet) and a
‘password is expired’ message exists on the logon page.

MS-AD calculates whether a password is expired (password expiration date) from
the attribute pwdlastset and the password policy maximum password age.

Strange thing is when I set the option ‘user must change password at
next logon’ (attribute pwdlastset is then 0, so password is expired) the
AD-user is correctly redirected to the SSPR-portal.
Only when the password is expired by the policy the user is not
redirected to the SSPR-portal and a ‘password is expired’ message exists
on the logon page.

Can anyone explain this?


I read the documentation:
Redirection to Password Management Servlet Protected by Access Gateway
When Password Expires:
When an Active Directory user with an expired password logs in to an
authentication contract with a Password Expiration servlet configured,
the user is redirected to the password management URI. If the Password
Management portal is protected by Access Manager, the user is prompted
again for authentication and is not permitted to login as the user
password has expired.

I configured the desired steps but then a user can logon with an expired
password but is not redirected to the SSPR-portal. So that’s not a
desired solution.


--
gschouten32
------------------------------------------------------------------------
gschouten32's Profile: https://forums.netiq.com/member.php?userid=2546
View this thread: https://forums.netiq.com/showthread.php?t=57263
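The post above describes how AD derives the expiration date from pwdLastSet and the domain's maximum password age, and the two distinct states it observed (pwdLastSet of 0 for "must change at next logon" versus expiry by policy). The following is an added example, not code from the original thread or from NetIQ/Micro Focus, that reproduces that calculation offline so an administrator can audit which accounts are in which state. It assumes pwdLastSet is a Windows FILETIME tick count and maxPwdAge is the domain's negative 100-ns interval (both as AD stores them); the account list, the 90-day policy and the "now" timestamp are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows FILETIME epoch (1601-01-01 UTC), counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES_SENTINEL = -0x8000000000000000  # maxPwdAge value meaning "no maximum age"
DONT_EXPIRE_PASSWD = 0x10000                  # userAccountControl flag


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count (as stored in pwdLastSet) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample accounts."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND


def password_expires_at(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """Expiry instant for a password set at pwd_last_set under the domain maxPwdAge.

    maxPwdAge is stored as a *negative* interval, so subtracting it moves forward in time.
    Returns None when the domain has no maximum password age.
    """
    if max_pwd_age == 0 or max_pwd_age == NEVER_EXPIRES_SENTINEL:
        return None
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def password_status(pwd_last_set: int, max_pwd_age: int,
                    user_account_control: int, now: datetime) -> str:
    """Classify an account the way the thread distinguishes the cases."""
    if user_account_control & DONT_EXPIRE_PASSWD:
        return "never-expires"
    if pwd_last_set == 0:
        # "User must change password at next logon": the case the post saw redirected.
        return "must-change"
    expires_at = password_expires_at(pwd_last_set, max_pwd_age)
    if expires_at is None:
        return "no-max-age"
    # Expired by policy: the case the post saw *not* redirected.
    return "expired" if now >= expires_at else "valid"


def audit_accounts(accounts: List[dict], max_pwd_age: int, now: datetime) -> Dict[str, str]:
    """Return {sAMAccountName: status} for a list of account dicts."""
    return {
        a["sAMAccountName"]: password_status(a["pwdLastSet"], max_pwd_age,
                                             a["userAccountControl"], now)
        for a in accounts
    }


# Constructed sample data: a 90-day maximum age and a "now" near the thread's date.
NINETY_DAYS = -90 * 86400 * TICKS_PER_SECOND
SAMPLE_NOW = datetime(2017, 1, 27, 22, 24, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,        # normal account, fresh password
     "pwdLastSet": datetime_to_filetime(datetime(2017, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200,          # expired by policy
     "pwdLastSet": datetime_to_filetime(datetime(2016, 10, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200,        # must change at next logon
     "pwdLastSet": 0},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10200,  # DONT_EXPIRE_PASSWD set
     "pwdLastSet": datetime_to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    for name, status in audit_accounts(SAMPLE_ACCOUNTS, NINETY_DAYS, SAMPLE_NOW).items():
        print(f"{name:12s} {status}")
```

Running the audit against a real directory only requires replacing SAMPLE_ACCOUNTS with the pwdLastSet and userAccountControl values read from AD and NINETY_DAYS with the domain's maxPwdAge; the classification logic stays the same, and the "expired" versus "must-change" split is exactly the distinction the post is asking about.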

Knowledge Partner

Re: Expired AD-password: not redirected sspr-portal

On 1/27/2017 10:24 PM, gschouten32 wrote:
>
> We have the following case:
> User accounts in MS-AD are expiring by a policy. When the password is
> expired the AD-user is unable to logon. The user is not redirected to
> the SSPR-portal (we configured NAM password expiration servlet) and a
> ‘password is expired’ message exists on the logon page.
>
> MS-AD calculate if a password is expired (password expiration date) with
> the attribute pwdlastset and password policy maximum password age.
>
> Strange thing is when I set the option ‘user must change password at
> next logon’ (attribute pwdlastset is then 0, so password is expired) the
> AD-user is correctly redirected to the SSPR-portal.
> Only when the password is expired by the policy the user is not
> redirected to the SSPR-portal and a ‘password is expired’ message exists
> on the logon page.
>
> Can anyone explain this?
>
>
> I read the documentation:
> Redirection to Password Management Servlet Protected by Access Gateway
> When Password Expires:
> When an Active Directory user with an expired password logs in to an
> authentication contract with a Password Expiration servlet configured,
> the user is redirected to the password management URI. If the Password
> Management portal is protected by Access Manager, the user is prompted
> again for authentication and is not permitted to login as the user
> password has expired.
>
> I configured the desired steps but then a user can logon with an expired
> password but is not redirected to the SSPR-portal. So that’s not a
> desired solution.
>
>


Can you check in the LDAP response from AD if you actually get a
notification back from AD that the password has expired? This might be
tricky to do if you use SSL.

--
Cheers,
Edward
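Edward's suggestion is to look at what AD actually returns on the bind. When a simple bind fails, AD answers with LDAP resultCode 49 (invalidCredentials) and places a hexadecimal sub-status after "AcceptSecurityContext error, data" in the diagnostic message; 532 is "password expired" and 773 is "user must reset password". The following is an added example, not code from the thread or from NetIQ/Micro Focus, that decodes that field so the two cases in the question can be told apart in a trace. It assumes you already have the result code and diagnostic message from your LDAP client (or from a decrypted capture, as the reply notes this is harder over SSL); the sample messages, including the DSID value, are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sub-status codes AD places in the diagnosticMessage of a failed simple bind
# (LDAP resultCode 49, invalidCredentials). The "data" value is hexadecimal.
AD_BIND_SUBCODES: Dict[int, str] = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

LDAP_INVALID_CREDENTIALS = 49

# Only the "data <hex>" token after the AcceptSecurityContext comment is significant.
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def bind_failure_reason(result_code: int, diagnostic_message: str) -> Optional[str]:
    """Map a bind result to a human-readable reason, or None if the bind succeeded."""
    if result_code != LDAP_INVALID_CREDENTIALS:
        return None
    match = _DATA_RE.search(diagnostic_message or "")
    if not match:
        return "invalid credentials (no sub-status in diagnostic message)"
    code = int(match.group(1), 16)
    return AD_BIND_SUBCODES.get(code, f"unknown sub-status 0x{code:x}")


def password_change_required(result_code: int, diagnostic_message: str) -> bool:
    """True for the two states a password-expiration redirect should handle."""
    return bind_failure_reason(result_code, diagnostic_message) in (
        "password expired", "user must reset password")


# Constructed sample responses (the DSID is a placeholder, not a real server value).
SAMPLE_RESPONSES: List[Tuple[int, str]] = [
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"),
    (0, ""),
]


def summarize(responses: List[Tuple[int, str]]) -> List[Tuple[Optional[str], bool]]:
    """Decode each response into (reason, needs password change)."""
    return [(bind_failure_reason(rc, msg), password_change_required(rc, msg))
            for rc, msg in responses]


if __name__ == "__main__":
    for (rc, msg), (reason, change) in zip(SAMPLE_RESPONSES, summarize(SAMPLE_RESPONSES)):
        print(f"resultCode={rc:<3} reason={reason!r:50} change_required={change}")
```

If the bind for a policy-expired user comes back with data 532 while the forced-change user comes back with data 773, the directory is signalling both states and the difference in redirection lies on the Access Manager side; if the 532 case returns something else, the expiration is not being reported at bind time and the servlet has nothing to act on.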