
PSFletchTheTek
Feb 21, 2023

APM AD Password Change on expired and "change at next logon" - need ideas

Hi All,

So I am using APM as our SSO for a project, it's brilliant and it fixes many problems! For one, password changes: using the AD integration I can get the F5 to enforce a password change at the expiry date or days before, and also run the same process if the "change password at next logon" tick box has been ticked, which is also super handy.

Now I believe this process is held inside the "ad auth" module, but I could be wrong and correct me if needed, and it's all sort of coded inside the block in the policy editor.

Now, I've been asked to add the password hints to that page, which doesn't seem unreasonable, and it's also in the CIS Password Policy Guide so I can't really hide from it! But what I can't find is a way to show text when that password change process has been activated; I don't need to show it any other time.

Any ideas on what I could do, or can you point me at something right under my nose?

Thanks - Fletch

8 Replies

  • I've achieved something similar in a recent project. 

    I've added a "change my password" checkbox to the logon page that, when triggered, forcefully sets the password expired option and loops back onto the logon page. This way the user is able to change his password; password hints were put in the "password update" page only modifying page options in the policy tree (see 'General customization' in this guide, and explode your access profile).

    I can share config if it helps

    • Hi,

      Thanks for the reply, I've got the same sort of process working to trigger the process.
      I'll dig into that in a minute, but by pure chance a colleague hit the page today.

      And when this is seen I want to be adding something like

      - Minimum 14 characters
      - At least 1 Upper Case
      - At least 1 Lower case
      - At least 1 special character
      - the wind has to be travelling direct north and you are standing on one foot.

      but only when you are on this page, not at the one before it.
      Will the custom part cover that?

      • CA_Valli (MVP)

        Sure, you can edit the text for "The domain password has expired.." and include another paragraph that contains your custom text.

  • Can you also point me at the "password update" page or its inc file in the policy tree?
    I can't find it!

    • CA_Valli (MVP)

      I had to look back at it. I have to admit it's quite hidden.

      Update "user triggered change" first, and "AD password change failure" as well, to retain the info if the user inputs a bad password.

      I've highlighted them below. NOTE -> THEY CHANGE FOR EVERY LANGUAGE. 

      It supports HTML formatting


      <p style='font-size:1em; font-family:verdana'>Per soddisfare i requisiti minimi di sicurezza, la password deve:</p>
      <p style='font-size:0.8em'>•    Deve avere una <b>lunghezza minima</b> di 8 caratteri;</p>
      <p style='font-size:0.8em'>•    Deve essere <b>diversa dalle precedenti password</b> e non contenere <b>parti del nome utente</b>;</p>
      <p style='font-size:0.8em'>•    Deve contenere <b>almeno 3 delle seguenti categorie</b> di caratteri: lettere maiuscole, lettere minuscole, numeri, caratteri speciali / punteggiatura..</p>
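
Because the message text is rendered as HTML and has to be maintained per language and in two messages, one way to keep the hints identical everywhere is to generate the block from a single rule list and escape it, so a hint that lists special characters such as `<` or `&` is displayed instead of being parsed as markup. This is an added example, not code from the thread or from F5; the rule texts are constructed from the list in the question, the function names are hypothetical, and it assumes the field displays standard HTML entities.

```javascript
// Added example (not F5 code). Hint texts are constructed from the rules
// listed in the thread; add one entry per language configured in the profile.
const HINTS = {
  en: {
    intro: "To meet the minimum security requirements, the password must have:",
    rules: ["Minimum 14 characters", "At least 1 upper case letter",
      "At least 1 lower case letter", "At least 1 special character, e.g. ! & < >"],
  },
  it: {
    intro: "Per soddisfare i requisiti minimi di sicurezza, la password deve avere:",
    rules: ["Minimo 14 caratteri", "Almeno 1 lettera maiuscola",
      "Almeno 1 lettera minuscola", "Almeno 1 carattere speciale, ad es. ! & < >"],
  },
};

// Escape text so characters such as < and & are shown literally instead of
// being parsed as markup by the browser.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the hint paragraphs for one language, in the same <p style=...> form
// used in the thread. Unknown languages fail loudly rather than silently
// leaving a page without hints.
function hintBlock(lang) {
  const hints = HINTS[lang];
  if (!hints) throw new Error(`no hint text defined for language "${lang}"`);
  const intro = `<p style='font-size:1em'>${escapeHtml(hints.intro)}</p>`;
  const rules = hints.rules.map(
    (rule) => `<p style='font-size:0.8em'>&bull; ${escapeHtml(rule)}</p>`
  );
  return [intro, ...rules].join("\n");
}

// Append the hints to an existing message text. Call it once per message
// ("user triggered change", "AD password change failure") and per language,
// then paste the result into the matching customization field.
function withHints(message, lang) {
  return `${escapeHtml(message)}\n${hintBlock(lang)}`;
}

// Constructed sample message, not the product's default text.
console.log(withHints("Your password must be changed.", "en"));
```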