Forum Discussion
Can APM Active Directory expired password reset functionality be turned off?
Does anyone know how to disable the functionality of the APM login page where it prompts a user to change their password if their Active Directory password is expired? I'd like to simply reject users with expired passwords. (We have a different solution we'd like them to use for password management).
4 Replies
- Seth_Cooper
Employee
Hi,
What do you have "Prompt user to change password before expiration" set to in the VPE object for AD Query?
Prompt user to change password before expiration Warns the user at a set time before the password expires; provides the option to change the password now. The default value is none. Select none to disable the password expiration warning. Select a preset time period: such as, 2 days, 3 weeks, 1 month to enable the password expiration warning and display it at the set time period before the password expires. Select Custom to enable the password expiration warning and to enter the number of days before password expiration that you want to display the warning.
Is this set to "none"?
Seth
- Algebraic_Mirror
Cirrostratus
Yes, I have it set to disabled. But that setting only controls whether the user gets prompted before their password expires. It doesn't affect what happens once their password is actually expired. In that case, APM always has them try to reset it.
My other thought was setting the "Max Password Reset Attempts" to 0, but in the GUI zero isn't an option in the dropdown. Only the numbers 1-5 are options.
So I still can't find any way to turn it off, unless it's possible to set it to 0 manually via TMSH or bigip.conf (but I was a little nervous about trying that since I don't know if that's a supported configuration).
- brad_11480
Nimbostratus
Have you found an answer to this? I have a related need-
I have an apm policy where we are 'on-boarding' new users as well as handling existing users. new users have expired passwords. existing users we don't care and don't want them to authenticate. (the authenticate is simply to get their AD password changed for the new users).
we have the user identifier (username).
we want to have only those users that we are 'on-boarding' -- who have expired passwords to go through the AD Auth where it will see the password is expired and ask them to reset it.
How can we 'pre-check' that the user is expired or not? AD Query with a branch? or LDAP Query to AD with a branch?
What would the test be to determine that this user has an expired password?
Thanks in advance...
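The "is this password expired?" test brad_11480 asks about, as an added example that is not from any poster or from F5: AD stores pwdLastSet as a FILETIME (100 ns ticks since 1601-01-01 UTC, with 0 meaning "must change at next logon"), the domain maxPwdAge as a negative 100 ns interval, and "password never expires" as bit 0x10000 of userAccountControl. This Python code combines those attributes on constructed sample values; it assumes the attributes were already fetched by an AD Query or LDAP lookup.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit: "password never expires"
NEVER = -0x8000000000000000      # maxPwdAge sentinel meaning "passwords never expire"


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD large-integer timestamp (e.g. pwdLastSet) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def password_expired(pwd_last_set: int, user_account_control: int,
                     max_pwd_age: int, now: datetime) -> bool:
    """True when the account's password must be treated as expired.

    pwd_last_set: pwdLastSet ticks (0 = must change at next logon)
    max_pwd_age:  domain maxPwdAge, a negative interval (0 or NEVER = no expiry)
    """
    if pwd_last_set == 0:
        return True
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return False
    if max_pwd_age in (0, NEVER):
        return False
    lifetime = timedelta(microseconds=-max_pwd_age // 10)
    return filetime_to_datetime(pwd_last_set) + lifetime <= now


def classify(accounts: dict, max_pwd_age: int, now: datetime) -> dict:
    """Map each sample account to its expired/not-expired verdict."""
    return {name: password_expired(a["pwdLastSet"], a["userAccountControl"], max_pwd_age, now)
            for name, a in accounts.items()}


# Constructed sample data (not from a real directory): a 42-day domain policy
# and four accounts as an AD/LDAP query might return them.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
SAMPLE_ACCOUNTS = {
    "newhire": {"pwdLastSet": 0, "userAccountControl": 0x200},
    "alice":   {"pwdLastSet": datetime_to_filetime(datetime(2024, 1, 2, tzinfo=timezone.utc)), "userAccountControl": 0x200},
    "svc_app": {"pwdLastSet": datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc)), "userAccountControl": 0x10200},
    "bob":     {"pwdLastSet": datetime_to_filetime(datetime(2023, 11, 1, tzinfo=timezone.utc)), "userAccountControl": 0x200},
}
```

Fine-grained password policies (PSOs) override the domain maxPwdAge, and on domain controllers that expose the constructed attribute msDS-UserPasswordExpiryTimeComputed you can read the expiry time directly instead of doing this arithmetic.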
- Algebraic_Mirror
Cirrostratus
The answer I ended up getting is that it isn't supported. But, it still might be worth opening a support case to see if anything like that is in later versions of the product. And if not, your ticket could be associated with an RFE to have that be added, since there are some use cases like yours and mine where it would be very useful.