Forum Discussion

Stefan_Klotz
Jun 28, 2011

Sharepoint with APM and expired AD-passwords

In one of our projects we want to place Sharepoint servers behind a BIG-IP including the APM.

 

The APM should be used to verify a client certificate and should pass the credentials of the SSO towards an AD.

 

Now the question came up what happens if the password is expired (there is a global AD password policy that passwords must be renewed after 90 days). The customer's preferred option would be that the BIG-IP should handle this as well. As far as I know, there is an event within APM which can be triggered when such a password-expired message comes from the AD. But what to do next?

 

Has anyone already configured such a scenario? If not, are there any useful ideas or hints which we can use or search for?

 

Thank you!


Ciao Stefan :)

 

  • During further investigation, including several F5 documents, I could find the following:

     

    Active Directory password management

     

    Access Policy Manager supports password management for Active Directory authentication. This works in the following order:

     

    - Access Policy Manager uses the client's user name and password to authenticate against the Active Directory server on behalf of the client.

     

    - If the client's user password on the Active Directory server has expired, Access Policy Manager returns a new logon page back to the client, requesting that the client change its password.

     

    - After the client submits the new password, Access Policy Manager attempts to change the password on the Active Directory server.

     

    If this is successful, the client's authentication is validated.

     

    If the password change fails, it is likely that the Active Directory server rejected it because the password did not meet the minimum requirements, such as password length.

     

    Note: By default, users are given only one attempt to reset their password. However, an administrator can configure the max logon attempt allowed of the authentication agent to a value larger than 1, which gives users multiple opportunities to reset their passwords.


    I'll play with this a little bit in the next days (as our APM license is not yet available) and let you know the results.


    Ciao Stefan :)

     

  • Ran into the same issue, but this time it is a little bit different. Since you can only have 1 domain controller on an APM AAA AD Authentication profile, the workaround is to set up a VS and a pool of Domain Controllers, so we have the VS:0 and poolmembers:0, and under the APM policy we say Authenticate using the AD Virtual Server we created. This is working great for Authentication, but when a user needs to change their password because the AD password credential expired, APM prompts the user to change the password but it fails, and the user is stuck in that loop where they enter the credentials and the new password does not get changed.

     

    So the situation is the same as above, but we are using a VS to be able to authenticate to multiple AD servers by load balancing. Any ideas?

     

  • Hi all, have you solved the problem of expired passwords? I have the same configuration presented by Maynor, no way to change an expired password. The APM log says:


    01490107:3: a24a7299: AD module: change password for 'userxxxx' failed in krb5_change_password(): Cannot contact any KDC for requested realm (-1765328228)


    Thanks
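    A small parser for the APM "AD module: change password ... failed" log line quoted above, added here as an example and not part of any post in this thread or of F5's own tooling. It pulls out the session id, user, failing call and Kerberos error code so failed password changes can be picked out of an APM log, and attaches a remediation hint for the "Cannot contact any KDC" case; that hint is an assumption drawn from the Kerberos change-password protocol (RFC 3244, kpasswd on TCP/UDP 464), not from F5 documentation, and the second sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the APM log line quoted in this thread:
#   <msgid>:<level>: <session>: AD module: change password for '<user>' failed in <func>(): <reason> (<code>)
AD_CHANGE_PW_FAIL = re.compile(
    r"^(?P<msgid>[0-9a-f]{8}):(?P<level>\d): (?P<session>[0-9a-f]+): "
    r"AD module: change password for '(?P<user>[^']+)' failed in "
    r"(?P<func>\w+)\(\): (?P<reason>.*?) \((?P<code>-?\d+)\)\s*$"
)

# Hints keyed on (failing call, Kerberos error text). Assumption based on
# RFC 3244 (kpasswd, TCP/UDP 464), not on F5 documentation.
HINTS = {
    ("krb5_change_password", "Cannot contact any KDC for requested realm"):
        "APM could not reach a KDC for the password change: check that the AD "
        "virtual server/pool forwards kpasswd (TCP/UDP 464) as well as LDAP and "
        "that the realm's KDCs resolve from the BIG-IP.",
}

@dataclass
class ChangePasswordFailure:
    session: str
    user: str
    func: str
    reason: str
    code: int
    hint: Optional[str]

def parse_change_password_failure(line: str) -> Optional[ChangePasswordFailure]:
    """Parse one APM log line; None if it is not an AD change-password failure."""
    m = AD_CHANGE_PW_FAIL.match(line.strip())
    if not m:
        return None
    func, reason = m.group("func"), m.group("reason")
    return ChangePasswordFailure(session=m.group("session"), user=m.group("user"),
                                 func=func, reason=reason, code=int(m.group("code")),
                                 hint=HINTS.get((func, reason)))

def scan_apm_log(lines: List[str]) -> List[ChangePasswordFailure]:
    """Return every change-password failure found; other lines are skipped."""
    return [f for f in (parse_change_password_failure(l) for l in lines) if f]

# Constructed sample: the line quoted in this thread plus one unrelated line.
SAMPLE_LOG = [
    "01490107:3: a24a7299: AD module: change password for 'userxxxx' failed in krb5_change_password(): Cannot contact any KDC for requested realm (-1765328228)",
    "a24a7299: AD module: constructed unrelated line, not a change-password failure",
]

if __name__ == "__main__":
    for f in scan_apm_log(SAMPLE_LOG):
        print(f"{f.session} user={f.user} func={f.func} code={f.code}: {f.reason}")
        if f.hint:
            print("  hint:", f.hint)
```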


  • Ben_Cuthbert_90 (Historic F5 Account): Check your administrator password. In 10.2, for example, it became case sensitive: http://support.f5.com/kb/en-us/solutions/public/12000/500/sol12522.html?sr=18225457
  • Hi all, I've also got the same setup as Maynor. When pointing the APM straight to a Domain Controller, the pw change works correctly. But when it's going through the VS it fails (I tried just having a single Domain Controller in the pool, but that still fails). The admin password is correct. Do I need to join the F5s to the domain?