APM AD Password Change on expired and "change at next logon" - need ideas

PSFletchTheTek · ‎21-Feb-2023

Hi All, So i am using APM as our SSO for a project, it's brilliant and it fixes many problems! For one password changes, using the AD integration i can get the f5 to enforce a password change at the expiry date or days before and also run the same process if the "change password at next logon" tick box has been ticked which is also super handy. Now i believe this process is held inside the "ad auth" module but i could be wrong and correct me if needed, and its all sort of coded inside the block in the policy editor. Now, i've been asked to add the password hints to that page which doesn't seem unreasonable and its also in the CIS Password Policy Guide so i can't really hide from it! But what i can't find is a way to show text when that password change process has been activated, i don't need to show it any other time. Any ideas on what i could do, or can you point me at something right under my noise? Thanks - Fletch

PSFletchTheTek · ‎22-Feb-2023

@Leslie_Hubertus - I've put this into water cooler by mistake.
Can you move it to the technical forum please?

Leslie_Hubertus · ‎22-Feb-2023

Gotcha covered. 🙂

CA_Valli · ‎23-Feb-2023

I've achieved something similar in a recent project.

I've added a "change my password" checkbox to logon page that, when triggered, forcefully sets the password expired option and loops back onto logon page. This way user is able to change his password, password hints were put in "password update" page only modifying page options in policy tree .. (see 'General customization' in this guide, and explode your access profile)

I can share config if it helps

PSFletchTheTek · ‎23-Feb-2023

Hi,

Thanks for the reply, i've got the same sort of process working to trigger the process.
I'll dig into that in a minute, but by pure chance a college hit the page today,.

And when this is seen i want to be adding something like

- Minimum 14 characters

- At least 1 Upper Case

-At least 1 Lower case

- At least 1 special character

- the wind has to be travelling dirtect north and you are standing on one foot.

but only when you are on this page, not at the one before it.
Will the custom part cover that?

CA_Valli · ‎23-Feb-2023

Sure, you can edit the text for "The domain password has expired.." and include another paragraph that contains your custom text.

PSFletchTheTek · ‎23-Feb-2023

Can you also point em at the "password update" page or its inc file in the policy tree?
I can't find it!

CA_Valli · ‎23-Feb-2023

I had to look back at it.. I have to admit it's quite hidden.

Update "user triggered change" first, and "AD password change failure" as well, to retain the info if user inputs bad password.

I've highlighted them below. NOTE -> THEY CHANGE FOR EVERY LANGUAGE.

It supports HTML formatting

<p style='font-size:1em'><font-family:'verdana'>Per soddisfare i requisiti minimi di sicurezza, la password deve:</p>   <p style='font-size:0.8em'>•    Deve avere una <b>lunghezza minima</b> di 8 caratteri;</p> <p style='font-size:0.8em'>•    Deve essere <b>diversa dalle precedenti password</b> e non contenere <b>parti del nome utente</b>;</p> <p style='font-size:0.8em'>•    Deve contenere <b>almeno 3 delle seguenti categorie</b> di caratteri: lettere maiuscole, lettere minuscole, numeri, caratteri speciali / punteggiatura..</p>

Niels_van_Sluis · ‎25-Feb-2023

Check out the link below. Works for the standard APM theme. Should work for the modern APM theme also, with some little adjustments.

https://github.com/nvansluis/f5.password_change_validation

DevCentral

APM AD Password Change on expired and "change at next logon" - need ideas