Forum Discussion

veredgf_96123
May 09, 2018

message re password expiration

I am trying to test this feature.


In an AD query I had the setting "Prompt user to change password before expiration" configured to 4 days. In the actual AD I set the policy to have the password changed when it is 2 days old.


Unfortunately we receive no message prompt. The user used to connect to the AD is a Domain Admin, so it should have all privileges. I also tried clearing the "Password Security Object Cache Lifetime". Nothing helped.


Any ideas as to what I am missing?


Thanks,


Vered


3 Replies

  • Hello,


    Are you sure that the user has sufficient privilege?


    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/2.html


    (APM must fetch password policies, for example, if you select the Prompt user to change password before expiration option in an AD Query action.) If you do not provide Admin account information in this configuration, APM uses the user account to fetch information. This works if the user account has sufficient privilege...


    Please check the account privilege and try again.


    Regards


  • Hi, I double checked the user, and he is a domain admin, which gives him all the rights.


    I am including two images of the policy and AAA config (sans revealing info).


  • Just in case someone's having the exact issue. I've just managed to fix mine. Drove me crazy.

    Make sure (in my case) that your GPO interactive logon setting 'Prompt user to change password before expiration' (e.g. 14 days) matches your F5 Access Policy AD Query setting (2 weeks = 14 days). If you make the change here, you then need to go to F5 - Authentication - Active Directory - select your AD Server - Password security object cache lifetime (days) - Clear Cache. Otherwise you may still have issues with the password expiry.
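The prompt discussed in this thread depends on three AD values: maxPwdAge on the domain object (a negative 100-nanosecond interval), and pwdLastSet (a Windows FILETIME) plus userAccountControl on the user. The snippet below is an added example, not APM's own code or anything from the posters, that reproduces the arithmetic with constructed sample values so you can sanity-check what a given policy and prompt threshold should produce before blaming the APM config or its cache. The thresholds (14-day GPO/AD Query match from the last reply, and the 4-day prompt vs 2-day maximum age from the original post) are taken from the thread; the user and domain attribute values are made up.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME epoch (1601-01-01 UTC), counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = TICKS_PER_SECOND * 86_400
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl flag: password never expires
NEVER_EXPIRES_SENTINEL = -(2 ** 63)  # maxPwdAge value meaning "never"


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD FILETIME (pwdLastSet) into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse helper, used only to build the constructed sample below."""
    delta = dt - FILETIME_EPOCH
    return int(delta.total_seconds()) * TICKS_PER_SECOND


def max_pwd_age_days(max_pwd_age: int) -> Optional[float]:
    """maxPwdAge is stored negated; 0 or the sentinel means no expiry."""
    if max_pwd_age == 0 or max_pwd_age == NEVER_EXPIRES_SENTINEL:
        return None
    return -max_pwd_age / TICKS_PER_DAY


def days_until_expiry(pwd_last_set: int, max_pwd_age: int,
                      user_account_control: int,
                      now: datetime) -> Optional[float]:
    """Days left before the password expires; None if it never expires.

    pwdLastSet == 0 means 'must change at next logon', i.e. already expired.
    """
    if user_account_control & DONT_EXPIRE_PASSWD:
        return None
    if pwd_last_set == 0:
        return 0.0
    age_days = max_pwd_age_days(max_pwd_age)
    if age_days is None:
        return None
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(days=age_days)
    return (expires_at - now) / timedelta(days=1)


def should_prompt(days_left: Optional[float], prompt_days: int) -> bool:
    """The 'Prompt user to change password before expiration' decision."""
    return days_left is not None and days_left <= prompt_days


# --- constructed sample: a 14-day policy, password set 10 days ago ---------
NOW = datetime(2018, 5, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOMAIN = {"maxPwdAge": -14 * TICKS_PER_DAY}          # 14-day max age
SAMPLE_USER = {
    "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
    "userAccountControl": 0x200,                           # NORMAL_ACCOUNT
}


def sample_days_left() -> Optional[float]:
    return days_until_expiry(SAMPLE_USER["pwdLastSet"],
                             SAMPLE_DOMAIN["maxPwdAge"],
                             SAMPLE_USER["userAccountControl"], NOW)


if __name__ == "__main__":
    left = sample_days_left()
    print(f"days until expiry: {left:.1f}")
    # A 14-day prompt threshold (matching the GPO) fires; a 2-day one does not.
    print("prompt @14d:", should_prompt(left, 14))
    print("prompt @2d: ", should_prompt(left, 2))
    # Original post: max age 2 days with a 4-day prompt threshold means every
    # non-exempt user is always inside the window, so the prompt should fire.
    two_day = days_until_expiry(SAMPLE_USER["pwdLastSet"], -2 * TICKS_PER_DAY,
                                0x200, NOW)
    print("2-day policy, 4-day prompt:", should_prompt(two_day, 4))
```

Pull the real values with an LDAP query against the domain root (maxPwdAge) and the user object (pwdLastSet, userAccountControl) using the same account APM uses; if the bind account cannot read them, APM cannot compute the window either, which is the privilege point raised in the first reply. Note that a fine-grained password policy (PSO) overrides the domain value, so check msDS-ResultantPSO on the user if the domain-level arithmetic does not match what you observe.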