UAG Password change at logon behavior

  • Question

  • I have set up a test UAG SP1 server with a single HTTPS trunk and AD authentication. A Portal application and a SharePoint 2010 application are in the trunk. I have enabled users to manage credentials and prompt for password change 7 days before expiry in the trunk config. With this, I am able to authenticate to the trunk and application, no issues. I was even able to change the password for the user object from the trunk. However, when I set the user object to "Must change password at next logon", the user logs on to UAG and gets prompted for a password change as expected, the user goes through the password change process, and the new password is set successfully. In the user object in AD the "must change password at next logon" attribute is cleared as well. However, when the user logs on the next time through the UAG with his new password, he again gets a prompt that says your password has expired. This loop never ends: the user changes the password, it is accepted, and at the next logon the same thing happens again. In AD the user object does not have the "must change password" attribute set. Anyone seen this? Any suggestions?
    Sunday, October 31, 2010 8:53 PM

Answers

  • Ok, found the problem. I have a GPO to set the password policies domain wide. Among other settings such as password length, min password age etc, I have also defined Max password age = 0 days, which really means the password never expires. While this works as expected in Windows clients, UAG does not like the 0 days for max password age, and assumes the password has expired. After setting the password age to a higher number of days, I don't see the issue anymore. This is clearly a bug in UAG how it handles the AD authentication. Even though this may not be a problem in actual production environment, where you always set a password expiration, it would be nice to see some documentation if it is a known bug or a "hidden feature".
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 7:41 PM
    Monday, November 1, 2010 1:24 AM
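The answer above boils down to one edge case in password-expiry logic: a GPO "Maximum password age" of 0 days means "never expires", but a check that feeds 0 straight into the lifetime arithmetic declares every password expired at every logon. The following is an added example (not UAG's code, nor anything from this thread) that models that symptom next to the correct handling, with constructed pwdLastSet values; the sample dates, user names and the `warn_days` parameter are assumptions.

```python
from datetime import datetime, timedelta, timezone

# AD pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# A value of 0 means "user must change password at next logon".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a pwdLastSet FILETIME to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used to build constructed samples)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def naive_state(pwd_last_set: int, max_age_days: int, now: datetime, warn_days: int = 7) -> str:
    """Models the symptom from the thread: 0 days is used as a literal
    zero-day lifetime, so every password is 'expired' at every logon."""
    if pwd_last_set == 0:
        return "must_change"
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    if now >= expires_at:
        return "expired"
    if now >= expires_at - timedelta(days=warn_days):
        return "expiring_soon"
    return "ok"


def password_state(pwd_last_set: int, max_age_days: int, now: datetime, warn_days: int = 7) -> str:
    """Same check with the GPO semantics honoured: 0 days = never expires.
    (In the directory itself the domain's maxPwdAge stores this setting as
    0x8000000000000000, not as zero; this example works in GPO days.)"""
    if pwd_last_set == 0:
        return "must_change"
    if max_age_days == 0:
        return "ok"
    return naive_state(pwd_last_set, max_age_days, now, warn_days)


def run_samples() -> dict:
    """Constructed accounts evaluated on the thread's date, 2010-11-01 UTC."""
    now = datetime(2010, 11, 1, tzinfo=timezone.utc)
    changed_yesterday = datetime_to_filetime(datetime(2010, 10, 31, tzinfo=timezone.utc))
    changed_sept = datetime_to_filetime(datetime(2010, 9, 25, tzinfo=timezone.utc))
    return {
        "naive_zero_age": naive_state(changed_yesterday, 0, now),     # the loop
        "fixed_zero_age": password_state(changed_yesterday, 0, now),
        "fixed_42_days": password_state(changed_sept, 42, now),       # expires 2010-11-06
        "fixed_must_change": password_state(0, 42, now),
    }
```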
  • [...] it would be nice to see some documentation if it is a known bug or a "hidden feature".


    Hi psraj,

    Thanks for your report! I do not think this is either an already known issue nor a hidden feature. Can you open a case with Microsoft Support in order to have this investigated?

    Thanks,


    -Ran
    • Marked as answer by Erez Benari Wednesday, November 24, 2010 7:41 PM
    Monday, November 1, 2010 9:27 AM

All replies

  • I am just seeing another weird behavior. With the accounts that are having the problem, I am able to get to the password change screen with any password. I put in the user ID and a known wrong password, and it takes me to the next page where I get the "your password has expired, you must change your password" screen. This is so insecure and unreliable.
    Sunday, October 31, 2010 9:21 PM
  • I'm seeing this issue also.  Max password age = 0, at login user is prompted to change password regardless of whether it has just been changed.  It's been over two years, please can we have a fix.



    • Edited by Calliper Sunday, January 19, 2014 7:17 PM
    Monday, January 14, 2013 4:55 PM