GlobalProtect Password Expiry Warning message showing up on the Client's machine sooner than expected
22464
Created On 02/25/20 00:32 AM - Last Modified 07/21/20 17:20 PM
Symptom
- GP client being prompted with the Password Expiry Warning Message sooner than expected
- LDAP is being used for authentication through the Active Directory Server.
- AD server has password policies configured both under the Default Domain Group Policy Object as well as the Fine Grained Password Policy with different values for "Maximum Password Age".
- authd.log reveals that the maxPwdAge attribute from AD server is coming from the Default domain GPO instead of the Fine Grained Password Policy
Environment
- PAN-OS 7.1 and above
Cause
- User is being prompted with the Password Expiry Warning too soon because the value of the Maximum Password Age is calculated as below even though the user is a part of a Fine Grained Password Policy.
- PaloAlto Networks Firewall queries the AD server for the below in order to calculate the expiry date, which actually gets the Maximum Password Age from the domain's Default GPO:
Get-ADDefaultDomainPasswordPolicy
- Querying the AD server for the below can result in getting the Maximum Password Age from the Fine Grained Policy to which the user in question belongs. But this is not implemented on the firewall yet:
Get-ADUserResultantPasswordPolicy
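The following is an added example, not code from this article or from Palo Alto Networks, that reproduces the arithmetic behind the symptom. It assumes the firewall derives the expiry date as pwdLastSet plus the domain's maxPwdAge (the article only states that the domain-level value is used, not how it is combined), and it uses constructed attribute values: a Default Domain GPO maximum age of 42 days, a Fine Grained Password Policy (PSO) maximum age of 90 days, a constructed pwdLastSet and a constructed "now". Both AD intervals are stored as negative counts of 100-nanosecond ticks, and pwdLastSet is a Windows FILETIME; the helpers handle the "must change at next logon" (pwdLastSet = 0) and "never expires" sentinel cases as well.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-ns ticks since 1601-01-01; this is the
# offset between that epoch and the Unix epoch, in ticks.
EPOCH_DIFF_TICKS = 116444736000000000
TICKS_PER_SECOND = 10_000_000
# Value AD uses for maxPwdAge when passwords never expire (INT64 minimum).
NEVER_EXPIRES = -9223372036854775808


def interval_to_timedelta(ad_interval):
    """Convert an AD duration attribute (maxPwdAge, msDS-MaximumPasswordAge),
    which is stored as a *negative* number of 100-ns ticks, to a timedelta.
    Returns None for 0 or the 'never expires' sentinel."""
    if ad_interval in (0, NEVER_EXPIRES):
        return None
    return timedelta(seconds=-ad_interval / TICKS_PER_SECOND)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (e.g. pwdLastSet) to an aware UTC datetime."""
    return datetime.fromtimestamp(
        (filetime - EPOCH_DIFF_TICKS) / TICKS_PER_SECOND, tz=timezone.utc
    )


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return int(dt.timestamp()) * TICKS_PER_SECOND + EPOCH_DIFF_TICKS


def expiry_date(pwd_last_set, max_pwd_age):
    """Password expiry = pwdLastSet + maximum age (assumed firewall logic).
    pwdLastSet == 0 means 'must change at next logon', so no date applies."""
    max_age = interval_to_timedelta(max_pwd_age)
    if pwd_last_set == 0 or max_age is None:
        return None
    return filetime_to_datetime(pwd_last_set) + max_age


def compare_policies(pwd_last_set, domain_max_pwd_age, pso_max_pwd_age,
                     warning_days, now):
    """Show when the domain-level value (what the firewall reads) triggers the
    Password Expiry Warning versus when the user's resultant PSO would."""
    domain_expiry = expiry_date(pwd_last_set, domain_max_pwd_age)
    pso_expiry = expiry_date(pwd_last_set, pso_max_pwd_age)
    window = timedelta(days=warning_days)
    return {
        "domain_expiry": domain_expiry,
        "pso_expiry": pso_expiry,
        "domain_warns": domain_expiry is not None and domain_expiry - now <= window,
        "pso_warns": pso_expiry is not None and pso_expiry - now <= window,
    }


# Constructed sample values (not taken from any real directory):
DOMAIN_MAX_PWD_AGE = -42 * 86400 * TICKS_PER_SECOND   # Default Domain GPO: 42 days
PSO_MAX_PWD_AGE = -90 * 86400 * TICKS_PER_SECOND      # Fine Grained policy: 90 days
PWD_LAST_SET = datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc))
SAMPLE_NOW = datetime(2020, 2, 5, tzinfo=timezone.utc)  # 35 days after last set

if __name__ == "__main__":
    result = compare_policies(PWD_LAST_SET, DOMAIN_MAX_PWD_AGE, PSO_MAX_PWD_AGE,
                              warning_days=7, now=SAMPLE_NOW)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With a 7-day Password Expiry Warning, the domain-level value yields an expiry of 2020-02-12, so the warning fires on 2020-02-05, while the PSO the user actually belongs to does not expire the password until 2020-03-31. Comparing the two dates for an affected user (for example against Get-ADUserResultantPasswordPolicy output, or the msDS-UserPasswordExpiryTimeComputed attribute) is a quick way to confirm the cause described above before applying the workaround.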
Resolution
- This is the expected behavior as per design.
Additional Information
- Note: As a workaround, the "Password Expiry Warning" field under the respective Authentication Profile can be set to zero (0) so that the Password Expiry Warning is not prompted from the GlobalProtect side. This can be useful when there are other methods to alert the AD users as they approach their expiry dates.