Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Global Protect Password Expiry Warning message showing up on th... - Knowledge Base - Palo Alto Networks

Global Protect Password Expiry Warning message showing up on the Client's machine sooner than expected

22464
Created On 02/25/20 00:32 AM - Last Modified 07/21/20 17:20 PM


Symptom


  • GP client being prompted with the Password Expiry Warning Message sooner than expected
  • LDAP is being used for authentication though the Active Directory Server.
  • AD server has password policies configured both under the Default Domain Group Policy Object as well as the Fine Grained Password Policy with different values for "Maximum Password Age". 
  • authd.log reveals that the maxPwdAge attribute from AD server is coming from the Default domain GPO instead of the Fine Grained Password Policy


Environment


  • PAN-OS 7.1 and above


Cause


  • User is being prompted with the Password Expiry Warning too sooner because the value of the Maximum Password Age is calculated as below even though the user is a part of a Fine Grained Password Policy.  
    • PaloAlto Networks Firewall queries the AD server for the below in order to calculate expiry date which actually gets the Maximum Password Age from the domain's Default GPO.
      Get-ADDefaultDomainPasswordPolicy
    • Querying the AD server for the below can result in getting the Maximum Password Age from a Fine Grained Policy to which the user in question belongs to. But, this is not implemented on firewall yet.
      Get-ADUserResultantPasswordPolicy


Resolution


  • This is the expected behavior as per design.


Additional Information


  • Note: As a workaround, "Password Expiry Warning" field under the respective Authentication Profile can be set to zero (0) so that the Password Expiry Warning is not prompted from the Global Protect side. This can be useful when there are other methods to alert the AD users as they approach their expiry dates. 
User-added image


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POneCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language