GlobalProtect Password Expiry Message Not Displaying on Client Device


Created On 07/13/20 21:52 PM - Last Modified 03/31/21 21:52 PM


Symptom


  • Users are not receiving the GlobalProtect (GP) password expiry warning on their client devices after a successful gateway login.
  • Example of the expected password expiry message:
(Screenshot: PW_Expiry_Warning)


Environment


  • PAN Firewall (any)
  • PAN-OS 8.1.13
  • GP client connecting to a GP Gateway
  • Global Catalog AD server configured in the LDAP server profile used to authenticate GlobalProtect users

NOTE:
Configure the LDAP Server profile with a Global Catalog AD server on port 3268 (or 3269 for SSL/TLS).
See the following link for instructions: How To Configure LDAP Server Profile


Cause


When the LDAP server profile used for GlobalProtect client authentication (via the Authentication Profile) points at a Global Catalog server on port 3268/3269, the firewall only receives attributes that are members of the Global Catalog partial attribute set. The two attributes the firewall needs to compute the password expiry date are, by default, not marked for replication to the Global Catalog:

  • maxPwdAge (the domain's maximum password age, stored on the domain object)
  • pwdLastSet (the time the user's password was last changed, stored on the user object)

Without both values, authd cannot compute an expiry date, reports expire-in-days as -1 (no expiration), and the client never displays the warning.


Checking the authd.log file on the firewall confirms this. The line "ldap attr value for 'maxPwdAge' or 'pwdLastSet' not found" shows that the attributes were missing from the LDAP response, so the computed expiry falls back to -1 even though the user was accepted and the account is not set to "password never expires":

> less mp-log authd.log

debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1203): User "test4" is ACCEPTED(msgid = 12, LDAPp=0x10c5400)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:86): userAccountControl = 512 (not never expire)
ldap attr value for 'maxPwdAge' or 'pwdLastSet' not found
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1235): Got user expire-in-days: -1 (-1 means no expiration), passwd_exp in auth profile: 200


 


Resolution


From an administrator's login on a domain controller, open the Active Directory Schema MMC snap-in and mark the attributes maxPwdAge and pwdLastSet for replication to the Global Catalog. The account used must be a member of the Schema Admins group, and the change is a forest-wide schema modification that replicates to every Global Catalog server in the forest, so coordinate it with the AD team.

See below for steps:
  1. Register the Active Directory Schema snap-in DLL (schmmgmt.dll) with regsvr32 from an elevated command prompt.
(Screenshot: Admin Cmd Prompt)
  2. Once successfully registered, open a new MMC console.
(Screenshot: MMC-Command)
  3. Go to File >> Add/Remove Snap-in and add the Active Directory Schema to the Selected Snap-ins.
(Screenshot: MMC-Console)
(Screenshot: AD-Schema)
  4. Once added, drill down into Active Directory Schema >> Attributes and select maxPwdAge.
  5. Check the box for "Replicate this attribute to the Global Catalog" and click OK.
(Screenshot: Max_Pwd_Age)
  6. Repeat steps 4 and 5 for the pwdLastSet attribute.
(Screenshot: Pwd_Last_Set)
  7. Once the change has replicated to the Global Catalog server named in the LDAP server profile, the GP client should see the password expiry warning after logging into the gateway successfully.
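The following PowerShell is an added example and is not part of the Palo Alto Networks article: it performs the same schema change as the MMC steps above (setting isMemberOfPartialAttributeSet on the two attributeSchema objects), then verifies the fix by querying the Global Catalog port directly, the way the firewall's LDAP server profile does, and reproduces the expire-in-days calculation that authd logs. It assumes the RSAT ActiveDirectory module, an account in Schema Admins, and the placeholder Global Catalog host gc.example.com and test user test4; skip Part 1 if the checkbox was already set in the snap-in.

```powershell
# Added example (not from the KB article): mark maxPwdAge and pwdLastSet for
# Global Catalog replication, then verify against the GC port the firewall uses.
# Assumes: RSAT ActiveDirectory module, an account in Schema Admins, and the
# placeholder GC host gc.example.com and test user 'test4'.
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster   # schema writes must go to the FSMO role holder

# --- Part 1: the equivalent of ticking "Replicate this attribute to the Global Catalog"
foreach ($attr in 'maxPwdAge', 'pwdLastSet') {
    $obj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $obj) { throw "attributeSchema object for '$attr' not found" }

    if ($obj.isMemberOfPartialAttributeSet -eq $true) {
        Write-Output "$attr is already in the Global Catalog partial attribute set"
    } else {
        # isMemberOfPartialAttributeSet is the schema flag behind the MMC checkbox
        Set-ADObject -Server $schemaMaster -Identity $obj.DistinguishedName `
            -Replace @{ isMemberOfPartialAttributeSet = $true }
        Write-Output "$attr marked for Global Catalog replication"
    }
}

# --- Part 2: query the GC port (3268) directly, as the firewall's LDAP server profile does.
# Until the change has replicated, one or both attributes come back empty, which is what
# authd logs as "ldap attr value for 'maxPwdAge' or 'pwdLastSet' not found".
$gc       = 'gc.example.com:3268'                      # placeholder GC host:port
$user     = Get-ADUser  -Server $gc -Identity 'test4' -Properties pwdLastSet
$domainDN = (Get-ADDomain).DistinguishedName
$domain   = Get-ADObject -Server $gc -Identity $domainDN -Properties maxPwdAge

if ($null -eq $user.pwdLastSet -or $null -eq $domain.maxPwdAge) {
    Write-Output "GC did not return pwdLastSet and/or maxPwdAge; expiry cannot be computed (authd reports -1)"
    return
}

# --- Part 3: reproduce the expire-in-days calculation from the two raw values.
# pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); maxPwdAge is a negative
# tick count, and Int64.MinValue means the domain policy never expires passwords.
if ($domain.maxPwdAge -eq [Int64]::MinValue) {
    Write-Output "Domain policy: passwords never expire"
    return
}
if ($user.pwdLastSet -eq 0) {
    Write-Output "pwdLastSet is 0: user must change password at next logon"
    return
}
$lastSet   = [DateTime]::FromFileTimeUtc($user.pwdLastSet)
$maxAge    = [TimeSpan]::FromTicks(-$domain.maxPwdAge)
$expiresOn = $lastSet.Add($maxAge)
$daysLeft  = [Math]::Floor(($expiresOn - [DateTime]::UtcNow).TotalDays)

Write-Output ("pwdLastSet = {0:u}; maxPwdAge = {1} days; expires {2:u}; expire-in-days = {3}" -f `
    $lastSet, $maxAge.TotalDays, $expiresOn, $daysLeft)
```

Run Part 2 before and after the schema change: as long as the GC reply lacks either attribute, the firewall will keep logging expire-in-days -1 no matter what the authentication profile's password expiry warning value is. Note that the calculation, like the firewall's, uses the domain-level maxPwdAge; a user governed by a fine-grained password policy will not have that policy's age reflected here.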


 


Additional Information


Note:
After the fix, the authd.log entries for a GP client that receives the password expiry warning look like below. Both attributes are now returned, authd computes the remaining days from pwdLastSet and maxPwdAge, and the result (10 days here) is within the warning window configured in the authentication profile (200), so the client displays the warning:

Authd.log details:
....
pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1203): User "test4" is ACCEPTED(msgid = 12, LDAPp=0x10c5400)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:86): userAccountControl =512 (not never expire)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:134): pwdlastset: 13236976975 seconds since January 1, 1601 (UTC)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:153): AD pwd expires in days 10 (max 255 warning limit)
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1235): Got user expire-in-days: 10 (-1 means no expiration), passwd_exp in auth profile: 200

 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UpiCAE