
Password Expiry Warning on the GlobalProtect Client

by harshanatarajan on ‎07-16-2014 09:14 PM (18,771 Views)

Overview

When LDAP is the authentication method, GlobalProtect can prompt users with a password expiry warning message as their password approaches its expiry date.

Details

This can be achieved by using LDAP as an authentication method, as shown in the screenshot below:

  • Server Profile: Specify the configured LDAP profile
  • Login Attribute: Enter the LDAP directory attribute that uniquely identifies the user or group
  • Password Expiry Warning: Enter the number of days before password expiration at which notification messages start telling users that their password expires in X days (configurable from 1 day to 255 days).

By default, notification messages will be displayed seven days before password expiry. Users will not be able to access the VPN if their passwords expire.

Set the maximum password age under the default domain policy in the AD server as shown in the screenshot below:

Shown below is the warning message on the GlobalProtect client.

Note: As a best practice, consider configuring the agents to use a pre-logon connect method. This will allow users to connect to the domain to change their passwords even after the password has expired.
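To make the warning computation concrete, the following is an added Python example (not Palo Alto Networks code) that derives "days until expiry" from the AD attributes the feature depends on (the domain's maxPwdAge, the user's pwdLastSet and userAccountControl) and shows the cases that should yield N/A rather than a misleading "0 days": the attribute could not be read, or policy says passwords never expire. The attribute semantics follow AD's documented encoding; the sample values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores timestamps as 100-ns ticks since 1601-01-01 (Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000
MAX_PWD_AGE_NEVER = -0x8000000000000000  # maxPwdAge sentinel: "passwords never expire"
UAC_DONT_EXPIRE_PASSWORD = 0x10000       # userAccountControl bit for a never-expiring password

def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def days_to_ticks(days: int) -> int:
    return days * TICKS_PER_DAY

def days_until_expiry(max_pwd_age: Optional[int], pwd_last_set: int,
                      user_account_control: int, now: int) -> Optional[int]:
    """Whole days until the password expires, or None where the client should show N/A.

    max_pwd_age: the domain's maxPwdAge, a negative 100-ns interval (or the
    never-expire sentinel); None if the attribute could not be read, as the
    comment thread reports for a global-catalog bind on port 3268.
    pwd_last_set: the user's pwdLastSet FILETIME; 0 means "must change at next logon".
    """
    if max_pwd_age is None:
        return None  # attribute not found: N/A, not a misleading "0 days"
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return None  # domain policy: passwords never expire
    if user_account_control & UAC_DONT_EXPIRE_PASSWORD:
        return None  # per-account override: never expires
    if pwd_last_set == 0:
        return 0     # forced change at next logon: already expired
    expires_at = pwd_last_set - max_pwd_age  # subtracting the negative interval adds it
    return max(0, (expires_at - now) // TICKS_PER_DAY)

def should_warn(days_left: Optional[int], warning_days: int = 7) -> bool:
    """True when the warning should be shown; warning_days is the 1..255 profile setting."""
    return days_left is not None and days_left <= warning_days

# Constructed sample: 42-day maximum age, password set 35 days ago -> 7 days left.
SAMPLE_NOW = datetime_to_filetime(datetime(2015, 10, 11, 12, 0, tzinfo=timezone.utc))
SAMPLE_MAX_PWD_AGE = -days_to_ticks(42)
SAMPLE_PWD_LAST_SET = SAMPLE_NOW - days_to_ticks(35)

if __name__ == "__main__":
    left = days_until_expiry(SAMPLE_MAX_PWD_AGE, SAMPLE_PWD_LAST_SET, 0x200, SAMPLE_NOW)
    print("PasswdExprDays =", "N/A" if left is None else left, "warn =", should_warn(left))
```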

owner: hnatarajan

Comments
by admin@peri
on ‎08-21-2014 06:35 AM

Unfortunately the password expiry does not work in our setup. The GlobalProtect client shows N/A under "PasswdExprDays".


On the authentication profile we use "userPrincipalName" as login attribute. With "sAMAccountName" I did not manage to establish a connection. Is there a possibility to find out why the feature is not working for us?


Is there a way to get the expiry warning working with Kerberos?

by admin@peri
on ‎12-02-2014 02:45 AM

2014-12-02 05:11:42.471 -0500 debug: pan_get_passwd_expiry(pan_authd_passwd.c:897): Using /etc/openldap/pan_ldap_shared_:a:d_helpdesk_0 to get password info

2014-12-02 05:11:42.471 -0500 debug: pan_get_ldap_ip(pan_authd_passwd.c:122): Reading file /etc/openldap/pan_ldap_shared_:a:d_helpdesk_0

2014-12-02 05:11:42.471 -0500 debug: pan_authd_bind(pan_authd_passwd.c:246): binding with binddn cn=panad@int.test

2014-12-02 05:11:43.300 -0500 Error:  pan_authd_bind(pan_authd_passwd.c:273): bind failed (extracted from parsed bind result) (Invalid credentials) (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1)

Finally I found the problem :smileyhappy:

The password of the panad-User included %, $ and § and one of these special characters caused the problem. After I changed the password everything is working.

by MHarlow
on ‎07-15-2015 07:35 PM

How do I turn this off? It forces me to 1 to 255 as a value, and a blank defaults to 7.

I need to turn this feature off as it is not compatible with our AD policies as we use FIM (Forefront Identity Manager) for fine-grained password expiry management, and in our AD the Policy highlighted in the above screenshot is "0" and so everyone gets a warning that their password expires in 0 days. I cannot proceed with our deployment of the PA whilst this is occurring. And changing the AD/Policy parameter from 0 is not an option.

by dmcgowan
on ‎07-16-2015 06:07 AM

I'm in the same boat. I've recently updated our GlobalProtect version, and it has started prompting some users that their passwords expire in 0 days. I would really like to find a way to disable this message as well.

by EnricoDINELLI-MPI
on ‎07-30-2015 01:50 AM

The issue "Your password expires in 0 days" is presented after the PANOS upgrade to 7.0.1.

With previous PANOS 6.3.x users were not getting this message.

GP Client v.2.3.0.

I have checked LDAP Authentication Profile (MS.AD) and "Password Expiry Warning" is set to 7 days; but no change was made to this value recently.

Tks.

by dmcgowan
on ‎07-30-2015 12:25 PM

Just wanted to update this thread for those who are experiencing the same issue. I talked with PA support and they mentioned it's a known bug that exists in 7.0.0 and 7.0.1. The fix should be in the 7.0.2 update when it is released. Not sure on ETA yet.

by pamac
on 08-27-2015 06:45 PM

This is fixed in 7.0.2. BugID is 81970.

by bbermingham
on 10-05-2015 01:54 PM

I'm on 7.0.2 and am still having this issue. From the wording of the bug, it appears that they only addressed the issue that pops up when passwords never expire. In my case, passwords expire and I am still having this issue (amongst many others with 7.0.2).


Looks like the ticket I have open was escalated but I haven't heard anything back yet.

by Elliot_Wilen
on 10-11-2015 01:21 PM

Same issue as bbermingham. PanOS 7.0.2; GlobalProtect client 2.3.2-7. I get a warning that password will expire in 0 days whenever I login and also when I log out. In the admin GUI, the LDAP auth profile is set to use 7 days as the warning threshold. I even tried setting it to 14 days, retesting, and then back to 7 days. Still get the warning in every case.

by Elliot_Wilen
on 10-11-2015 02:20 PM

Also, why does the GPO illustration on this article contain a maximum password age of 7 days? That would mean users have to change their passwords every week, no?

by JustinClay
on ‎11-02-2015 07:27 AM

Has anyone found a resolution to this? We're seeing this on a newly deployed PA-3020 running 7.0.3 on the PAN side and 2.3.2-7 on the GlobalProtect client side.

by bbermingham
on ‎11-03-2015 09:05 AM

I've been working with support on this issue but have been unable to implement their suggested changes yet. Here's their guidance:


"The LDAP profile currently used for GlobalProtect authentication is using port 3268 and LDAP search cannot receive the maxPwdAge value so is notifying that it is not found. If you configure a new LDAP profile with port 389 and use that for GP auth, you will not see this message."


I will try to post results after I make this change, but it likely will not be until an approved maintenance window next week.


-Bob.

by Elliot_Wilen
on 11-03-2015 09:39 AM

That's interesting. I currently use secure ldap over port 636. (Not clear to me if I could use port 389 with the TLS option set.) So there's at least a commonality but the explanation you've been given seems pretty dubious unless there is a bug in 7.x that's preventing use of nonstandard ports for LDAP.

by Jacopo_Vigano
on ‎11-25-2015 06:58 AM

Dear all,

I have the same issue with PANOS 7.0.3 and GP Client 2.3.3.

Do you have any news regarding this issue?


Thanks in advance.

Jacopo

by Donno
on ‎11-30-2015 11:30 AM

I have the same issue with PANOS 7.0.3, GP Client 2.3.2 and 2.3.3.


I am not able to get the password expiring notice to work.


Thanks,

by bbermingham
on ‎12-01-2015 10:16 AM

In my case, the LDAP profile I was using had been set to port 3268 but wasn't using SSL. GlobalProtect could not receive the MaxPwdAge value. Adjusting the profile to non-SSL and port 389 fixed the issue. I'm guessing that enabling SSL and keeping port 3268 would have fixed the issue as well, but I didn't test that.

by satec.helpsec
on ‎01-18-2016 11:37 AM

Hi all!

Does anyone know if that fixes this problem? I need to have SSL settings enabled. 

by fowlerca
‎01-20-2016 05:44 PM - edited ‎01-27-2016 06:30 AM

Recently upgraded from 6.0.9 to 7.0.4. Issue persists. Creating a new Server Profile for LDAP using non-SSL, 389, did nothing for us.


Changed the LDAP type from Other to Active Directory, still using an SSL connection, and this resolved the issue. We did try this originally but on the new LDAP profile we created, which didn't work for reasons unknown.

by Jacopo_Vigano
on ‎02-10-2016 02:01 PM

Dear All,

this issue should be fixed with PANOS 7.0.5.

Check the release note for more information.


Jacopo.

by Elliot_Wilen
on ‎02-26-2016 12:50 PM

Upgrading to 7.0.5h2 fixed the issue for us. This is a worthy upgrade in any case due to Security Advisories PAN-SA-2016-0002 through PAN-SA-2016-0005.

by Rene
on ‎04-21-2016 04:37 AM

Is it also possible to get the same warning when the account is about to expire?

Some AD accounts have an expiry date (3rd parties) which is often due before the password expires so the user does not get any warning.
