Password Expiry Warning on the GlobalProtect Client


Overview

When LDAP is the authentication method, GlobalProtect can prompt users with a password expiry warning when their directory password is due to expire.


Details

Configure an authentication profile that uses LDAP as the authentication method, as shown in the screenshot below:


  • Server Profile: Select the LDAP server profile that points at the directory
  • Login Attribute: Enter the LDAP attribute that uniquely identifies the user (for Active Directory this is typically sAMAccountName or userPrincipalName)
  • Password Expiry Warning: Enter the number of days before password expiration at which the client starts telling users that their password expires in X days (configurable from 1 day to 255 days)


By default, the warning is displayed seven days before the password expires. Once the password has expired, the user can no longer authenticate to the VPN.

The expiry date itself comes from the directory: the firewall reads the domain's maximum password age (the maxPwdAge attribute on the domain root) and combines it with the time of the user's last password change, so the LDAP profile must be able to retrieve that attribute. Set the maximum password age under the Default Domain Policy on the AD server as shown in the screenshot below (the 7-day value in the screenshot is only for illustration; use your organisation's policy):


The resulting warning on the GlobalProtect client is shown below:

(screenshot: password expiry.png)


Note: As a best practice, configure the agents to use the pre-logon connect method. Pre-logon establishes the tunnel before the user signs in to Windows, so a user whose password has already expired can still reach the domain and change it.
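As an added example (not PAN-OS code and not part of the original article), the following Python reproduces the arithmetic behind the warning from the attributes a client would read over LDAP: the domain root's maxPwdAge and the user's pwdLastSet and userAccountControl. It also handles the failure modes raised in the comments below (a domain policy with no maximum password age, which must not become "expires in 0 days", the DONT_EXPIRE_PASSWORD flag, and a pwdLastSet of 0) and, going beyond the article, checks accountExpires for accounts that end before their password does. All attribute values are constructed sample data; the function and constant names are my own, not PAN-OS names.

```python
import math
from datetime import datetime, timedelta, timezone
from typing import Optional

# Active Directory stores timestamps as 100-nanosecond ticks since 1601-01-01 UTC
# (FILETIME) and interval attributes such as maxPwdAge as NEGATIVE tick counts.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10
UF_DONT_EXPIRE_PASSWD = 0x10000             # userAccountControl bit
INT64_MIN = -0x8000000000000000             # maxPwdAge when "maximum password age" is 0 (never)
ACCOUNT_NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF  # accountExpires sentinel (0 also means never)


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


def _days_until(when: datetime, now: datetime) -> int:
    """Whole days remaining, rounded up; 0 means already expired."""
    seconds = (when - now).total_seconds()
    return max(0, math.ceil(seconds / 86400))


def password_expiry_days(max_pwd_age: int, pwd_last_set: int,
                         user_account_control: int, now: datetime) -> Optional[int]:
    """Days until the password expires, or None if it never expires.

    max_pwd_age           domain root maxPwdAge (negative ticks; INT64_MIN or 0 = no maximum)
    pwd_last_set          user pwdLastSet FILETIME (0 = must change at next logon)
    user_account_control  user userAccountControl bit mask
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in (0, INT64_MIN):
        # Domain policy has no maximum age. Reporting this as "expires in 0 days"
        # is exactly the false warning several commenters describe.
        return None
    if pwd_last_set == 0:
        return 0
    expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)  # minus a negative = plus
    return _days_until(expires_at, now)


def account_expiry_days(account_expires: int, now: datetime) -> Optional[int]:
    """Days until the account itself expires (accountExpires), or None if never."""
    if account_expires in (0, ACCOUNT_NEVER_EXPIRES):
        return None
    return _days_until(filetime_to_datetime(account_expires), now)


def expiry_notice(domain: dict, user: dict, now: datetime, warn_days: int = 7) -> dict:
    """Client-side decision: warn only when a real expiry falls within warn_days."""
    pwd_days = password_expiry_days(domain["maxPwdAge"], user["pwdLastSet"],
                                    user["userAccountControl"], now)
    acct_days = account_expiry_days(user.get("accountExpires", 0), now)
    return {
        "password_days": pwd_days,
        "password_warning": pwd_days is not None and pwd_days <= warn_days,
        "account_days": acct_days,
        "account_warning": acct_days is not None and acct_days <= warn_days,
    }


# Constructed sample data (not taken from any real directory).
UTC = timezone.utc
NOW = datetime(2018, 7, 20, 12, 0, tzinfo=UTC)
DOMAIN_42_DAYS = {"maxPwdAge": -42 * 86400 * 10_000_000}   # 42-day maximum age
DOMAIN_NEVER = {"maxPwdAge": INT64_MIN}                     # "maximum password age = 0"
USER_ALICE = {  # changed her password 35 days ago -> 7 days left
    "pwdLastSet": datetime_to_filetime(datetime(2018, 6, 15, 12, 0, tzinfo=UTC)),
    "userAccountControl": 0x200,  # NORMAL_ACCOUNT
    "accountExpires": ACCOUNT_NEVER_EXPIRES,
}
USER_CONTRACTOR = {  # password is fine, but the account itself ends in 3 days
    "pwdLastSet": datetime_to_filetime(datetime(2018, 7, 10, 9, 0, tzinfo=UTC)),
    "userAccountControl": 0x200,
    "accountExpires": datetime_to_filetime(datetime(2018, 7, 23, 0, 0, tzinfo=UTC)),
}
USER_SERVICE = {  # DONT_EXPIRE_PASSWORD set, no accountExpires attribute
    "pwdLastSet": datetime_to_filetime(datetime(2015, 1, 1, tzinfo=UTC)),
    "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
}

if __name__ == "__main__":
    for name, user, domain in [("alice", USER_ALICE, DOMAIN_42_DAYS),
                               ("contractor", USER_CONTRACTOR, DOMAIN_42_DAYS),
                               ("service", USER_SERVICE, DOMAIN_42_DAYS),
                               ("alice/no-max-age", USER_ALICE, DOMAIN_NEVER)]:
        print(name, expiry_notice(domain, user, NOW))
```

The point of the two "never" checks is that an absent or unlimited maxPwdAge and a pwdLastSet of 0 mean different things: the former is "no warning", the latter is "change it now". A client that computes the date without distinguishing them produces the "expires in 0 days" pop-up described in the comments.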


owner: hnatarajan

Comments

Unfortunately the password expiry does not work in our setup. The GlobalProtect client shows N/A under "PasswdExprDays".


On the authentication profile we use "userPrincipalName" as login attribute. With "sAMAccountName" I did not manage to establish a connection. Is there a possibility to find out why the feature is not working for us?


Is there a way to get the expiry warning working with Kerberos?

2014-12-02 05:11:42.471 -0500 debug: pan_get_passwd_expiry(pan_authd_passwd.c:897): Using /etc/openldap/pan_ldap_shared_:a:d_helpdesk_0 to get password info

2014-12-02 05:11:42.471 -0500 debug: pan_get_ldap_ip(pan_authd_passwd.c:122): Reading file /etc/openldap/pan_ldap_shared_:a:d_helpdesk_0

2014-12-02 05:11:42.471 -0500 debug: pan_authd_bind(pan_authd_passwd.c:246): binding with binddn cn=panad@int.test

2014-12-02 05:11:43.300 -0500 Error:  pan_authd_bind(pan_authd_passwd.c:273): bind failed (extracted from parsed bind result) (Invalid credentials) (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1)

Finally I found the problem :)

The password of the panad user included %, $ and §, and one of these special characters caused the problem. After I changed the password everything is working.

How do I turn this off? It forces me to enter 1 to 255 as a value, and a blank defaults to 7.

I need to turn this feature off as it is not compatible with our AD policies: we use FIM (Forefront Identity Manager) for fine-grained password expiry management, and in our AD the policy highlighted in the above screenshot is "0", so everyone gets a warning that their password expires in 0 days. I cannot proceed with our deployment of the PA whilst this is occurring. And changing the AD/policy parameter from 0 is not an option.

I'm in the same boat. I've recently updated our GlobalProtect version, and it has started prompting some users that their passwords expire in 0 days. I would really like to find a way to disable this message as well.

The issue "Your password expires in 0 days" is presented after the PANOS upgrade to 7.0.1.

With previous PANOS 6.3.x users were not getting this message.

GP Client v.2.3.0.

I have checked LDAP Authentication Profile (MS.AD) and "Password Expiry Warning" is set to 7 days; but no change was made to this value recently.

Tks.

Just wanted to update this thread for those who are experiencing the same issue. I talked with PA support and they mentioned it's a known bug that exists in 7.0.0 and 7.0.1. The fix should be in the 7.0.2 update when it is released. Not sure on ETA yet.

This is fixed in 7.0.2. BugID is 81970.

I'm on 7.0.2 and am still having this issue. From the wording of the bug, it appears that they only addressed the issue that pops up when passwords never expire. In my case, passwords expire and I am still having this issue (amongst many others with 7.0.2).


Looks like the ticket I have open was escalated but I haven't heard anything back yet.

Same issue as bbermingham. PanOS 7.0.2; GlobalProtect client 2.3.2-7. I get a warning that password will expire in 0 days whenever I login and also when I log out. In the admin GUI, the LDAP auth profile is set to use 7 days as the warning threshold. I even tried setting it to 14 days, retesting, and then back to 7 days. Still get the warning in every case.

Also, why does the GPO illustration on this article contain a maximum password age of 7 days? That would mean users have to change their passwords every week, no?

Has anyone found a resolution to this? We're seeing this on a newly deployed PA-3020 running 7.0.3 on the PAN side and 2.3.2-7 on the GlobalProtect client side.

I've been working with support on this issue but have been unable to implement their suggested changes yet. Here's their guidance:


"The LDAP profile currently used for GlobalProtect authentication is using port 3268 and LDAP search cannot receive the maxPwdAge value so is notifying that it is not found. If you configure a new LDAP profile with port 389 and use that for GP auth, you will not see this message."


I will try to post results after I make this change, but it likely will not be until an approved maintenance window next week.


-Bob.

That's interesting. I currently use secure ldap over port 636. (Not clear to me if I could use port 389 with the TLS option set.) So there's at least a commonality but the explanation you've been given seems pretty dubious unless there is a bug in 7.x that's preventing use of nonstandard ports for LDAP.

Dear all,

I have the same issue with PANOS 7.0.3 and GP Client 2.3.3.

Do you have any news regarding this issue?


Thanks in advance.

Jacopo

I have the same issue with PANOS 7.0.3, GP Client 2.3.2 and 2.3.3.


I am not able to get the password expiring notice to work.


Thanks,

In my case, the LDAP profile I was using had been set to port 3268 but wasn't using SSL. GlobalProtect could not receive the maxPwdAge value; adjusting the profile to non-SSL and port 389 fixed the issue. I'm guessing that enabling SSL and keeping port 3268 would have fixed the issue as well, but I didn't test that.

Hi all!

Does anyone know if that fixes this problem? I need to have SSL settings enabled. 

Recently upgraded from 6.0.9 to 7.0.4. Issue persists. Creating a new Server Profile for LDAP using non-SSL, 389, did nothing for us.


Changed the LDAP type from Other to Active Directory, still using an SSL connection, and this resolved the issue. We did try this originally but on the new LDAP profile we created, which didn't work for reasons unknown.

Dear All,

this issue should be fixed with PANOS 7.0.5.

Check the release note for more information.


Jacopo.

Upgrading to 7.0.5h2 fixed the issue for us. This is a worthy upgrade in any case due to Security Advisories PAN-SA-2016-0002 through PAN-SA-2016-0005.

Is it also possible to get the same warning when the account is about to expire?

Some AD accounts have an expiry date (3rd parties) which is often due before the password expires so the user does not get any warning.

This issue seems to have resurfaced on PanOS 8.0.11. Anyone else having the same error again?

I too have a user with this same issue with upgrading from 8.0.7 to 8.0.11-h1. I'm looking into it and will update if I get any more information.

I have upgraded the firewall to 8.0.11-h1 assuming it could have fixed this even though it wasn't mentioned in the release notes, but it did not. I still have multiple users getting a pop-up every time they connect and/or disconnect.

One of our customers has the same issue after upgrading to 8.0.11-h1.

I am not sure if we have the same issue, but we did see this show up after upgrading to 8.0.11; it went away when we downgraded and continued to exist post 8.0.11-h1. We have opened a case with support and they have created issue "GPC-6763" based on the logs and information we have provided.


EDIT:

From support: The fix for your issue PAN-100870 will appear in the upcoming PAN-OS version 8.0.12, tentatively scheduled for 2018-08-09.  To workaround this issue, you can disable cookie authentication.

Thanks for the info. It is appreciated. I'll let my team know. We'll look at upgrading to 8.0.12 down the road.