Today I upgraded our PA-500 from 6.1.4 to 7.0.0.
After the reboot, when I log in with the GlobalProtect client, I receive the following message in red in the warnings/errors section:
"Password expires in 0 days."
We authenticate our VPN users to an AD domain using LDAP. The AD accounts are set to "password never expires".
I looked at the LDAP authentication profile, and the password expiry warning field requires a value of 1-255, and defaults to 7 days, even if I leave the field blank. Is there any way to turn this check off? My users' passwords don't have expire dates, and I'd rather they not receive this erroneous error message. It does not prevent them from logging in, and the VPN otherwise works normally.
Here's the current status of the ticket I have open for this password expiry error:
"Would like to update you that the engineering team has identified the root cause for this issue and they are working on the fix. Will keep you posted with regular updates."
In the meantime, I have downgraded from 7.0.0 back to 6.1.4. Not just for this bug, there was also an issue with SSL sessions not being released correctly after the VPN client terminated, so eventually the firewall quit allowing new sessions and the portal page would not respond.
Unfortunately I have the same issue. I called TAC Support to ask about and the information about this issue is that this bug is known and unfortunately the fix will not make it to 7.0.4.
With 7.0.5 this bug will be fixed.
Excuse me if this has already been covered/solved. I upgraded to 7.0.4 last night and I am seeing the "Password expires in 0 days." message when connecting with GlobalProtect. At our site, I have also seen erroneous dates for password expiration on my Cisco AnyConnect clients and our support group has seen anomolies in Active Roles. The issue seems to have started with a change in our AD password policies. Here is what I could gather:
1. We changed our Active Directory 2008 r2 to use granular password policies. That seemed to set off this problem.
2. The admin said there is no AD object for granular settings that Palo Alto could use to calculate the correct password expiration value.
I'm trying to see if he can change the general AD settings to represent the expiration without using the granular settings.
From the 7.0.5 Release Notes :
Fixed an issue where some Active Directory (AD) servers were incorrectly displaying a Password expires in x days message even after selecting Password never expires on the AD server. With this fix, the AD server ignores the maximum password age (maxPwdAge) value when the Password never expires option is selected.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!