Excuse me if this has already been covered/solved. I upgraded to 7.0.4 last night and I am seeing the "Password expires in 0 days." message when connecting with GlobalProtect. At our site, I have also seen erroneous dates for password expiration on my Cisco AnyConnect clients and our support group has seen anomolies in Active Roles. The issue seems to have started with a change in our AD password policies. Here is what I could gather:
1. We changed our Active Directory 2008 r2 to use granular password policies. That seemed to set off this problem.
2. The admin said there is no AD object for granular settings that Palo Alto could use to calculate the correct password expiration value.
I'm trying to see if he can change the general AD settings to represent the expiration without using the granular settings.
... View more