Forum Discussion

Cory_Blankenshi
Sep 16, 2019

BIG-IP v14: Expired Password Prompt for Remote Auth Users

We recently upgraded from BIG-IP v13 to v14. We used remote authentication while on the previous version and users had no issue logging in with their AD credentials. After the upgrade, some of these users are being prompted by the BIG-IP to update their password because it is expired, but this is only on the BIG-IP.

 

When a password is actually expired, users will be prompted to change it when they try to log in to the employee portal. The same users prompted by the BIG-IP have no problem logging in to the employee portal. We've never seen this happen to users before and I have no idea what setting on the BIG-IP would enable/disable this check.

 

Does anyone know what controls this? Can it be disabled?

 

Thanks!

4 Replies

  • Hi,

     

    The configuration that allows changing the password is to follow this procedure:

    https://support.f5.com/csp/article/K15676

     

    The modification needs to be done in the "logon page"; you can find the procedure in the KB above. And when you set this configuration:

    "If the user account password change interval time has expired, the user is still required to update their password. In this scenario, authentication relies on the last password set. The BIG-IP APM AAA configuration does not require Active Directory privileges beyond read-only access."

     

    So check in the logon page whether you have configured the "change pwd" functionality on the impacted services.

     

    Keep me in touch.

     

    Regards,

      Cory_Blankenshi

      Hi Youssef,

       

      This issue only comes up when users are attempting to log in to the BIG-IP GUI. Any thoughts?

       

      Thanks again!

  • Hi,

     

    OK, sorry. Maybe the impacted user triggered the "Password policy". You can set an Expiration Warning, which specifies the number of days prior to password expiration that the system sends a warning message to a user.

     

    Can you check using this procedure:

    System -> Users -> Authentication

    Under Password Policy, locate the Secure Password Enforcement setting and set it to meet your needs.

     

    But can you confirm whether GUI auth is local or through AD?

    Are the impacted users local, or do they use AD? Because now you can fall back to local for authentication if AD fails to find the user.

     

    For more info:

    https://support.f5.com/csp/article/K15497

     

    Regards

      Cory_Blankenshi

      Hi Youssef,

       

      The user that raised the issue doesn't have a local account, so I wouldn't think it would be subject to a password policy on the F5. On that note, I don't have a password policy option under the authentication tab. Also, it's probably worth mentioning that local accounts we have use our Active Directory credentials.

       

      Thanks!