Kalpesh Mistry1709156584 Posted October 16, 2019

Netscaler - V11.0 71.22 nc

We have a Netscaler accessing Storefront. Both are configured so that users are allowed to change their password.

So I'm aware that the Netscaler will only prompt a user that their password has expired and will NOT warn the user when the password is about to expire.

We are seeing that random users never receive the Password Expired message even when their AD account has the flag "Password Never Expires" disabled. These users are able to sign into the gateway with their expired password and launch the app, but are then disconnected when the published app's Windows OS recognises that their password has expired (security event logs).

Anyone come across this? Could this be a client browser setting that's failing to display the message?

Thanks
Kal

Julian Jakob Posted October 16, 2019

Hi,

check your LDAP Auth Policies on your NetScaler Gateway. It should be at a minimum of TLS 389, better use SSL 636 (LDAPS), and there is an option "Allow Password changes"; this also includes if a password is expired, then your users are allowed to set a new password when logging in via Gateway.

What's your setting at StoreFront Receiver for Web? Are you using the password warning from Active Directory, GPO, or did you set your own warning interval?

Best Regards
Julian

Kalpesh Mistry1709156584 (Author) Posted October 17, 2019

Hi Julian

The setup we have does use SSL 636 and the "Allow Password changes" is ticked on the LDAP policy.

I can see that the password expired message does work when I test it myself with an account which has the "Change password at next login" ticked.

The issue is that we have reports of some users seeing the message when their password has expired, but there are many other users that never see the message and the gateway seems to accept the expired password. It's only after they launch their apps and get disconnected that we see events on the Windows OS Security log showing the user's account has become locked.

This is what's making me think it may be a client browser setting that may be preventing the "password expired" message from being displayed?

Regards
Kal