When a user's password has expired in the Active Directory user store, the Policy Server still accepts the user's credentials. We have set the password policy to lock out the account when it reaches 5 attempts, but the user can still log in.
Why do we have this problem and how can we solve it?
The following fix, delivered in Policy Server 12.52SP1CR05, introduced the problem:
00250192 DE101595 The Authreason codes from Policy Server are not same as the AD response irrespective of the status of isADEnhanced.
This had a functional impact: the default behavior of Password Services no longer worked as expected, because the redirect URL attributes were not sent back in the response to the agents for scenarios such as "PasswordExpired" and "MaxLoginFail" attempts.
The reason for this behavior is that previously the same authreason was used for both "PasswordExpired" and "PasswordMustChange", and the redirect was set based on that single authreason only.
The same applies to the "MaxLoginAttemptsFailed" and "Account Disabled" scenarios, which were previously treated as the same but should be handled differently.
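The following is an added illustration of the root cause described above; it is constructed for this article and is not Policy Server or SiteMinder code. It models two tables: the authreason code assigned to each directory state, and the redirect URL registered per authreason. When the codes are made distinct (as in CR05) but the redirects are still keyed on the older collapsed codes, the deny response carries no redirect, which is the symptom reported. The code names (PW_EXPIRED, PW_CHANGE, LOCKED and so on) and the URLs are assumptions chosen for the example, not the product's real constants.

```python
"""Constructed model of how per-scenario authreason codes drive redirects.

Not Policy Server code: the state names, authreason code names and redirect
URLs below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional


class AdState(Enum):
    """Account conditions the directory can report back to the Policy Server."""
    OK = auto()
    PASSWORD_EXPIRED = auto()
    PASSWORD_MUST_CHANGE = auto()
    MAX_LOGIN_ATTEMPTS_FAILED = auto()
    ACCOUNT_DISABLED = auto()


# Older mapping (hypothetical names): two distinct directory states collapse
# onto one authreason, so the agent cannot tell them apart.
LEGACY_AUTHREASON: Dict[AdState, str] = {
    AdState.OK: "OK",
    AdState.PASSWORD_EXPIRED: "PW_CHANGE",
    AdState.PASSWORD_MUST_CHANGE: "PW_CHANGE",
    AdState.MAX_LOGIN_ATTEMPTS_FAILED: "LOCKED",
    AdState.ACCOUNT_DISABLED: "LOCKED",
}

# Mapping aligned with the directory response: one authreason per state.
DISTINCT_AUTHREASON: Dict[AdState, str] = {
    AdState.OK: "OK",
    AdState.PASSWORD_EXPIRED: "PW_EXPIRED",
    AdState.PASSWORD_MUST_CHANGE: "PW_MUST_CHANGE",
    AdState.MAX_LOGIN_ATTEMPTS_FAILED: "MAX_LOGIN_FAIL",
    AdState.ACCOUNT_DISABLED: "ACCOUNT_DISABLED",
}

# Redirect tables keyed by authreason (hypothetical URLs).
LEGACY_REDIRECTS: Dict[str, str] = {
    "PW_CHANGE": "/pwservices/change.html",
    "LOCKED": "/pwservices/locked.html",
}
DISTINCT_REDIRECTS: Dict[str, str] = {
    "PW_EXPIRED": "/pwservices/expired.html",
    "PW_MUST_CHANGE": "/pwservices/change.html",
    "MAX_LOGIN_FAIL": "/pwservices/locked.html",
    "ACCOUNT_DISABLED": "/pwservices/disabled.html",
}


@dataclass(frozen=True)
class AuthResponse:
    accepted: bool
    authreason: str
    redirect: Optional[str]


def authenticate(state: AdState, password_matches: bool,
                 authreason_map: Dict[AdState, str],
                 redirect_map: Dict[str, str]) -> AuthResponse:
    """Build the response an agent would receive for a given directory state.

    Credentials are accepted only when the password matches AND the directory
    reports no blocking condition. Any other state is a deny carrying the
    redirect registered for its authreason, or None when none is registered.
    """
    reason = authreason_map[state]
    accepted = password_matches and state is AdState.OK
    redirect = None if accepted else redirect_map.get(reason)
    return AuthResponse(accepted, reason, redirect)


def unroutable_states(authreason_map: Dict[AdState, str],
                      redirect_map: Dict[str, str]) -> List[AdState]:
    """Return deny states whose authreason has no redirect registered.

    A non-empty result is the mismatch the article describes: reason codes
    made distinct while the redirects are still keyed on the older codes.
    """
    return [s for s, code in authreason_map.items()
            if s is not AdState.OK and code not in redirect_map]


if __name__ == "__main__":
    for label, codes, redirects in (
        ("collapsed codes + matching redirects", LEGACY_AUTHREASON, LEGACY_REDIRECTS),
        ("distinct codes + legacy redirects", DISTINCT_AUTHREASON, LEGACY_REDIRECTS),
        ("distinct codes + per-code redirects", DISTINCT_AUTHREASON, DISTINCT_REDIRECTS),
    ):
        resp = authenticate(AdState.PASSWORD_EXPIRED, True, codes, redirects)
        print(f"{label}: accepted={resp.accepted} reason={resp.authreason} "
              f"redirect={resp.redirect} unroutable={unroutable_states(codes, redirects)}")
```

Running the script shows the three configurations side by side: the collapsed mapping redirects but cannot distinguish an expired password from a forced change, the mixed configuration denies with no redirect at all, and the per-code table yields a distinct reason and a redirect for each state. The `unroutable_states` check is the kind of consistency test worth running whenever reason codes and redirect settings are changed independently.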
This issue is fixed in Policy Server 12.52SP1CR06:
00474687 DE237816
User is not prompted for a password change even though the password is expired, and locked-out user credentials are accepted.