Running Policy Server when a User has his password expired in Active Directory User Store, the Policy Server still accept the User credentials. We have set the password policy to lock out the account when it reach 5 attempts, but the user can still login in.
Why do we have this problem and how can we solve it ?
The following fix brought in Policy Server 12.52SP1CR05 has introduced the problem :
00250192 DE101595 The Authreason codes from Policy Server are not same as the AD response irrespective of the status of isADEnhanced.
A functional impact occurred with the default behavior for the password services not working as expected as the redirect URLs attributes are not sent back in response to agents for the scenarios like "PasswordExpired", "MaxloginFail" attempts etc.
The reason for this behavior is that, previously for both "PasswordExpired" and "PasswordMustChange" there was the same authreason is used and we set redirect based on that single authreason only.
This is applicable for the scenarios "MaxLoginAttemptsFailed" and also "Account Disabled", which were considered the same earlier and they should be treated differently.
Policy Server 12.52SP1CR05 on Windows 2008 R2;User Store on Active Directory;
This issue is fixed in Policy Server 12.52SP1CR06
User is not prompted for password change though the password is expired and locked out user credentials are accepted.