In a Policy Server 12.52 SP1 CR1 with a Microsoft Active Directory 2008 User Directory, enhanced AD integration enabled and the LDAP namespace, we expect a login with an account whose password has expired to be redirected to the password change page. Instead, when we log in with the expired password, the user is successfully authenticated and authorized, and no redirection to the password change page takes place. How can we fix this?
It was found that there is special handling for the Password Expired case (AD bind error data 532) and, from the code, the expected outcome is a redirection to the password change page, which is not happening. The caller of this function ignores the nReason value and authenticates the user based only on the Boolean return value (true), so the expired password is accepted as a successful login.
- Policy Server 12.52 SP1 CR1
- User Directory: Microsoft Active Directory 2008
- Enhanced AD integration enabled
- LDAP namespace used
- Fine-grained password policy used on AD, with the user's account password expired in AD, so that the user attributes are set as follows:
  - msDS-User-Account-Control-Computed = n = (Password_Expired)
  - userAccountControl = 0x200 = NORMAL_ACCOUNT
The following registry value has been added:

ADPasswordPolicyPrioritySet under HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider

ADPasswordPolicyPrioritySet, Type: DWORD, Value: 1 to enable, 0 to disable
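The following PowerShell snippet is an added example of applying and checking that registry value; it is not part of the article and not vendor-supplied code. It assumes the Policy Server runs on Windows and that the session is elevated (Administrator), and uses only the key path, value name and DWORD values stated above.

```powershell
# Added example (not from the KB article): set and verify the
# ADPasswordPolicyPrioritySet DWORD on a Windows Policy Server.
# Assumption: run from an elevated PowerShell session on the Policy Server host.
$KeyPath = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider'
$Name    = 'ADPasswordPolicyPrioritySet'
$Enabled = 1   # 1 = enable, 0 = disable (values from the article)

# Create the LDAPProvider key only if it is missing
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Create the value, or overwrite it if it already exists, as a DWORD
New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Enabled -Force | Out-Null

# Read the value back and fail loudly if it does not match what was requested
$Current = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
if ($Current -ne $Enabled) {
    throw "$Name is $Current, expected $Enabled"
}
Write-Output "$Name = $Current (DWORD) under $KeyPath"
```

Restart the Policy Server after the change so the LDAPProvider settings are re-read, then re-test with a user whose password is expired in AD: the expected result is the redirection to the password change page rather than a successful authorization. On a UNIX Policy Server the equivalent setting is made in the sm.registry file instead of the Windows registry.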