Sharepoint with APM and expired AD-passwords

During further investigation including several F5 documentation I could found the following:

 

Active Directory password management

 

Access Policy Manager supports password management for Active Directory authentication. This works in the following order:

 

- Access Policy Manager uses the clients user name and password to authenticate against the Active Directory server on behalf of the client.

 

- If the clients user password on the Active Directory server has expired, Access Policy Manager returns a new logon page back to the client, requesting that the client change its password.

 

- After the client submits the new password, Access Policy Manager attempts to change the password on the Active Directory server.

 

If this is successful, the clients authentication is validated.

 

If the password change fails, it is likely that the Active Directory server rejected it because the password did not meet the minimum requirements such as password length.

 

Note: By default, users are given only one attempt to reset their password. However, an administrator can configure the max logon attempt allowed of the authentication agent to a value larger than 1, which gives users multiple opportunities to reset their passwords.

 

 

I'll play with this a little bit in the next days (as our APM license is not yet available) and let you know the results.

 

 

Ciao Stefan :)

 

Thanks for reporting back Stefan! Let us know if you run into any issues.

Ran into the same issue but this time is a little bit different. Since you can only have 1 domain controller on an APM AAA AD Authentication profile, the workaround is to setup a VS and a pool of Domain Controllers, so we have the VS:0 and poolmembers:0 and under the APM policy we say Authenticate using AD Virtual Server we created. This is working great for Authentication but when a user needs to change it's password because of AD password credential expired, APM promts the user to change the password but it fails and the user is stuck on that loop where it enters the credentials and new password does not get changed.

 

So the situation is the same as above but we are using a VS to be able to authenticate to multiple AD servers by load balancing. Any ideas?

 

Hi all, Have you solved the problem of expired password ? I have the same configuration presented by Maynor, no way to change password expired, apm log says:

 

 

01490107:3: a24a7299: AD module: change password for 'userxxxx' failed in krb5_change_password(): Cannot contact any KDC for requested realm (-1765328228)

 

 

Thanks

 

 

Check your administrator password. In 10.2 for example, it became case sensitive : http://support.f5.com/kb/en-us/solutions/public/12000/500/sol12522.html?sr=18225457

Hi all, I've also got the same setup as Maynor. When pointing the APM straight to a Domain Controller, pw change works correctly. But when it's going through the VS it fails (I tried just having a single Domain Controller in the pool but that still fails). The admin password is correct. Do I need to join the F5s to the domain?