Expiring password warning

Hello,
I am using the JDBC thin driver and have individual user-id's with expiring passwords. The security profile gives them 5 days of warning messages. I can see these messages if logging in with SQL*PLUS. But I would like to pick this up in the getConnection (or elsewhere if it exists).
I have tried getMessage and getSQLState from the SQLException but the exception is not even thrown.
Also, is it possible to discern between an expired password and an invalid (wrong) password in JDBC?
Thanks,
Don

Sorry for the delay. I had given up on getting a reply on this one. I also gave up on an elegant solution. So, after I connect successfully, I do a "SELECT expiry_date FROM user_users" to calculate it myself. As I recall, any grace period that may be part of the security profile must be added to the number of days until expiration.
I really think there's a better way to do this, so I will keep my eyes open.

Similar Messages

  • Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?

    What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
    We already send automated email notifications to users reminding them to change their soon-to-expire passwords.  However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation or just carelessness and lack of attention to email messages) or they see the warning messages and forget to act on it.
    When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user the reason they can't log in is because their password expired.  So, they end up confused and call the help desk to get their password reset.
    Is there a way to set up SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating their login failed for unknown reasons or password is "incorrect?"

    It could be done. You get a different event log entry for an expired login attempt than for a wrong password, 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
    A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
    For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
    There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
    http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132
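
Added example (not part of the original reply): a sketch of the log-checking tool suggested above, separating expired-password failures from wrong-password failures by the Status/SubStatus NTSTATUS codes that event 4625 records. The sample events are constructed, and the export is assumed to be event XML wrapped in a single root element.

```python
"""Added example: split 4625 logon failures by cause using Status/SubStatus."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes that event 4625 carries in its Status / SubStatus fields.
REASONS = {
    0xC0000064: "unknown_user",
    0xC000006A: "wrong_password",
    0xC0000071: "password_expired",
    0xC0000224: "must_change_password",
    0xC0000234: "account_locked",
    0xC0000072: "account_disabled",
}
NEEDS_PASSWORD_CHANGE = {"password_expired", "must_change_password"}

# Constructed sample data (users, domain and times are made up).
EVENT_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/></System>'
    '<EventData><Data Name="TargetUserName">{user}</Data>'
    '<Data Name="TargetDomainName">CORP</Data>'
    '<Data Name="Status">{status}</Data><Data Name="SubStatus">{sub}</Data>'
    '</EventData></Event>'
)
SAMPLE_ROWS = [
    ("4625", "2024-05-06T08:01:12Z", "alice", "0xc000006e", "0xc0000071"),
    ("4625", "2024-05-06T08:01:40Z", "alice", "0xc000006e", "0xc0000071"),
    ("4625", "2024-05-06T08:03:05Z", "bob", "0xc000006d", "0xc000006a"),
    ("4624", "2024-05-06T08:04:00Z", "carol", "0x0", "0x0"),
    ("4625", "2024-05-06T08:05:30Z", "dave", "0xc0000234", "0x0"),
]
SAMPLE_EVENTS = "<Events>" + "".join(
    EVENT_TEMPLATE.format(eid=e, ts=t, user=u, status=s, sub=b)
    for e, t, u, s, b in SAMPLE_ROWS
) + "</Events>"


def logon_failures(xml_text):
    """Yield (time, user, reason) for every 4625 event in the export."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        reason = "other"
        # SubStatus names the specific cause; Status is the broader one.
        for field in ("SubStatus", "Status"):
            try:
                code = int(data.get(field, "0"), 16)
            except ValueError:
                continue
            if code in REASONS:
                reason = REASONS[code]
                break
        yield when, data.get("TargetUserName", ""), reason


def users_to_notify(xml_text):
    """Map user -> failure times where the account needs a password change."""
    hits = defaultdict(list)
    for when, user, reason in logon_failures(xml_text):
        if reason in NEEDS_PASSWORD_CHANGE:
            hits[user].append(when)
    return dict(hits)


def failure_counts(xml_text):
    """Count 4625 events per reason, e.g. for a daily help-desk summary."""
    return Counter(reason for _, _, reason in logon_failures(xml_text))


if __name__ == "__main__":
    print(users_to_notify(SAMPLE_EVENTS))
    print(dict(failure_counts(SAMPLE_EVENTS)))
```

Only the users returned by users_to_notify need the "your password has expired" mail; wrong-password and lockout failures stay with the normal security review.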

  • SSH / Expired Passwords

    I've recently installed a batch of servers with Solaris 10 10/08 and have noticed that the way the Solaris sshd implementation deals with password change on login is different to previous versions of Solaris SSH and/or OpenSSH installed in our environment.
    When the user with expired password logs in, he is prompted for a new password. If this password does not meet the complexity standards set for user passwords, the user is then prompted for their original password again instead of being asked to add a valid new password. This has led to a lot of users locking out their accounts because they keep trying to put in the new password.
    The session output looks like this:
    ssh -l user server
    Password: <-Enter Existing Password Here
    Warning: Your password has expired, please change it now.
    New Password: <-Enter new password that does not meet password standards
    sshd-kbdint: The password must contain at least 1 uppercase alpha character(s).
    Password: <- System requests existing password again
    Warning: Your password has expired, please change it now.
    New Password: <-Enter new valid password
    Re-enter new Password: <-Re-enter new valid password
    sshd-kbdint: password successfully changed for user
    Any idea why this may be happening?
    Thanks.
    K

    Can you use ssh keys instead? This would allow using your own pass phrase associated with the key you create.
    ssh-keygen -t rsa
    Now copy the *$HOME/.ssh/id_rsa.pub* file to each site and append the *id_rsa.pub* file to the remote account's *.ssh/authorized_keys* file (repeat the copy and append 29 more times).
    Now you should be able to connect based on your ssh key and no longer need to enter the long convoluted password. Instead you just need to enter your own selected ssh key pass phrase.
    And you can use *ssh-add* after starting your Mac to add your pass phrase to the ssh-agent already running in the background. Once you do this, ssh will ask the ssh-agent before prompting you for a pass phrase it already knows.
    This should totally streamline your ssh and scp access to the 30 remote sites.

  • Resetting an Expired Password

    Hello All
    I am not sure if this is the right forum so please let me know if not.
    I currently have an ASP page that authenticates users against a Sun ONE LDAP server. The problem we seem to have is that when a user's password expires, we cannot bind anymore. The easiest way for us to sort this would be to get the "Password has expired" return code but I cannot work out how to do this in ASP.
    Or is the problem deeper than this and once a password has expired a user cannot reset it? Do we need to change something else to allow a user to bind with their old password to reset their password. Remembering we are trying to do this all with asp.net.
    Thanks
    D

    I also am ignorant of asp.net; however, Sun DS 6 has several features that can help solve your problem if you can figure out how to access them:
    1. If you configure the "expiration warning" feature in the password policy, once an entry's password is in the warning period, an unsolicited "expiration warning" control is returned with each bind. The control data is the seconds until expiration. Password policy configuration is documented in http://docs.sun.com/app/docs/doc/820-2491/fhkrj?a=view . You can search for "OID 2.16.840.1.113730.3.4.5" on google for info about the control. You should also become familiar with the unsolicited password expired control "OID 2.16.840.1.113730.3.4.4". These controls are also implemented in DS5.
    2. If you supply the bind (or most other) operation with the IETF draft password policy request control, Sun DS 6.1 and later return a (properly encoded) password policy response control containing password policy operational state. Search for "OID 1.3.6.1.4.1.42.2.27.8.5.1"
    3. Your application can request the operational state of an entry via the user status control in Sun DS 6.1 and later. Search for "OID 1.3.6.1.4.1.42.2.27.9.5.8"
    4. If you have implemented some form of expiration warning, then presumably the majority of your users will have changed passwords before expiration, and you can force the others to go through some self-service or help-desk password reset function (i.e., enable must-change-on-reset, then administratively change the user's password, forcing him/her to change it at next bind).
    5. If you want to allow users with an expired password to access the DS solely for the purpose of changing the password, see http://docs.sun.com/app/docs/doc/820-2491/6ne3dhdht?a=view#resetting-expired-passwords . If you do some more investigation on Sun DS (6.2 and later) implementation of the password modify extended operation (and ldappasswd), you should find details on enabling the extension to allow a user to change an expired password.
    6. You might also take a look at http://docs.sun.com/app/docs/doc/820-2490/6ne3cisoj?a=view#pwdpol for an overview of the new password policy implementation in DS6, compared to the DS5 password policy, and the strategy to migrate from DS5 to DS6.

  • Monitor multiple databases for expiring passwords?

    I have created a custom report in Grid Control that sends a daily report to the DBAs each morning that reports on nonresponsive agents, failed backups, policy violations, etc. I would like to add a section for expired passwords but I'm unable to find that information in the repository. The closest I've come is an alert for "There have been x failed login attempts in the last 30 minutes." but I'd like something that would alert me before the password expires, ideally some configurable number of days before the expiration. Is that information available in the repository? I have considered a user-defined metric but we monitor around 150 databases that do not have common usernames or passwords so I think that would be difficult to maintain.

    "I have considered a user-defined metric but we monitor around 150 databases that do not have common usernames or passwords so I think that would be difficult to maintain."
    The default profile and all our end-user profiles have password expiration set to 90 days.
    What I have done for now is decrease the threshold of the "Failed Login Count" metric to 3 for the Warning threshold since that is the number of attempts a user gets before locking the account. That at least will alert the DBAs if a user has locked an account or an application or automated process is attempting to connect to an expired account.
    What would be ideal is if I could report on passwords that have not yet expired but are near the expiration time without having to connect to each database to check but it appears that information is not available in the OEM repository.

  • Windows Server 2012 R2 - RD Gateway and expired passwords

    We got tired of script kiddies trying to brute force our old RDP servers, so we thought RD Gateway was a good idea and implemented this on our newest RDS servers.
    That worked fine until the first password change. The support phone got hot for some days.
    I understand after investigating the issue that expired has been a problem in the 2008/2008R2 version of RD Gateway.
    Are expired/change on first logon still a problem in 2012 R2? I find this strange after seeing all the old complaints.
    Is there any solution to this problem (other than running Citrix, which manages password change with no problems)?
    Jens Tore Fremmegaard ::.::.:: ServerParkering AS

    NLA is disabled. This was never a problem when we used 2008 servers.
    On our old 2008 (and 2003 before that) terminal servers the users have always had the opportunity to both change expired passwords and "change password on first logon".
    After migrating to 2012 none of them work.
    We have a script that warns the users prior to password expiry date, but there's always someone that waits too long. And then they have to call our support techs to get their passwords changed since password change is not working on the RDS servers.
    Of course they could change it through Exchange OWA, but try to tell that to the CEO that's used to only click their RDS shortcut.
    Jens Tore Fremmegaard ::.::.:: ServerParkering AS

  • Which attribute shows if a user has an expired password?

    DSEE 6.3
    I created my own password policy, and applied it to a single user.
    I would like to know which attribute shows if a user has an expired password, and how do I query that attribute for the user. How would I query the time till expiration as well?
    I am basically looking for example queries to such information.
    thanks,

    My limited experience with this sort of thing is to run a query like the following:
    ldapsearch -1TL -h `hostname` -D 'cn=Directory Manager' -b "dc=<your dc>,dc=com" uid=<uid your choice> pwdAccountLockedTime pwdFailureTime pwdLastAuthTime pwdChangedTime passwordRetryCount nscpentrywsi
    This dumps some helpful stuff. I've noticed ... in our ldap instance that a locked account has the following output:
    pwdAccountLockedTime: 000001010000Z
    I don't know why it shows up that way ... but it's something I can key on and search for to find locked accounts. Not necessarily an indication that a password has expired, of course, but sort of interesting to me. An account can be locked for other reasons obviously.
    I think pwdChangedTime might be what you want assuming you know what the password expiration time is set to ...

  • Changing the password warning message

    The password component of our credit card statement comprises of upper case alphabets only. However, if i enter an incorrect password, it gives us a warning message that "Please make sure your caps lock is not on by mistake". This is an incorrect message for us since the password works only with the upper case in our scenario. Please help in changing this warning message while trying to open the PDF. Am also attaching the screen shot.

    This is just a general 'incorrect password' warning, with a suggestion for a very common mistake.  I don't think the checking mechanism actually checks for upper/lower case characters.

  • Cisco ISE - User with expired password is forced to logoff before they can change password.

    I came across a situation today where a user was logged into a laptop with an expired password and could not change it by simply locking the computer and logging in with the correct credentials. (They had previously changed it on their main computer) The port restricted any communication since the user was failing authentication.
    So, I had the user log out and immediately the computer authenticated, and the user was able to log in with the correct credentials.   I don't want my users to have to log out completely in this situation.  Below is the port config and the ISE error messages.
     switchport access vlan 423
     switchport mode access
     switchport block unicast
     switchport voice vlan 425
     ip arp inspection limit rate 10
     ip access-group ACL-LOW-IMPACT-MODE in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity server
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     dot1x pae authenticator
     dot1x timeout tx-period 3600
     spanning-tree portfast
     spanning-tree bpduguard enable
     ip dhcp snooping limit rate 100

    Completely forgot about odac version. I have ODT with ODAC 102.02 installed.
    I want to download new drivers from here:
    Oracle10g Release 2 ODAC and Oracle Developer Tools for Visual Studio .NET
    http://download.oracle.com/otn/other/ole-oo4o/ODTwithODAC1020221.exe
    And old drivers from here (just for testing)
    Oracle Developer Tools for Visual Studio .NET 10.1.0.4.0
    http://download.oracle.com/otn/other/ODT10104.exe
    Does anybody know something about these releases? Do they have the same behavior?
    Thanks.

  • 802.1X cannot change expired password at login

    Hi all,
    I'm trying to roll out 802.1X authentication for wifi access at my company, however there's one major problem I can't for the life of me figure out. I'm not able to get the Macs to prompt for a password change when the password has expired at login.
    On Windows when you log in it will prompt you to change your password when it's expired. However on OSX when you're on the workstation login screen, you can see the wireless icon briefly connect, then it will think for a bit and the user cannot log in at all.
    OSX can definitely change expired passwords via 802.1X, as if I log into a local account and connect to the wifi with the user whose password has expired, it will prompt to change it, and changes it successfully.
    I'm using NPS for RADIUS authentication against AD, and using Profile Manager in OSX Server to create the 802.1X profile.
    Does anyone have any experience with OSX and using WPA Enterprise/802.1X Profiles?
    Thanks!

    Hi,
    Can you post a screenshot for this situation?
    Sometimes, the third party credential provider would lead to some issue like this, I suggest you check the current credential provider via the following path:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\x\LastLoggedOnProvider
    You should compare the result with the values in the following path:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\credential providers
    If the current value is third party credential provider, try to disable it:
    To disable the provider add a REG_DWORD value "Disabled"=1 to that provider’s CLSID subkey.
    The provider will be disabled on the next session creation (sessions are created when you log off, switch users, or reboot).
    Alex Zhao
    TechNet Community Support

  • What is the role of the Email Def field in 'Password Warning Task'?

    I created a custom Email Def in DC and provided its name in 'Email Definition Name' field under Parameters. But when I ran the job, that email def was not picked for sending email. Instead a notification template 'Password Warning Notification' was used.
    Not understanding the role of the 'Email Definition Name' field.
    Thanks

    The Notification framework has taken over the OOTB Email functionality and Email Definition from The Design Console is not used OOTB...
    However, it is still provided for the sake of back-ward compatibility..
    Also, you can still use the Email Definition from DC in your custom java code to send Emails... We still do it in some projects...
    To learn more about Notification services follow this link:-
    If it is OIM 11G R2
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/notpart.htm#sthref1373
    And if it is OIM 11G R1:-
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/notification.htm#OMADM4443

  • Changing expired password on a backend database from a frontend database

    I have a split database with an Oracle backend (BE) and MS Access frontend (FE). My question is how to reset an expired password on the BE from the FE.
    If I log on to the backend via sqlplus an error ORA-28001 (Password expired) occurs and the system immediately prompts for a new password before completing the login process.
    If I log on from the frontend I get the same ORA error from the BE, but as far as I can tell, I can't reset the password from the FE.
    I can capture the error fine at the FE and I am thinking that I could use this to open a dialog to reset the password and change it over the ODBC connection. The problem is that I need to get a connection to the BE database before sending a command to change the password from the FE, but since login cannot be completed from the FE, because of the expired password, I can't get an ALTER USER statement to execute on the BE to reset the password.
    Is there a way to change a pre-expired password on an Oracle backend database from a frontend database? I don't see this as an Oracle/Access problem but as a problem that exists for any split database.

    I have thought about this a little and I am thinking about keeping a table of password update information. I can use this to create a "soft" expired password, using an expiration date in the table for each account. If the password is expired by the database then we can just update it with sqlplus or one of the other options.
    As far as getting the organization to change it is waaaay too big and stupid to change their policy.

  • Simple Interface expired password change prompt

    We have a population of users who access GW exclusively through WebAcc. Some of this population has jumped on the mobile device bandwagon and so we've directed them to the simple interface when accessing GW from a mobile device.
    Some of these mobile device users now exclusively use the simple interface on their tablet/phone to access GW and when their password is expired, are never presented with the password change dialogue.
    I've verified when user with an expired password navigates directly to the simple interface url , https://gwserver/gw/webacc?User.interface=simple, either on a mobile device or desktop browser, IE, FF, Chrome, the user consumes a grace login and is taken directly to the simple interface mailbox.
    Resetting grace logins and navigating to the standard webacc interface the GW password change dialogue is presented as expected.
    GroupWise 8.0.1 webacc on netware. I think we'd refrained from going to newer releases in fear of some nasty bugs in the subsequent versions, but I've not kept current on issues with the latest release.
    I understand the next GW version with native mobile device templates is around the corner, but management may want to address this sooner.
    Is this failure to recognize password expiry in the simple interface a known behavior?
    Regards,
    Fdiaz

    On 8/8/2011 8:36 AM, vodobaas wrote:
    > We have a population of users who access GW exclusively through WebAcc.
    > Some of this population has jumped on the mobile device bandwagon and so
    > we've directed them to the simple interface when accessing GW from a
    > mobile device.
    > Some of these mobile device users now exclusively use the simple
    > interface on their tablet/phone to access GW and when their password is
    > expired, are never presented with the password change dialogue.
    >
    > I've verified when user with an expired password navigates directly to
    > the simple interface url ,
    > https://gwserver/gw/webacc?User.interface=simple, either on a mobile
    > device or desktop browser, IE, FF, Chrome, the user consumes a grace
    > login and is taken directly to the simple interface mailbox.
    > Resetting grace logins and navigating to the standard webacc interface
    > the GW password change dialogue is presented as expected.
    > GroupWise 8.0.1 webacc on netware. I think we'd refrained from going to
    > newer releases in fear of some nasty bugs in the subsequent versions,
    > but I've not kept current on issues with the latest release.
    > I understand the next GW version with native mobile device templates is
    > around the corner, but management may want to address this sooner.
    >
    > Is this failure to recognize password expiry in the simple interface a
    > known behavior?
    >
    > Regards,
    > Fdiaz
    I'll ask.

  • Changing expired password with OCIPasswordChange

    I know that ODP.NET has a option to open a connection with a new password when the old one has expired. I'm using System.Data.OracleClient from .Net instead of ODP because I'm using the Instant Client, which does not seem to work with ODP. Can somebody tell me how to call OCIPasswordChange?

    Hi,
    OCIPasswordChange is an OCI call. You'd have to write a complete OCI application in C to be able to use that, and OCI coding isn't for the faint of heart.
    I do have a complete OCI sample that does it though.. here you go.
    Cheers,
    Greg
    This sample demonstrates the use of OCIPasswordChange once the
    password has expired, which requires setting the session into
    the service context. Tested with oci 8.1.5, vc++ 6.0 sp3.
    first create the user with expired password:
    SQL> create user testuser identified by oldpass password expire;
    SQL> grant create session to testuser;
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <oci.h>

    static OCIEnv     *p_env;
    static OCIError   *p_err;
    static OCIServer  *p_srv;
    static OCISession *p_ses;
    static OCISvcCtx  *p_svc;

    int main(void)
    {
         sword    rc;
         text     errbuf[512];
         sb4      errcode = 0;

         // Step 1: Initialize OCI
         rc = OCIInitialize((ub4) OCI_DEFAULT, (dvoid *)0,
              (dvoid * (*)(dvoid *, size_t)) 0,
              (dvoid * (*)(dvoid *, dvoid *, size_t))0,
              (void (*)(dvoid *, dvoid *)) 0 );
         // Step 2: Initialize the OCI environment
         rc = OCIEnvInit( (OCIEnv **) &p_env, OCI_DEFAULT, (size_t) 0, (dvoid **) 0 );
         // Step 3: Initialize the OCI handles
         rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_err, OCI_HTYPE_ERROR,
              (size_t) 0, (dvoid **) 0);
         rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_svc, OCI_HTYPE_SVCCTX,
              (size_t) 0, (dvoid **) 0);
         rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_srv, OCI_HTYPE_SERVER,
              (size_t) 0, (dvoid **) 0);
         rc = OCIHandleAlloc((dvoid *) p_env, (dvoid **)&p_ses, (ub4) OCI_HTYPE_SESSION,
              (size_t) 0, (dvoid **) 0);
         // Step 4: Connect using a multi-session connect
         rc = OCIServerAttach( p_srv, p_err,
              (text *)"local", 5, 0);
         // Create a server context
         rc = OCIAttrSet( (dvoid *) p_svc, OCI_HTYPE_SVCCTX,
              (dvoid *)p_srv, (ub4) 0,
              (ub4) OCI_ATTR_SERVER, (OCIError *) p_err);
         // Create a session context
         rc = OCIAttrSet((dvoid *) p_ses, (ub4) OCI_HTYPE_SESSION,
              (dvoid *) "testuser", (ub4) 8,
              (ub4) OCI_ATTR_USERNAME, p_err);
         rc = OCIAttrSet((dvoid *) p_ses, (ub4) OCI_HTYPE_SESSION,
              (dvoid *) "oldpass", (ub4) 7,
              (ub4) OCI_ATTR_PASSWORD, p_err);
         rc = OCIAttrSet((dvoid *) p_svc, (ub4) OCI_HTYPE_SVCCTX,
              (dvoid *) p_ses, (ub4) 0,
              (ub4) OCI_ATTR_SESSION, p_err);
         // Open the session on the server
         rc = OCISessionBegin ( p_svc, p_err, p_ses, OCI_CRED_RDBMS,
              (ub4) OCI_DEFAULT);
         // This is a generic error checking routine
         if (rc != 0)
         {
              OCIErrorGet((dvoid *)p_err, (ub4) 1, (text *) NULL, &errcode,
                   errbuf, (ub4) sizeof(errbuf), OCI_HTYPE_ERROR);
              printf("Error - %.*s\n", (int) sizeof(errbuf), (char *) errbuf);
              // If the error is a 28001, change the password.
              if (errcode == 28001)
              {
                   // You need to set the Session into the service context
                   // before you can call OCIPasswordChange(), and you also need
                   // to allocate both the session and service context handles
                   // before hand. Then you can call OCIPasswordChange.
                   rc = OCIAttrSet((dvoid *)p_svc, OCI_HTYPE_SVCCTX,
                        (dvoid *)p_ses,0,OCI_ATTR_SESSION, p_err);
                   // Lengths are the string lengths without the terminating NUL.
                   rc = OCIPasswordChange(p_svc, p_err, (text *) "testuser", 8,
                        (text *) "oldpass", 7, (text *) "newpass", 7, OCI_DEFAULT);
                   if (rc != 0) printf("Password change failed.\n");
                   else printf("Password successfully changed.\n");
              }
         }
         // Step 10: Disconnect from the server and free the handles
         rc = OCIServerDetach( p_srv, p_err, OCI_DEFAULT );
         rc = OCIHandleFree((dvoid *) p_ses, OCI_HTYPE_SESSION);
         rc = OCIHandleFree((dvoid *) p_srv, OCI_HTYPE_SERVER);
         rc = OCIHandleFree((dvoid *) p_svc, OCI_HTYPE_SVCCTX);
         rc = OCIHandleFree((dvoid *) p_err, OCI_HTYPE_ERROR);
         printf("Disconnected.\n\n");
         return 0;
    }

  • Change expired password using oracle jdbc thin driver

    Hello,
    I have a java program that uses the oracle jdbc thin driver (ojdbc6 - version 11.2.0.3) for database connection. My question is if I have any possibility to change an expired password (java.sql.SQLException: ORA-28001: the password has expired) using the thin driver - NOT OCI?

    No - the thin driver doesn't have any password management features.
