Bug ID 1147621: AD Query "Do not change password" does not take effect when RSA Auth agent is used

Last Modified: Apr 28, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2

Opened: Sep 07, 2022

Severity: 3-Major

Symptoms

When RSA auth is used along with AD query, the "Do not change password" checkbox on the Negotiate login page does not work as expected. Even though "Do not change password" is checked, the AD query receives the F5_challenge POST parameter containing the OTP content from the earlier RSA auth agent, and the PSO criteria are not met. When the user then clicks "logon", the page states 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the "New password" and "verify password" fields again.

Impact

User readability/experience: even though "Do not change password" is checked, the page prompts as if the user had entered the logon credentials.

Conditions

RSA Auth with OTP is used along with the AD query agent and the Negotiate logon page.

Workaround

If you click on "logon" again in the Negotiate page, it goes to the webtop (next agent) with the previous logon or last logon credentials.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips