Bug ID 435719: Misleading request to re-type new password

Last Modified: Jun 30, 2021

Affected Product:
BIG-IP APM(all modules)

Known Affected Versions:
11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Oct 29, 2013
Severity: 5-Cosmetic
Related AskF5 Article:
K15184

Symptoms

When AD Query is configured in an Access Policy, and either the password expiration warning is enabled or the user password is expired, and the user types the wrong original password, the password change fails. However, the BIG-IP system continues to prompt for new credentials until it reaches the value specified for Max Password Reset Attempts Allowed, and all attempts fail because the original password is incorrect.

Impact

Users are unable to complete an update of their AD password.

Conditions

This issue occurs when all of the following conditions are met:
- The BIG-IP APM access policy is configured to execute an AD query.
- The session.logon.last.password session variable value, when hitting the AD query agent, does not contain the correct user AD password (either because it was incorrectly typed on the Logon Page or because it contains the password for another authentication method).
- The user AD password is expired or the user authentication password expiration warning is enabled on the AD Query.

Workaround

You can work around the problem in one of these ways.
1. Close the tab or browser and open the logon page in a new tab or new browser window.
2. In the same browser, remove everything after FQDN/ in the address bar and press Enter. That will initiate a new session.
3. Change the configuration to prevent looping on the change password, as follows:
-- On the VPE, create a Macro and move everything between Start and the AD Query (inclusive) into the Macro.
-- On the AD Query inside the Macro, set the "Max Password Reset Attempts Allowed" to 1.
-- Set the "Maximum Macro Loop Count" of the Macro to 3.
-- Call the created Macro right after the Start in the VPE.

Fix Information

None

Behavior Change