Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Opened: Oct 29, 2013 Severity: 5-Cosmetic Related Article:
K15184
When AD Query is configured in an Access Policy, and the password expiration warning is enabled, or the user password is expired and the user types the wrong original password, then password change fails. However, the BIG-IP system continues to prompt for new credentials until reaching the value specified for Max Password Reset Attempts Allowed and all attempts fail because the original password is incorrect.
Users are unable to complete an update of their AD password.
This issue occurs when all of the following conditions are met: - The BIG-IP APM access policy is configured to execute an AD query. - The session.logon.last.password session variable value, when hitting the AD query agent, does not contain the correct user AD password (either because it was incorrectly typed on the Logon Page or because it contains the password for another authentication method). - The user AD password is expired or the user authentication password expiration warning is enabled on the AD Query.
You can work around the problem in one of these ways. 1. Close the tab or browser and open the logon page in a new tab or new browser window. 2. In the same browser, remove everything after FQDN/ and click Enter. That will initiate a new session. 3. Change the configuration to prevent looping on the change password, as follows: -- On the VPE, create a Macro and move between Start to the AD Query (included) in the Macro. -- On the AD Query inside the Macro, set the "Max Password Reset Attempts Allowed" to 1. -- Set the "Maximum Macro Loop Count" of the Macro to 3. -- Call the created Macro right after the Start in the VPE.
None