MutonUfoAI / pgina

pGina fork: Open Source Windows Authentication
http://mutonufoai.github.io/pgina
BSD 3-Clause "New" or "Revised" License

Some users get asked to changed pw on windows 10 login #84

Open ghost opened 6 years ago

ghost commented 6 years ago

I have an issue I cannot figure out.

We use LDAP as login and it's been working just fine since we set it up last time. Now some users, on some machines (not all), seem to be asked to change their password upon login. They are told the following: The user's password must be changed before signing in

I have been spotty in reproducing the issue, but today user A had the issue, while on another machine the issue was not present. I checked the Windows "local security policy" and both have a max age of 42 days, so this shouldn't be the issue. And I see nowhere in pGina that we check the password age?

Am I missing something obvious here?

My own user logs in on the affected machine just fine. So do some other users, so it must be a password age somewhere that gets picked up. Not sure it's pGina's fault.

Any ideas?

MutonUfoAI commented 6 years ago

If a user is marked as "user must change password at next logon" he will be asked for a new password. It's also possible that it came from the LDAP side, if you run Samba or an AD.

It's always a good idea to take a look into the pGina log %ProgramFiles%\pGina.fork\log\pGina.Service.ServiceHost_log.txt

ghost commented 6 years ago
2017-10-24 08:28:57,784 [4316|24|DEBUG] LdapServer: Attempting bind as uid=est,ou=people,dc=domain,dc=com
2017-10-24 08:28:58,378 [4316|24|DEBUG] LdapServer: Successful bind to ldap.domain.com as uid=est,ou=people,dc=domain,dc=com
2017-10-24 08:28:58,378 [4316|24|DEBUG] LdapServer: LDAP DN uid=est,ou=people,dc=domain,dc=com successfully bound to server, return success
2017-10-24 08:28:58,378 [4316|24|INFO ] LdapServer: ntplist:ldap.domain.com 
2017-10-24 08:28:58,409 [4316|24|DEBUG] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: 0f52390b-c781-43ae-bd62-553c77fa4cf7 Succeeded
2017-10-24 08:28:58,409 [4316|24|INFO ] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: Successfully authenticated est
2017-10-24 08:28:58,409 [4316|24|DEBUG] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: Authorizing user est, 0 plugins available
2017-10-24 08:28:58,409 [4316|24|INFO ] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: Successfully authorized est
2017-10-24 08:28:58,425 [4316|24|DEBUG] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: Processing gateways for user est, 2 plugins available
2017-10-24 08:28:58,425 [4316|24|DEBUG] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: Calling 0f52390b-c781-43ae-bd62-553c77fa4cf7
2017-10-24 08:28:58,425 [4316|24|DEBUG] LdapPlugin: LDAP Plugin Gateway
2017-10-24 08:28:58,425 [4316|24|DEBUG] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: Calling 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d
2017-10-24 08:28:58,440 [4316|24|DEBUG] LocalMachine: AuthenticatedUserGateway(65c1d4ac-0585-4bb6-b6e3-5ccc48303908) for user: est
2017-10-24 08:28:58,440 [4316|24|DEBUG] LocalAccount[est]: SyncToLocalUser()
2017-10-24 08:28:58,534 [4316|24|DEBUG] LocalAccount[est]: Checking for groups to remove.
2017-10-24 08:28:58,550 [4316|24|DEBUG] LocalAccount[est]: Checking for groups to add
2017-10-24 08:28:58,550 [4316|24|DEBUG] LocalAccount[est]: End SyncToLocalUser()
2017-10-24 08:28:58,565 [4316|24|INFO ] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: Successfully processed gateways for est
2017-10-24 08:28:58,565 [4316|24|DEBUG] PluginDriver:65c1d4ac-0585-4bb6-b6e3-5ccc48303908: End login chain, 1 stateful plugin(s).
2017-10-24 08:28:58,565 [4316|24|DEBUG] LdapPlugin: EndChain
2017-10-24 08:28:58,565 [4316|24|DEBUG] LdapServer: Closing LDAP connection to ldap.domain.com.
2017-10-24 08:28:58,565 [4316|24|ERROR] Abstractions: LogonUser error:The user's password must be changed before signing in
2017-10-24 08:28:58,565 [4316|24|INFO ] Abstractions: ProfileList key found S-1-5-21-671953231-1674554500-1571513035-1013
2017-10-24 08:28:58,581 [4316|24|INFO ] pGina.Service.Impl: ses add LocalProfilePath:[C:\Users\est]
2017-10-24 08:28:58,581 [4316|24|INFO ] pGina.Service.Impl: add user est to sessioninfo:3 GUID:65c1d4ac-0585-4bb6-b6e3-5ccc48303908 CREDUI:false
2017-10-24 08:28:58,581 [4316|24|INFO ] pGina.Service.Impl: ses username:est description:pGina created credui:False isLoggedIN:False

ghost commented 6 years ago

There is a fresh log from today, but what I find odd is that on another machine the same user works. So I kinda rule out the LDAP being the issue, and want to focus on the specific machine in question. Though I have no idea, even from the log, why it wants to change the password.

MutonUfoAI commented 6 years ago

Abstractions: LogonUser error:The user's password must be changed before signing in

is not set by pGina; it's coming from here https://github.com/MutonUfoAI/pgina/blob/d1a36b71c757652fc4a84281c4ffa003afbc8911/pGina/src/Abstractions/Windows/User.cs#L231 and, because https://github.com/MutonUfoAI/pgina/blob/d1a36b71c757652fc4a84281c4ffa003afbc8911/pGina/src/Abstractions/Windows/User.cs#L233 failed, it falls back to https://github.com/MutonUfoAI/pgina/blob/d1a36b71c757652fc4a84281c4ffa003afbc8911/pGina/src/Abstractions/Windows/User.cs#L242 which returns https://github.com/MutonUfoAI/pgina/blob/d1a36b71c757652fc4a84281c4ffa003afbc8911/pGina/src/Abstractions/Windows/User.cs#L62

ProfileList key found S-1-5-21-671953231-1674554500-1571513035-1013

I've reactivated my test Samba LDAP setup to verify that the password expiry function of the LDAP plugin is working. It does work and returns on the Windows logon mask: "The user's password must be changed before logging on the first time." The pGina log shows "LdapServer: Password expired". pGina sets STATUS_PASSWORD_MUST_CHANGE, but you are getting STATUS_PASSWORD_EXPIRED, which means Windows has marked the user's pwd, not pGina.

ghost commented 6 years ago

Those were exactly my thoughts... but I don't know WHERE... do you have any idea?

I found the reg entry mentioned, and I see no mention of the username nor any setting regarding the password there. But then again I don't know much about the Windows registry :(

I mean there are no local users on the machine except an 'admin' user. At least not in the UI, and I'm not a huge Windows expert in this regard. Assuming it must be something in the registry then. But no idea where and no idea why it was even set :(

ghost commented 6 years ago

Hmm, okay, this is getting stranger.

As a cowboy debug I tried to delete the reg entry mentioned in the pgina.fork log... and same error. Still referring to this entry despite regedit saying it does not exist anywhere in the reg db.

Suggestions are more than welcome :)

MutonUfoAI commented 6 years ago

I had the same issue with a user today and remembered this problem. Once in a while a user is requested to change his pwd even though the logon process was successful. It's impossible to replicate this issue; it comes out of the blue.

I'm not sure that I can find a way to work around this "bug".....

ghost commented 6 years ago

For me it's consistent, and yesterday I saw it on a second machine. But each time the user has tried numerous times and each time gets prompted for a password change.

I have yet to find out what creates this issue.

And I must admit I have almost no clue left to debug the issue. The log mentions some reg entries that I even tried deleting. Same entry in the log though, despite the reg entry missing. Any ideas?

MutonUfoAI commented 6 years ago

Enable "Scramble password after logout" in the Local Machine plugin; possibly this could "fix" your problem.

ghost commented 6 years ago

It seems like a good idea, but I can't fix it since no users can log in atm to get their passwords scrambled. What is the code used to scramble them? Maybe I could run it manually to allow them to log in in the first place?

MutonUfoAI commented 6 years ago

Change the pwd to whatever you want; pGina will set it anyway as soon as the user authenticates again. This is exactly what the pwd scramble would do.

ghost commented 6 years ago

I can confirm this so far works.

I used the "net user <random-password" command to set a new password for a user and then he could log in. I have since enabled the scramble-upon-logout setting.

Will the local-machine plugin still work/run even when the auth is occurring with the LDAP plugin? Just to be sure the scramble is actually happening.

ghost commented 6 years ago

This would of course not solve the issue of a user being away for an extended period of time. Then, after e.g. a vacation, logins could be faulty. So I think I need to implement some sort of automatic scramble of all local users once a week or similar.

MutonUfoAI commented 6 years ago

Will the local-machine plugin still work/run even when the auth is occurring with the LDAP plugin? Just to be sure the scramble is actually happening.

You need to activate notification for the LocalMachine plugin.

malat commented 6 years ago

Does "Scramble password after logout" prevent laptop users from logging in when not connected to the network?

MutonUfoAI commented 6 years ago

@malat Yes. The local machine plugin would set a random password during logoff.

ghost commented 6 years ago

Seems our solution was 3 parts.

  1. Enable the scramble password (as a precaution, as it doesn't solve the issue directly, since we cannot log in as the affected users)
  2. Scramble passwords manually (or through a script) using the "net user XXXXX " command
  3. Set the max password age policy to 0 or a high number like 999. This can be seen if you run "net user XXXX"; depending on the group policy value, the password expiration should be reflected there. However this does not on its own fix the issue if the password has already been marked as due for a change.

So step 2 fixes the immediate issue, and step 3 fixes it for future users and logins. Step 1 is for security and extra safeguarding of the issue, as a user could potentially run into the same issue if he/she didn't use a specific computer for 42+ (or whatever the expiration policy is) days. Vacations come to mind.

Hope this helps somebody else :)
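The three-part fix above (report which local accounts Windows has already expired, scramble their passwords, and stop the local expiry from recurring), as an added PowerShell example that is not pGina's own code or the poster's script. It assumes an elevated shell on Windows 10 with the LocalAccounts module, and that the accounts to touch carry the description "pGina created" that the LocalMachine plugin wrote in the log above; the `-ReportOnly` switch and the description filter are my own conventions.

```powershell
# Added example, not from the pGina project. Run elevated on the affected machine.
# Selects the local accounts pGina's LocalMachine plugin created (assumed to carry
# the description "pGina created", as seen in the ServiceHost log), shows which ones
# Windows has already expired, then scrambles them so the next LDAP logon can reset
# them, and marks them as never expiring locally so STATUS_PASSWORD_EXPIRED does not recur.
#Requires -RunAsAdministrator
param(
    [string]$DescriptionMatch = 'pGina created',  # assumed filter, adjust to your setup
    [switch]$ReportOnly                            # assumed switch: list, change nothing
)

function New-RandomPassword {
    param([int]$ByteLength = 32)
    # Cryptographically random bytes; the value is throwaway because pGina overwrites
    # the local password on the next successful LDAP authentication (step 2 above).
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

$now   = Get-Date
$users = Get-LocalUser | Where-Object { $_.Enabled -and $_.Description -eq $DescriptionMatch }

# Step 0: report. PasswordExpires is $null when the account never expires locally.
foreach ($u in $users) {
    $expired = ($null -ne $u.PasswordExpires) -and ($u.PasswordExpires -lt $now)
    '{0,-20} lastSet={1:u} expires={2} expired={3}' -f $u.Name, $u.PasswordLastSet, $u.PasswordExpires, $expired
}
if ($ReportOnly) { return }

# Step 2 + 3 per account: scramble (what "net user <name> <random>" did by hand) and
# clear the local expiry so a user back from vacation is not blocked again.
foreach ($u in $users) {
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-LocalUser -Name $u.Name -Password $secure -PasswordNeverExpires $true
    Write-Host "Scrambled local password for $($u.Name); local expiry disabled"
}

# Machine-wide alternative to step 3 (the "0 / 999" policy the post describes):
#   net accounts /maxpwage:unlimited
```

Schedule it with `-ReportOnly` first to confirm only pGina-created accounts match, then run it for real; step 1 (the plugin's own "Scramble password after logout") still covers the logoff path.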