We have an issue with our Juniper. The regular 'Your password expires in blah blah blah' message is not being pushed down to the user on login to the VPN. Our AD is setup correctly according to the KBA so I don't think that is it. I've read about custom sign-in pages and that's a great help. I plan on making up some custom pages in the future, but frankly I don't have time to mess with it right now. When you log into our VPN, we redirect you to our external company page and don't use the standard login. I altered one of my test realms to point to the standard login page as a test. Both pages don't seem to prompt me for my password reset or to notify me.
So... Simple question. Is there an easy way to get this to work without learning all about custom pages or am I going to have to make time to learn this stuff?
WHat OS version/Model are you running?
On my SA-4000 (6.3R6) its under User Realms>Realm Name>Authentication Policy>Password. You can set the configuration there.
Mine is set at 14 days and it works.
My bad. I forgot to include what I'm working with.
Current version: 6.4R1 (build 14063)
That is where I can set it on mine too. It's set. And as far as I can tell everything is working correctly. Enabled and the AD/NT setup looks correct and the AD side is setup correctly with LDAPS. It is still possible the AD side is incorrect. I have limited access to our AD so I'm taking someone else's word that it's all correct. It's a fight with them so I'd like to rule out everything else first.
When you are on the LAN does the normal AD password notifications work when you login to Windows?
Also, is your account used for LDAP a domain admin? You might want to give it a shot if possible. You never know.
EDIT: I noticed you are using AD/NT auth server. Try setting up an auth server that is just LDAP Server.
Do you have the AD Password Management configured?
User Realms -> <Your Realm> -> Authentication Policy -> Password -> Check the box for Enable Password Management. You'll also want to note that it mentions requiring that your Auth Server config for this AD environment be given an account with admin rights to be able to reset people's passwords for them.
I've been using it like this for years, and all logon issues are relayed through the VPN. Expired Password please reset, Account is disabled, Account is Expired, etc.
All that is checked so it should be working. One of the problems I have (internally) is that I don't have full access to the AD environment as it's controlled through another company. I also was not present when the system was put into place so it's very possible none of the AD side was setup correctly. My boss's answer to a simple question like 'Who should I call to verify all this on the AD side?' is 'Sorry. Can't help.' So I guess next week when everyone is back in the offices, I'll end up just calling the monkeys on the helpdesk. I'm sure a level 1 tech has all the power to confirm a certificate on the AD....
Your account probably doesn't have admin rights on the domain then... you'll most likely need to get them to create you a service account for the Juniper that's got domain admin rights in order for this to work.
I don't think its needs Domain Admin rights, just to be a part of the AD's Builtin/ Account Operators group.
Also, try like I said with an LDAP auth server instance instead of the Active Directory/NT auth server.