Duo Auth for Windows & Expired AD Passwords

nacho3 · ‎01-27-2020

When an end-user’s Active Directory password expires, the Duo Auth client for Windows seems to do several odd things. Here’s the scenario:

The user’s password has expired in AD.
Upon login to their computer, the Duo Auth client for Windows prompts them to create a NEW “offline login” method.
Clicking the “Enroll later” option returns the user to the login screen where a message of “Your password has expired and must be changed”.
The user proceeds with the password change, but is given an “Access is denied” message.
If an administrator forcibly resets their password AND the user reboots their computer, things begin to work correctly again.

Could the Duo Auth Client for Windows be made to handle expired AD passwords more gracefully? …or do we have something misconfigured?

Thank you for any help!

Dan.

bjames · ‎01-28-2020

What’s the application?

nacho3 · ‎01-29-2020

Duo Authentication for Windows Logon and RDP

bjames · ‎02-11-2020

Are these users already enrolled?

nacho3 · ‎02-12-2020

Yes. They were enrolled with Duo and using their laptops which had the Windows Auth client installed. They’d forgotten to change their passwords which subsequently expired.

DuoKristina · ‎02-20-2020

@nachowhat version of Duo for Windows do you clients have installed? A bug with password change and Offline Authentication was fixed in version 4.0.6. Consider updating to the latest version, and subscribe to Release Notes to learn about new application versions and other changes to Duo.

Duo, not DUO.