Duo Auth for Windows & Expired AD Passwords

When an end-user’s Active Directory password expires, the Duo Auth client for Windows seems to do several odd things. Here’s the scenario:

  1. The user’s password has expired in AD.

  2. Upon login to their computer, the Duo Auth client for Windows prompts them to create a NEW “offline login” method.

  3. Clicking the “Enroll later” option returns the user to the login screen, where the message “Your password has expired and must be changed” is displayed.

  4. The user proceeds with the password change, but is given an “Access is denied” message.

  5. If an administrator forcibly resets their password AND the user reboots their computer, things begin to work correctly again.

Could the Duo Auth Client for Windows be made to handle expired AD passwords more gracefully? …or do we have something misconfigured?

Thank you for any help!


What’s the application?

Duo Authentication for Windows Logon and RDP

Are these users already enrolled?

Yes. They were enrolled with Duo and using their laptops which had the Windows Auth client installed. They’d forgotten to change their passwords which subsequently expired.

@nacho what version of Duo for Windows do your clients have installed? A bug with password change and Offline Authentication was fixed in version 4.0.6. Consider updating to the latest version, and subscribe to Release Notes to learn about new application versions and other changes to Duo.
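Since the reply above hinges on whether the affected laptops run a build older than 4.0.6, here is a PowerShell check you can run on a client (or push out with Invoke-Command) to find the installed Duo Authentication for Windows Logon version and flag anything below that release. This is an added example written for this thread, not code from Duo or from any poster here. It reads the standard Windows Uninstall registry keys; the assumption is that the Duo package registers itself there with a DisplayName beginning “Duo Authentication for Windows Logon”, so adjust the pattern if your installs show a different name in Programs and Features.

```powershell
# Added example, not from the thread or from Duo.
# Reports the installed Duo Authentication for Windows Logon version and
# whether it predates 4.0.6, the release the reply above says fixed the
# password-change / Offline Authentication bug.
#
# Assumption: the package appears under the standard Uninstall registry keys
# with a DisplayName matching $NamePattern. Change the pattern if needed.

function Get-DuoLogonVersionStatus {
    param(
        [string]  $NamePattern  = 'Duo Authentication for Windows Logon*',
        [version] $FixedVersion = [version]'4.0.6'
    )

    # Both the 64-bit and the WOW6432Node uninstall hives, so a 32-bit
    # package on a 64-bit OS is not missed.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $packages = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }

    if (-not $packages) {
        return [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            DisplayName    = $null
            DisplayVersion = $null
            Status         = 'NotFound'
        }
    }

    foreach ($pkg in $packages) {
        # DisplayVersion may carry 2 to 4 components (e.g. 4.0.6.123);
        # [version] parses those and compares numerically, not as strings.
        $parsed = $null
        $status = 'UnparseableVersion'
        if ([version]::TryParse($pkg.DisplayVersion, [ref]$parsed)) {
            $status = if ($parsed -lt $FixedVersion) { 'OlderThanFix' } else { 'AtOrAboveFix' }
        }

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            DisplayName    = $pkg.DisplayName
            DisplayVersion = $pkg.DisplayVersion
            Status         = $status
        }
    }
}

# Local run: anything reporting OlderThanFix should be updated before spending
# more time on the expired-password login behaviour; AtOrAboveFix means the
# 4.0.6 fix is already present and a configuration cause is the next thing to rule out.
Get-DuoLogonVersionStatus | Format-Table -AutoSize
```

To sweep a set of laptops from an admin workstation with WinRM enabled, pass the function body as the script block, e.g. `Invoke-Command -ComputerName laptop01,laptop02 -ScriptBlock ${function:Get-DuoLogonVersionStatus} | Format-Table Computer,DisplayVersion,Status`; the `Computer` field tells you which hosts still need the update.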