7 Replies Latest reply on Feb 11, 2019 9:19 PM by BenFB

    AD Account Expired

    Procpio Lurker

      Author : jacquiew

      URL : http://docs.vmware.com/en/VMware-Horizon-Client-for-Windows/4.9/horizon-client-windows-user/GUID-427B0E44-2089-426D-84A1-AD0181D997D1.html

      Topic Name : VMware Horizon Client for Windows User Guide

      Publication Name : VMware Horizon Client for Windows User Guide

      Product/Version : VMware Horizon Client for Windows/4.9

      Question :

      Hi, We have users whose AD accounts have already expired in Active Directory. This is not about password expiry. They are trying to log in on Horizon Client, but the only error is "Logon failure: Unknown user name and password". It should be something like "Account has expired". Is this a limitation of Horizon Client or Horizon 7?

        • 1. Re: AD Account Expired
          BenFB Expert

          Horizon supports changing an expired password as long as the account is not locked out.

           

          Do you by chance use an MFA solution through RADIUS? We've seen where that will result in what you are seeing and it's a known limitation.

          • 2. Re: AD Account Expired
            Procpio Lurker

            We don't use MFA. Just AD authentication. Even without MFA is it still a known limitation?

            • 3. Re: AD Account Expired
              BenFB Expert

              Are you getting an error message? My password expired last week and I successfully changed it by connecting to Horizon using my old password and then I was prompted to change it. You should see something similar to this image that I found online.

              image014.gif

              • 4. Re: AD Account Expired
                Procpio Lurker

                We don't have an issue for users whose password has already expired. They can change their passwords similar to the image you shared.

                 

                Our problem is with AD users with expired accounts.

                 

                For an expired account, when they try to log in the error they receive is "Logon failure: Unknown user name and password". The error should be something like "Login failure: Account has expired".

                • 5. Re: AD Account Expired
                  BenFB Expert

                  My understanding is that there is not a way for Horizon to know that. Active Directory treats an expired password the same way as a locked account.

                  • 6. Re: AD Account Expired
                    Procpio Lurker

                    Yes, it's correct. VMware support checked internally and confirmed that the user expiration status for an account will be available in backend logs;
                    however, in the user interface, even though the account is expired, we will be getting the invalid username or password error during the login attempt.

                     

                    It will be raised as a feature request with their product team, which will be considered for an upcoming release.

                    • 7. Re: AD Account Expired
                      BenFB Expert

                      According to our internal AD team this is a Microsoft limitation. When a password is expired it essentially sets the same bit as if the account was locked out, so it's one and the same.
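
Added example, not part of the thread and not VMware or Microsoft code: since the client shows the same generic logon failure whatever the cause, a help desk can read the account's directory attributes to see which state applies. The attribute values, `NOW` and the 90-day maximum password age below are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWD = 0x10000

def filetime_to_dt(ft):
    """Convert 100-ns intervals since 1601-01-01 UTC to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def classify(attrs, now, max_pwd_age_days=None):
    """Return the account states visible in raw AD attributes (LDAP strings or ints)."""
    states = []
    uac = int(attrs.get("userAccountControl", 0))
    if uac & UAC_ACCOUNTDISABLE:
        states.append("disabled")
    expires = int(attrs.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_dt(expires) <= now:
        states.append("account_expired")
    # Non-zero lockoutTime records a lockout; it may have lapsed under the
    # domain's lockout-duration policy, so treat it as a lead, not a verdict.
    if int(attrs.get("lockoutTime", 0)) != 0:
        states.append("lockout_time_set")
    pwd_last_set = int(attrs.get("pwdLastSet", 0))
    if pwd_last_set == 0:
        states.append("password_must_change")
    elif max_pwd_age_days and not uac & UAC_DONT_EXPIRE_PASSWD:
        if filetime_to_dt(pwd_last_set) + timedelta(days=max_pwd_age_days) <= now:
            states.append("password_expired")
    return states

# Constructed sample data (assumptions, not taken from the thread).
NOW = datetime(2019, 2, 11, tzinfo=timezone.utc)
def _ft(y, m, d):
    return str(dt_to_filetime(datetime(y, m, d, tzinfo=timezone.utc)))
EXPIRED_ACCOUNT = {"userAccountControl": "512", "accountExpires": _ft(2019, 1, 31),
                   "lockoutTime": "0", "pwdLastSet": _ft(2019, 1, 15)}
EXPIRED_PASSWORD = {"userAccountControl": "512", "accountExpires": "0",
                    "lockoutTime": "0", "pwdLastSet": _ft(2018, 10, 1)}

if __name__ == "__main__":
    for name, a in (("expired account", EXPIRED_ACCOUNT), ("expired password", EXPIRED_PASSWORD)):
        print(name, "->", classify(a, NOW, max_pwd_age_days=90))
```

The maximum password age is domain policy rather than a per-user attribute, so it is passed in as a parameter.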