"User account expired" error on LDAP user authentication failure

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk143672
Technical Level
Product	Identity Awareness, Capsule Connect, Capsule VPN, Capsule Workspace, Endpoint Security Client, Endpoint Security VPN, Mobile Access / SSL VPN, SSL Network Extender, SecuRemote
Version	R80.10 (EOL), R80.20
OS	Gaia
Platform / Model	All
Date Created	31-Dec-2018
Last Modified	18-Nov-2020

Symptoms

LDAP user fails to authenticate for RA VPN, receiving the "User account expired" error, although the user account has not expired.
When connecting with the user, the error message might show "User is expired" although neither the user nor the certificate are about to expire.

The vpnd.elg file shows:

[vpnd PID ...]@Host[DATE TIME][CPLDAPSDK] ldap_get_values
[vpnd PID ...]@Host[DATE TIME][CPLDAPCL] Creating Fw Attribute expiration_date From Ldap Attribute accountExpires
[vpnd PID ...]@Host[DATE TIME][CPLDAPCL] The date string to check: 0
[vpnd PID ...]@Host[DATE TIME][CPLDAPCL] Attribute check failed
[vpnd PID ...]@Host[DATE TIME][CPLDAPCL] Check Method Failed For Fw Attribute expiration_date

Cause

There are two different values that mean "Account never expires" on Microsoft Active Directory.

1. 0x7FFFFFFFFFFFFFFF (9223372036854775807)
2. 0

If the Gateway receives the second value, it will be ignored and the value from the user template on SmartConsole will be taken. If the expiration date on the template has passed, the user will get the error.

Solution

Note: To view this solution you need to Sign In .