Can WinSCP check for password expiry using fine-grained password policy?

Advertisement

zhaodn
Joined:
Posts:
4

Can WinSCP check for password expiry using fine-grained password policy?

We encountered a incident where user could not be authenticated via WinSCP due to password expiry of 90 days in default domain policy, although password expiry was set to 365 days in fine-grained password policy.
Please advise if WinSCP can check for password expiry using fine-grained password policy.
Thanks in advance.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
28,287
Location:
Prague, Czechia

Re: Can WinSCP check for password expiry using fine-grained password policy?

zhaodn wrote:

Please advise if WinSCP can check for password expiry using fine-grained password policy.
No idea what that is. Can you share some reference? And a verbose session log file?

Reply with quote

zhaodn
Joined:
Posts:
4

Re: Can WinSCP check for password expiry using fine-grained password policy?

Hi Martin,

Below are some references I found for fine-grained password policy.

Basically there are 2 ways to set password expiry, GPO-based or fine-grained policies:
https://blogs.manageengine.com/corporate/general/2017/01/13/microsoft-password-policies-gpo-based-vs-fine-grained-policies.html

The way to set password expiry using fine-grained policies:
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/

Fine-grained password policies works but it seems not all applications can derive the fine-grained password expiry from the resultant set of policy, e.g. Windows "net user" command still shows the GPO-based expiry.
https://social.technet.microsoft.com/Forums/ie/en-US/5a2dd69c-40ad-4065-88ed-1b0a7bdf4414/fine-grain-policy-no-expiration-password-policy-question?forum=winserverGP

So we would like to confirm if WinSCP also derive the password expiry from GPO, if not what is the setting to let WinSCP check for password expiry using fine-grained password policy.

Hope my explanation of the problem is clear. Thanks.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
28,287
Location:
Prague, Czechia

Re: Can WinSCP check for password expiry using fine-grained password policy?

Thanks for the links. Can you post the log file too?

Reply with quote

zhaodn
Joined:
Posts:
4

Re: Can WinSCP check for password expiry using fine-grained password policy?

Sorry Martin, I only have a screenshot of the error encountered. We are using public key but WinSCP still checks for password expiry of the account, which is another thing that puzzled us at that time. Issue resolved after we reset password for the account.

Hope you can explain how authentication works for WinSCP, does it check password expiry even if we are using public key and does it checks only GPO based password expiry?[/img]
  • password expired.jpg (106.93 KB, Private file)

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
28,287
Location:
Prague, Czechia

Re: Can WinSCP check for password expiry using fine-grained password policy?

WinSCP does not check any password expiry at all! That error message comes from your server.

You haven't told us even what protocol are you using, so I'm even not sure what authentication are you referring to.

Also that message looks like it comes from an SSH server, so it actually looks like WinSCP managed to get through a proxy. That's all too confusing.

Please get us a log file!

Reply with quote

zhaodn
Joined:
Posts:
4

Re: Can WinSCP check for password expiry using fine-grained password policy?

Hi Martin,
We are using SFTP protocol to connect to a Tectia SSH Server. Since the message comes from the server, I should probably raise my question to Tectia instead. Thanks for your help!

Reply with quote

Advertisement

You can post new topics in this forum