Cryptzone Support


This article applies to AppGate (classic).
The feature, and how to configure it, is explained here:

Note: this feature is about password expiration, not "account" expiration. The expiration date of a password is set at the domain level, not on the user object; it is a calculated value. For more details please read here:

In Active Directory, the maximum age for a password must be defined. A simple domain example:


In this example the maximum password age is 1 day. Whether a user's password has expired has to be calculated. In theory this is done as follows:

The password expiration date is not an attribute on the user object. It is a calculated value based on the sum of pwdLastSet for the user and maxPwdAge of the user's domain. To get the password expiration date, get the IADsUser.PasswordExpirationDate property. You cannot modify this attribute for a user; instead, set the IADsDomain.MaxPasswordAge property to change the setting for the domain.

How AppGate calculates when to warn

AppGate calculates whether the password is within the warning period using the following approach:

Note: the following timestamps are UNIX timestamps, as they are used in AppGate.

  warnDays = "number of days to warn before password expires"
       now = 1418122792 # Tue, 09 Dec 2014 10:59:52 GMT
 maxPwdAge = 86400      # value from the domain object (1 day, in seconds)
pwdLastSet = 1418046954 # Mon, 08 Dec 2014 13:55:54; value from the user object
# 86400 * warnDays is the warning window in seconds
if now > ((pwdLastSet + maxPwdAge) - 86400 * warnDays) then warn()
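
The calculation above as a runnable sketch, added here as an example (it is not AppGate's code). It also converts the raw Active Directory values (pwdLastSet as a FILETIME, maxPwdAge as a negative count of 100 ns ticks) into the UNIX seconds used in this article; the function names, the state labels and warn_days = 1 are assumptions.

```python
# Added example, not AppGate code: the warning rule from the article,
# fed from raw Active Directory attribute values.
FILETIME_EPOCH_OFFSET = 11644473600   # seconds between 1601-01-01 and 1970-01-01
TICKS_PER_SECOND = 10_000_000         # AD large integers count 100 ns ticks
DONT_EXPIRE_PASSWORD = 0x10000        # userAccountControl bit
DAY = 86400

def filetime_to_unix(ft):
    """pwdLastSet is stored as 100 ns ticks since 1601-01-01 UTC."""
    return ft // TICKS_PER_SECOND - FILETIME_EPOCH_OFFSET

def max_pwd_age_seconds(raw):
    """maxPwdAge is a negative tick count; 0 or INT64_MIN means 'never expires'."""
    if raw == 0 or raw == -2**63:
        return None
    return -raw // TICKS_PER_SECOND

def expiry_state(now, pwd_last_set, max_pwd_age, warn_days, uac=0x200):
    """Return (state, seconds_left); state is never / expired / warn / ok.
    All time inputs are UNIX seconds, as in the article's calculation."""
    if max_pwd_age is None or uac & DONT_EXPIRE_PASSWORD:
        return ("never", None)
    expires = pwd_last_set + max_pwd_age
    left = expires - now
    if left <= 0:
        return ("expired", 0)
    # Same comparison as the article: now > (pwdLastSet + maxPwdAge) - 86400 * warnDays
    if now > expires - DAY * warn_days:
        return ("warn", left)
    return ("ok", left)

if __name__ == "__main__":
    # Raw values constructed to match the article's numbers.
    raw_pwd_last_set = 130625205540000000   # FILETIME for 1418046954
    raw_max_pwd_age = -864000000000         # 1 day
    now = 1418122792                        # "now" from the article
    state = expiry_state(now,
                         filetime_to_unix(raw_pwd_last_set),
                         max_pwd_age_seconds(raw_max_pwd_age),
                         warn_days=1)       # assumed setting
    print(state)
```
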

Configuration in AppGate Console

When a user logs in and the AppGate server is configured to warn users x days before the password expires, a message like the following is shown:




Set ag_userd to debug 4. The logs will show the following lines if a warning should be shown (the values match the calculation above):

ag_userd get_ad_pass_flags(): maxPwdAge = 86400, pwdLastSet = 1418046954, time() - pwdLastSet = 73782, userAccountControl = 0x200, flags = CAN_EXPIRE WARN_EXPIRE CAN_CHANGE , 0 seconds
Article Info
3/13/2015 8:43 AM
1/10/2017 5:12 PM


