We have the following case:
User accounts in MS-AD are expiring by a policy. When the password is
expired the AD-user is unable to logon. The user is not redirected to
the SSPR-portal (we configured NAM password expiration servlet) and a
password is expired message exists on the logon page.

MS-AD calculate if a password is expired (password expiration date) with
the attribute pwdlastset and password policy maximum password age.

Strange thing is when I set the option user must change password at
next logon (attribute pwdlastset is then 0, so password is expired) the
AD-user is correctly redirected to the SSPR-portal.
Only when the password is expired by the policy the user is not
redirected to the SSPR-portal and a password is expired message exists
on the logon page.

Can anyone explain this?

I read the documentation:
Redirection to Password Management Servlet Protected by Access Gateway
When Password Expires:
When an Active Directory user with an expired password logs in to an
authentication contract with a Password Expiration servlet configured,
the user is redirected to the password management URI. If the Password
Management portal is protected by Access Manager, the user is prompted
again for authentication and is not permitted to login as the user
password has expired.

I configured the desired steps but then a user can logon with an expired
password but is not redirected to the SSPR-portal. So thats not a
desired solution.

gschouten32's Profile: https://forums.netiq.com/member.php?userid=2546
View this thread: https://forums.netiq.com/showthread.php?t=57263