With the "User must change password at next logon" account option selected in AD on the user account's "Account" tab, the Unix client receives the message "Logon incorrect, please try again" when trying to logon.
This problem will occur with a connection application that doesn't support interactive login prompts. An example of an application that would have this problem is SSH configured to do only password login (not keyboard interactive). This is also a known issue with HPUX's graphical DTLOGIN.
1 - On most unix operating systems, edit the pam.conf an add the acct_mgmt_pw_expire flag to the correct auth service which has pam_vas module in it. For example:
<Service> auth <control-flags> /opt/quest/lib/security/pam_vas.so acct_mgmt_pw_expire
2 - Restart the service
1 - On some operating systems you will need to edit the /etc/pam.d/system-auth or system-auth-ac file
It should look similar to this:
auth <control-flags> /opt/quest/lib/security/pam_vas.so acct_mgmt_pw_expire
From the pam_vas man page:
Due to the fact that a small number of applications incorrectly allow log in when PAM_SUCCESS is returned from pam_authenticate() without making a call to pam_acct_mgmt(), pam_vas handles changing of passwords during the pam_sm_authenticate() call if keyboard interactive authentication is enabled. Traditionally, if an expired password is discovered during the pam_authenticate() function,PAM_SUCCESS is returned and a subsequent call to pam_acct_mgmt() is expected to discover that the password is expired and trigger a call to pam_chauthok() to handle changing the password. Using the acct_mgmt_pw_expire option will force pam_vas to follow this traditional behavior and return SUCCESS from pam_authenticate() when an expired password is discovered. This option should be used to support password change at login if your application does not support keyboard interactive authentication. The HP-UX version of dtlogin is an example of an application that doesn't have correct support for keyboard interactive and requires the use of the acct_mgmt_pw_expire flag to support password change at login.