After AD password change, immediate Middle Tier authentication fails

  • 3874098
  • 05-May-2007
  • 30-Apr-2012


Environment

Novell ZENworks 6.5 Desktop Management Support Pack 2 - ZDM6.5 SP2 ZENworks Middle Tier
Novell ZENworks 7 Desktop Management - ZDM7 Middle Tier
Novell ZENworks for Desktops 4.0.1 - ZfD4.0.1
Novell ZENworks Management Agent
Nsure Identity Manager 2.0
Microsoft Active Directory


Situation

User-associated applications and policies do not show in NAL (Novell Application Launcher) and are not applied when you change an expired password at boot-up using clientless login in passive authentication mode.


Resolution

For ZDM6.5 SP2: fixed in ZENworks 6.5 Desktop Management SP2 IR1 or newer, found at

For ZDM7: fixed in ZENworks 7 Desktop Management with SP1, available at

To enable the fix, add the following registry keys to each workstation and set appropriate values for each:


The first value sets how many times the agent retries the passive mode login while IDM is still synchronizing the password; the second sets how many seconds to wait between retries. Choose the two values together: the retry count multiplied by the interval should comfortably exceed the time IDM normally needs to push a password change from Active Directory to eDirectory, because once the retries are exhausted the login fails exactly as before the fix. Values that are much larger than needed only lengthen the login delay when synchronization is slow.

Additional Information

When you use IDM to synchronize passwords from Active Directory to eDirectory and the ZENworks Agent is set to passive mode (log in to AD first), a password that expires and is changed at login is passed by the ZENworks Agent to eDirectory before IDM has had a chance to sync the change from AD. eDirectory still holds the old password, so authentication with the new one fails, and no user-associated applications or policies are delivered.

Formerly known as TID# 10098092 NOVL102557