Ignition Gateway AD Authentication Fails When 'User Must Change Password at Next Logon' is Enabled

I created a new user in Active Directory with a temporary password and checked the option "User must change password at next logon" during account creation.
When the user tries to log in to the Ignition Gateway (8.1.52) using the temporary password, authentication fails with no meaningful error. The same credentials work fine on a Windows machine (which prompts for a password change), but Ignition simply rejects the login.

What I've Tried:

  • Verified the username and password are correct
  • Confirmed the user account is not disabled
  • Confirmed the AD Identity Provider is configured correctly in Ignition (other users without expired passwords log in fine)

It seems Ignition's AD Identity Provider does not handle the password-must-change challenge. Instead of prompting for a password reset, it treats it as a failed login.

Questions:

  1. Is there a way to handle the password-change challenge within Ignition Gateway?
  2. Is there any configuration in the AD Identity Provider settings to support this flow?
  3. If not natively supported, what is the recommended approach for onboarding new AD users into Ignition?

Any help or workaround is appreciated!

That's expected behavior. Ignition has no way of setting or changing passwords in AD. The users set up this way will need to first log in to a Windows PC before logging into Ignition.

2 Likes
  1. Don't use a password expiration rule. At all.

You must complete onboarding outside Ignition.

It used to be considered best practice, but has not been for many years, after research into the pathological behaviors it inspires in users who struggle to remember new passwords (and the resulting security breaches). Password expiration is now known to be a bad practice.

Your IT should be following modern cyber-security guidelines, like those published by the US-CERT division of the Dept. of Homeland Security, or your government's equivalent.

5 Likes

Ok, thank you for the clarifications.

I had a client company in the last year still enforcing password expiration every 3 months, and I mentioned in a meeting with their cybersecurity team that it is no longer recommended to do that, because of this (I've heard stories of many people just using the season-and-year combo to avoid repeating passwords, so right now it would be Spring2026! and the next one would be Summer2026!, because of the fatigue of constantly changing passwords). They didn't believe me at first, but a few months later I heard they had stopped enforcing password changes, so they must have researched it themselves and dropped that policy.

2 Likes