Bug / design change request - Modern Connect Tunnel Client and expiring password
Let me start by saying I REALLY like the functionality in the SMA 1000 series with the Modern Connect Tunnel client. But I have an issue and have not been able to get anyone to take it seriously. It is a SERIOUS design oversight that could be remedied easily, but nobody seems to understand it.
Scenario: Modern Connect Tunnel client, using always-on operation with the Device VPN and User VPN functions. When the remote PC/laptop powers on, the Device VPN connects with limited network access. It can get Windows patches, antivirus updates, and other machine management. Then, when the user enters their credentials, the Modern Connect Tunnel client switches to User VPN mode, and there is more access to things like file shares, accounting or other restricted systems, etc.
The problem (some background): My users are required to change their passwords every 90 days (and this may be getting lowered to 70 days). 14 days BEFORE the user's password expires, the Modern Connect Tunnel client shows a message that states "Your password will expire in 14 days", and it does this every day until the password is changed or expires.
BUG: Even though the Modern Connect Tunnel client has a valid, working user password, it does not log in. Rather, it displays the warning in a modal dialog that the user cannot respond to until the desktop appears. So the user login, any login scripts, etc. happen using the Device VPN, which (in my case) does not have access to "user" resources like shares, etc. So the user lands at a desktop missing mapped drives, and any pre-login scripts ran as the device rather than the user and likely failed. BUG: the client had the user's password. It was valid. But it does not PROPERLY use that valid password to switch from Device mode to User mode when the user enters their VALID password. BECAUSE OF THE WAY THE PASSWORD EXPIRATION NOTICE IS IMPLEMENTED, THE USER HAS AS MANY AS 14 DAYS OF "FAILED" LOGINS/SESSIONS OUT OF THEIR 90-DAY PASSWORD CYCLE.
EASY FIX: Re-engineer the password expiration notice to first USE the valid password to connect in User mode and THEN display the dialog with the password expiration warning.
I suppose I could dig around and probably disable the password expiration notice, but PLEASE, PLEASE, PLEASE get this relatively easy fix on your list of enhancements. I can only assume that if the engineers think this through, they will understand why you would not want to provide a non-working environment for up to 14 days out of every password cycle. In fairness, I have never raised this as a separate ticket, but I have mentioned it on pretty much every support call ever. Other SMA 1000 / Modern Connect Tunnel client users, PLEASE comment if you would like to see this fix implemented.
Here is the dialog users see when their session is broken due to the behavior of the Connect Tunnel client: