diff --git a/management/univention-management-console/src/univention/management/console/pam.py b/management/univention-management-console/src/univention/management/console/pam.py
index 695c03a..ec5316f 100644
--- a/management/univention-management-console/src/univention/management/console/pam.py
+++ b/management/univention-management-console/src/univention/management/console/pam.py
@@ -125,7 +125,8 @@ def authenticate(self, username, password, **answers):
 PAM_PROMPT_ECHO_OFF: password,
 })
 missing = []
- self.start(username, (answers, [], missing))
+ prompts = []
+ self.start(username, (answers, prompts, missing))
 try:
 self.pam.authenticate()
@@ -139,6 +140,9 @@ def authenticate(self, username, password, **answers):
 if missing:
 message = _('Please insert your one time password (OTP).')
 raise AuthenticationInformationMissing(message, missing)
+ if pam_err[1] == PAM_AUTH_ERR: # workaround for broken defer_pwchange in pam_krb5 + AD
+ if any(x.strip(' :') in ('New password',) for x, y in prompts):
+ raise PasswordExpired(self.error_message(PAMError('workaround', PAM_NEW_AUTHTOK_REQD)))
 raise AuthenticationFailed(self.error_message(pam_err))
 def change_password(self, username, old_password, new_password):
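Review bot: The new `PAM_AUTH_ERR` branch in the second hunk turns a failed authentication into `PasswordExpired` solely because a recorded prompt strips to `New password`, and nothing visible here shows that the supplied password had already been accepted when that prompt was issued. If pam_krb5 can ask for a new password before the current one is verified, the response would tell an unauthenticated caller that the account's password has expired; please confirm that ordering and record it next to the check, e.g. `# pam_krb5 asks for 'New password' only after the KDC accepted the current one (confirm)`. The match also depends on the untranslated English prompt text, so a localized or reworded prompt falls through to `AuthenticationFailed`, which fails closed but hides the expiry from the user. Logging each time the workaround fires would let operators tell these cases apart from ordinary failed logins. The `except` clause that binds `pam_err`, the conversation callback that fills `prompts` with the `(x, y)` pairs unpacked here, and the rest of `authenticate` all lie outside the hunk.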