PAM/SSSD -- password change prompt not displayed

sruckh at gemneye.org
Fri Aug 17 22:27:18 UTC 2018


I have a PAM/SSSD configuration authenticating against Active Directory 
(using pam_sss.so) on Red Hat Enterprise Linux 7.x. The [auth] section 
is configured like below:

auth sufficient pam_sss.so forward_pass

In active directory the user is flagged to force password change at next 
login.

When this particular user logs in the following is logged (sssd logs; 
debug_level=6):

(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [12 (Authentication token is no longer valid; new one required)][AD]
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [12]: Authentication token is no longer valid; new one required.
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Fri Aug 17 14:02:06 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 19

In /var/log/secure the following items can be found

Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=someuser
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): received for user someuser: 12 (Authentication token is no longer valid; new one required)

The issue is that the user is never prompted to change the password, but 
rather a valid shell is opened and the user is logged in. The expectation 
is that the user would instead be prompted to change the password.

If the user runs 'passwd' from the command line after being logged in, 
the password is successfully changed, and the flag to force password 
change is removed from Active Directory.

If pam_sss fails, which I assume it does based on the message 
"authentication failure", why is the user never prompted to change 
password?

Thank You.
Scott
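Added example (not part of Scott's post): a small detector, written for this page, that scans /var/log/secure-style lines for exactly the pattern described above, an sshd process for which pam_sss reported result 12 (PAM_NEW_AUTHTOK_REQD, "Authentication token is no longer valid") and which then opened a session for the same user anyway. The log sample is constructed for the example: the two pam_sss lines are copied from the post, the "session opened" lines and the second user are made up, and the regexes assume the standard RHEL 7 pam_sss/pam_unix syslog wording.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of /var/log/secure lines. The two pam_sss lines are the
# ones quoted in the post; the pam_unix session lines and "otheruser" are
# invented so the example has both a bad and a good login to compare.
SAMPLE_SECURE_LOG = """\
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=someuser
Aug 16 14:02:16 hostname sshd[48860]: pam_sss(sshd:auth): received for user someuser: 12 (Authentication token is no longer valid; new one required)
Aug 16 14:02:16 hostname sshd[48860]: pam_unix(sshd:session): session opened for user someuser by (uid=0)
Aug 16 14:05:01 hostname sshd[48901]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.5 user=otheruser
Aug 16 14:05:01 hostname sshd[48901]: pam_unix(sshd:session): session opened for user otheruser by (uid=0)
"""

# The sshd PID ties the auth-phase message to the later session-phase message.
RE_PID = re.compile(r"\bsshd\[(\d+)\]:")
# pam_sss logs the numeric PAM result it got from the sssd responder;
# 12 is PAM_NEW_AUTHTOK_REQD in Linux-PAM.
RE_TOKEN_EXPIRED = re.compile(
    r"pam_sss\(sshd:auth\): received for user (\S+): 12 \(")
RE_SESSION_OPENED = re.compile(
    r"pam_unix\(sshd:session\): session opened for user (\S+)")


def find_expired_token_logins(log_text: str) -> List[Tuple[str, str]]:
    """Return (sshd_pid, user) pairs where pam_sss reported result 12 for the
    user and the same sshd process still opened a session for that user,
    i.e. the forced password change never happened before login."""
    pending: Dict[str, str] = {}   # sshd pid -> user flagged with result 12
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        pid_match = RE_PID.search(line)
        if not pid_match:
            continue
        pid = pid_match.group(1)
        expired = RE_TOKEN_EXPIRED.search(line)
        if expired:
            pending[pid] = expired.group(1)
            continue
        session = RE_SESSION_OPENED.search(line)
        if session and pending.get(pid) == session.group(1):
            findings.append((pid, session.group(1)))
            del pending[pid]   # report each sshd process once
    return findings


if __name__ == "__main__":
    for pid, user in find_expired_token_logins(SAMPLE_SECURE_LOG):
        print(f"sshd[{pid}]: {user} logged in after PAM result 12 "
              f"(password expired) without being prompted to change it")
```

Run against the real file with `find_expired_token_logins(open("/var/log/secure").read())`; on the sample it reports only sshd[48860]/someuser, since otheruser authenticated normally. Correlating on the sshd PID matters: a result-12 line for one connection and a session line for an unrelated connection of the same user must not be paired.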



