diff --git a/apps/authentication/backends/api.py b/apps/authentication/backends/api.py
index 308c441a2..892ebcc7c 100644
--- a/apps/authentication/backends/api.py
+++ b/apps/authentication/backends/api.py
@@ -8,7 +8,7 @@ from django.core.cache import cache
 from django.utils.translation import ugettext as _
 from six import text_type
 from django.contrib.auth import get_user_model
-from django.contrib.auth.backends import ModelBackend as DJModelBackend
+from django.contrib.auth.backends import ModelBackend
 from rest_framework import HTTP_HEADER_ENCODING
 from rest_framework import authentication, exceptions
 from common.auth import signature
@@ -17,6 +17,9 @@ from common.utils import get_object_or_none, make_signature, http_to_unixtime
 from ..models import AccessKey, PrivateToken
+UserModel = get_user_model()
+
+
 def get_request_date_header(request):
 date = request.META.get('HTTP_DATE', b'')
 if isinstance(date, text_type):
@@ -25,9 +28,16 @@ def get_request_date_header(request):
 return date
-class ModelBackend(DJModelBackend):
+class JMSModelBackend(ModelBackend):
 def user_can_authenticate(self, user):
- return user.is_valid
+ return True
+
+ def get_user(self, user_id):
+ try:
+ user = UserModel._default_manager.get(pk=user_id)
+ except UserModel.DoesNotExist:
+ return None
+ return user if user.is_valid else None
 class AccessKeyAuthentication(authentication.BaseAuthentication):
@@ -203,7 +213,7 @@ class SignatureAuthentication(signature.SignatureAuthentication):
 return None, None
-class SSOAuthentication(ModelBackend):
+class SSOAuthentication(JMSModelBackend):
 """ 什么也不做呀😺 """
@@ -212,7 +222,7 @@ class SSOAuthentication(ModelBackend):
 pass
-class WeComAuthentication(ModelBackend):
+class WeComAuthentication(JMSModelBackend):
 """ 什么也不做呀😺 """
@@ -221,7 +231,7 @@ class WeComAuthentication(ModelBackend):
 pass
-class DingTalkAuthentication(ModelBackend):
+class DingTalkAuthentication(JMSModelBackend):
 """ 什么也不做呀😺 """
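Review bot: `JMSModelBackend.user_can_authenticate` now returns `True` unconditionally (hunk `@@ -25,9 +28,16 @@`), so `authenticate()` on this backend and on every subclass renamed in the later hunks no longer refuses an expired or disabled account; only `get_user` still filters on `user.is_valid`. Each caller of `authenticate()` therefore has to check `is_expired` / `is_active` itself, and the only such check visible in this commit is the one added in apps/authentication/mixins.py. The method should say so, for example `# Deliberately permissive: validity is enforced in get_user() and by callers of authenticate(), which must check user.is_expired / user.is_active.` Login paths that do not pass through that check are outside this diff and worth auditing, ideally with a test that an expired user is refused on each entry point.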
@@ -230,7 +240,7 @@ class DingTalkAuthentication(ModelBackend):
 pass
-class AuthorizationTokenAuthentication(ModelBackend):
+class AuthorizationTokenAuthentication(JMSModelBackend):
 """ 什么也不做呀😺 """
diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index 5eeceb7c3..a05d3926f 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -236,6 +236,11 @@ class AuthMixin:
 ip = self.get_request_ip()
 request = self.request
+ if user.is_expired:
+ self.raise_credential_error(errors.reason_user_expired)
+ elif not user.is_active:
+ self.raise_credential_error(errors.reason_user_inactive)
+ self._set_partial_credential_error(user.username, ip, request)
 self._check_is_local_user(user)
 self._check_is_block(user.username)
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index a4b2fb296..b3c322799 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@@ -120,7 +120,7 @@ LOGIN_CONFIRM_ENABLE = CONFIG.LOGIN_CONFIRM_ENABLE
 OTP_IN_RADIUS = CONFIG.OTP_IN_RADIUS
-AUTH_BACKEND_MODEL = 'authentication.backends.api.ModelBackend'
+AUTH_BACKEND_MODEL = 'authentication.backends.api.JMSModelBackend'
 AUTH_BACKEND_PUBKEY = 'authentication.backends.pubkey.PublicKeyAuthBackend'
 AUTH_BACKEND_LDAP = 'authentication.backends.ldap.LDAPAuthorizationBackend'
 AUTH_BACKEND_OIDC_PASSWORD = 'jms_oidc_rp.backends.OIDCAuthPasswordBackend'
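Review bot: In apps/authentication/mixins.py (hunk `@@ -236,6 +236,11 @@`) the new `is_expired` / `is_active` checks call `self.raise_credential_error(...)` before `self._set_partial_credential_error(user.username, ip, request)` has run. Neither helper's body is in the hunk, but if `raise_credential_error` builds its exception from state that `_set_partial_credential_error` prepares, as the names suggest, an expired or inactive user would get an attribute error, or an error without username and IP context, instead of the intended credential error. Moving the `self._set_partial_credential_error(user.username, ip, request)` line above `if user.is_expired:` removes that dependency on ordering. The enclosing method starts and ends outside the hunk, so the check order against `_check_is_block` could not be reviewed here.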