FIX: Users in remote forests cannot change their passwords through ISA Server 2006 or Forefront Threat Management Gateway 2010

Article ID: 2618727

SYMPTOMS

Note These issues also apply to Microsoft Forefront Threat Management Gateway 2010.

Issue 1:

Consider the following scenario:
  • You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.
  • You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.
  • The listener is configured to let users change their passwords.
  • You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains
  • The account for the user who tries to log on is located in a domain in a remote trusted forest.
In this scenario, users cannot log on if their password has expired or if the account is set to User must change password at next logon. Error 1907 (ERROR_PASSWORD_MUST_CHANGE) is logged in the web proxy log.
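As an added triage example (not part of this Knowledge Base article), the following Python script scans constructed web-proxy-style log lines for result code 1907 and groups the hits by the account's NetBIOS domain, so that accounts from a remote trusted forest stand out from local-forest accounts. The field layout is a simplified W3C-style assumption rather than the exact ISA Server log schema, and the domain and user names are constructed.

```python
# Added example, not from the KB article: triage constructed ISA web-proxy-style log
# lines for the Issue 1 symptom (result code 1907, ERROR_PASSWORD_MUST_CHANGE) and
# group the hits by account domain. The "#Fields:" layout below is a simplified
# W3C-style assumption, not the exact ISA Server / TMG web proxy log schema.
from collections import defaultdict

ERROR_PASSWORD_MUST_CHANGE = 1907

# Constructed sample data. CORP is the local forest; PARTNER is a remote trusted forest.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username sc-status cs-uri
2011-09-15 08:01:12 10.0.0.5 CORP\\alice 200 /owa/
2011-09-15 08:02:40 10.0.0.6 PARTNER\\bob 1907 /owa/
2011-09-15 08:03:01 10.0.0.7 PARTNER\\carol 1907 /owa/
2011-09-15 08:03:30 10.0.0.8 CORP\\dave 1907 /owa/
2011-09-15 08:04:02 10.0.0.9 bob@partner.example 200 /owa/
"""

def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header.
    Comment lines, lines before the header and malformed lines are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))

def password_must_change_by_domain(text, local_domains):
    """Count 1907 results per NetBIOS domain (DOMAIN\\user form) and flag domains
    outside the local forest. UPN-style names carry no NetBIOS domain and are skipped.
    Returns {domain: {"count": n, "remote_forest": bool}}."""
    hits = defaultdict(int)
    for rec in parse_log(text):
        if rec.get("sc-status") != str(ERROR_PASSWORD_MUST_CHANGE):
            continue
        user = rec["cs-username"]
        if "\\" not in user:
            continue
        hits[user.split("\\", 1)[0].upper()] += 1
    local = {d.upper() for d in local_domains}
    return {d: {"count": n, "remote_forest": d not in local} for d, n in hits.items()}

if __name__ == "__main__":
    for dom, info in sorted(password_must_change_by_domain(SAMPLE_LOG, ["CORP"]).items()):
        print(dom, info)
```

A cluster of 1907 results confined to remote-forest domains matches the Issue 1 symptom; hits in the local forest are ordinary expired-password logons that the change-password page already handles.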

Issue 2:

Consider the following scenario:
  • You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.
  • You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.
  • The listener is configured to let users change passwords.
  • You have a web publishing rule that uses this listener to publish a website.
  • You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains
  • The connection that ISA Server 2006 opened to the global catalog server was unexpectedly closed, for example, by a firewall between the two servers.
  • The user who is logging on has specified the user name in an NT4/SAM-based naming format.
  • The new password that is specified by the user meets complexity requirements.
In this scenario, users from all domains cannot change their passwords. When they try to change a password, they receive the following error message:
Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.
If the user specifies a user name that uses a UPN format, the user can change the password. If the ISA Server 2006 Firewall Service is restarted, users might also be able to change a password until the connection to the global catalog server is broken again.

CAUSE

Issue 1:

This issue occurs because ISA Server 2006 does not check the account status for accounts in remote forests, so the user is not redirected to the password change page. Instead, ISA Server 2006 tries to log on the user with the credentials that the user provided. Because the password is no longer valid, the attempt fails, and error 1907 (ERROR_PASSWORD_MUST_CHANGE) is returned.

Issue 2:

This issue occurs because the handle that is used to send messages to the global catalog server is reused after the underlying connection has been closed. When the reused handle fails, ISA Server 2006 cannot check the user account status.

RESOLUTION

Microsoft Internet Security and Acceleration (ISA) 2006

To resolve this problem, install the ISA Server 2006 hotfix rollup package that is described in the following Microsoft Knowledge Base article:
2616326 Description of the ISA Server 2006 hotfix package: September 2011

Microsoft Forefront Threat Management Gateway 2010

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2555840 Microsoft Forefront Threat Management Gateway 2010 Service Pack 2

How to enable this fix

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

To enable this fix for ISA Server 2006 or for Forefront Threat Management Gateway 2010, run the EnableMultipleFlatUserName.vbs script to enable the functionality that is provided by this fix. To do this, follow these steps:
  1. Click Start, click Run, type notepad, and then click OK.
  2. Copy the following script into a Notepad file, and then save the text file as a Microsoft Visual Basic file by using the .vbs file name extension.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableMultipleFlatUserName"
    Const SE_VPS_VALUE = True
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        ' Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' The vendor parameters set does not exist yet; add it.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        ' Only write and save when the stored value differs from the desired one.
        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save False, True
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        ' Report and clear any pending COM error.
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
    
  3. Save the file to a temporary folder. For example, save the file as EnableMultipleFlatUserName.vbs to the C:\EnableMultipleFlatUserName folder.
  4. At a command prompt, go to the location in which you saved the .vbs file in step 3, and then run the .vbs file. For example, run the following commands:
    cd C:\EnableMultipleFlatUserName
    cscript EnableMultipleFlatUserName.vbs
Note You must restart the ISA Server-related services or the Forefront Threat Management Gateway server-related services after you enable this fix.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2618727 - Last Review: January 20, 2012 - Revision: 3.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1, when used with:
    • Microsoft Forefront Threat Management Gateway 2010 Enterprise
    • Microsoft Forefront Threat Management Gateway 2010 Standard
Keywords: kbqfe kbHotfixServer kbfix kbhotfixrollup kbpasswords kbexpertiseadvanced KB2618727
