
Symptoms

Consider the following scenario:

  • An administrator has forms-based authentication (FBA) set up in Microsoft Forefront Threat Management Gateway (TMG) 2010.

  • The distinguished name (DN) attribute for the user contains both a forward slash (/) and one of the special characters that Active Directory escapes in Lightweight Directory Access Protocol (LDAP) names (listed in the "More Information" section).

  • The user tries to change his or her password.



In this scenario, the password change is unsuccessful, and the user receives the following generic error message:

Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.

Additionally, tracing in TMG 2010 may indicate that ADsOpenObject failed with 0x80005000 (E_ADS_BAD_PATHNAME) or 0x80072032 (ERROR_DS_INVALID_DN_SYNTAX) because the special character in the LDAP request is escaped.

Cause

This problem occurs for any Active Directory user account for which the DN attribute contains an Active Directory special character and a forward slash character. 

Resolution

To resolve this problem, install Rollup 4 for Forefront Threat Management Gateway 2010 Service Pack 2.

After you apply this update, you can configure Threat Management Gateway to use the objectGUID attribute instead of the distinguishedName attribute in the Active Directory LDAP path, which resolves the issue that is described in this article. To enable this functionality, follow these steps:

  1. Copy and paste the following script into Notepad, and then save it by using the "EnableKB2888619.vbs" file name:

    Set curArray = CreateObject("FPC.Root").GetContainingArray()
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
    Const SE_VPS_NAME = "UseObjectGUIDInLDAPADsPath"
    Const SE_VPS_VALUE = 1

    Sub SetValue()

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object

        ' Obtain references to the array object
        ' and its vendor parameters sets collection.
        Set array = curArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' The vendor parameters set does not exist yet; add it.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

            If Err.Number <> 0 Then
                CheckError
            Else
                ' Save the change to the array configuration;
                ' it is propagated when the configuration synchronizes.
                VendorSets.Save false, true
                CheckError

                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    Sub CheckError()

        ' Report the last error (hex code and description) and clear it.
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue


  2. Run the script on one of the Threat Management Gateway array members. The script change will take effect when the Threat Management Gateway configuration synchronizes. No Firewall service restart is necessary for the change to take effect.

  3. To revert the change and return to the original behavior, locate the following line in the script:

    Const SE_VPS_VALUE = 1

  4. Change that line as follows:

    Const SE_VPS_VALUE = 0

  5. Save the script, and then run the script on one of the array members.


Workaround

To work around this problem, remove the forward slash or the Active Directory special character from the DN attribute of the user.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Escaped special characters in Active Directory attributes are as follows:

  • Comma (,)

  • Backslash (\)

  • Number sign (#)

  • Plus sign (+)

  • Less than sign (<)

  • Greater than sign (>)

  • Semicolon (;)

  • Quotation mark (")

  • Equal sign (=)

  • Leading or trailing spaces


Example of user account attributes:

sAMAccountName: JeffSmith
displayName: Smith, Jeff / TMG
distinguishedName: CN=Smith\, Jeff / TMG,OU=Support,DC=Fabrikam,DC=com

Notes

  • The backslash escape character (\) is automatically added to the DN.

  • The distinguishedName attribute for this user account contains both the Active Directory special character comma (,) and the forward slash (/).
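As an added illustration (not part of the original article or of TMG), the following Python script applies the escaping rules listed above to build a distinguishedName like the Fabrikam example, flags accounts whose DN carries the combination this article describes (an escaped special character together with a forward slash), and builds the objectGUID-based ADsPath form that the UseObjectGUIDInLDAPADsPath setting switches to. The `LDAP://<GUID=...>` binding syntax is assumed here, and the sample accounts and GUIDs are constructed, not taken from the article.

```python
import re
from uuid import UUID

# Characters Active Directory escapes with a backslash in an RDN value (the
# list in "More Information"; RFC 4514 strictly requires '#' only when leading).
RDN_SPECIAL = set(',\\#+<>;"=')
# A backslash followed by one of those characters or by an escaped space.
ESCAPED_SPECIAL = re.compile(r'\\[,\\#+<>;"= ]')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value the way AD stores it in the DN."""
    last = len(value) - 1
    return "".join(
        "\\" + ch if ch in RDN_SPECIAL or (ch == " " and i in (0, last)) else ch
        for i, ch in enumerate(value)
    )


def build_dn(cn: str, container: str) -> str:
    """distinguishedName of a CN placed under the given container."""
    return f"CN={escape_rdn_value(cn)},{container}"


def is_affected(dn: str) -> bool:
    """True when the DN holds both an escaped special character and a forward
    slash: the combination the article says breaks the FBA password change."""
    return "/" in dn and ESCAPED_SPECIAL.search(dn) is not None


def guid_adspath(object_guid: str) -> str:
    """ADsPath that binds by objectGUID instead of by DN (assumed format:
    LDAP://<GUID=hex of the 16 bytes as stored in objectGUID>)."""
    return f"LDAP://<GUID={UUID(object_guid).bytes_le.hex()}>"


# Constructed sample accounts (sAMAccountName, CN, objectGUID), not real data.
CONTAINER = "OU=Support,DC=Fabrikam,DC=com"
SAMPLE_ACCOUNTS = [
    ("JeffSmith", "Smith, Jeff / TMG", "12345678-1234-5678-9abc-def012345678"),
    ("AnnJones", "Jones, Ann", "0f0e0d0c-0b0a-0908-0706-050403020100"),
    ("BobLee", "Lee Bob / TMG", "00112233-4455-6677-8899-aabbccddeeff"),
]


def affected_accounts(accounts=SAMPLE_ACCOUNTS) -> list:
    """sAMAccountNames whose DN would trigger the problem before the rollup."""
    return [sam for sam, cn, _ in accounts if is_affected(build_dn(cn, CONTAINER))]
```

Only JeffSmith is reported: AnnJones has the escaped comma but no slash, and BobLee has the slash but no escaped special character.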


