The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1 or if you use Microsoft Threat Management Gateway 2010

Article translations Article translations
Article ID: 957859 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

After you apply Microsoft Internet Security and Acceleration (ISA) Server Service Pack 1 (SP1) or if you use Microsoft Forefront Threat Management Gateway (TMG) 2010, you may notice that the "change password" feature does not work as expected. 

For example, in Active Directory settings, you enable the "User must change password at next logon" setting for a certain user account. However, when the user tries to log on by using forms-based authentication (FBA) when the "change password" feature is enabled in ISA Server or TMG Server, the user is not automatically redirected to the form that is used to change the password.

CAUSE

This problem occurs when FBA is used together with Lightweight Directory Access Protocol (LDAP). In ISA Server 2006 SP1, the default behavior was changed when you use FBA together with LDAP. This change was made to help guard against authentication attacks.

For more information, visit the "Changes in Service Pack 1" section of the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc514301.aspx

RESOLUTION

To resolve this problem, follow these steps:
  1. Install the hotfix package that is described in the following Microsoft Knowledge Base article:
    959357 Description of the ISA Server 2006 hotfix package: October 29, 2008
    Please note that the first step is not applicable for Microsoft Threat Management Gateway (TMG) Server. The hotfix is included in the product.
  2. Start Notepad.
  3. Paste the following script into the Notepad file.
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    
    '    This code is Copyright (c) 2007 Microsoft Corporation.  
    '
    '    All rights reserved.
    '
    '    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
    '    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
    '    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
    '    PARTICULAR PURPOSE.
    '
    '    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
    '    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
    '    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
    '    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
    '    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
    '    OF THIS CODE OR INFORMATION.
    '
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    
    If Not WScript.Arguments.Named.Exists("WebListener") Then
        WScript.Echo "WebListener not defined"
        WScript.Quit(1)
    End If
    
    Set fpcRoot = CreateObject("FPC.Root")
    Set fpcArray = fpcRoot.GetContainingArray()
    Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
    Set fpcWebListenerVps = fpcWebListener.VendorParametersSets
    
    On Error Resume Next
    Set fpcCookieAuthVps = fpcWebListenerVps.Item("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
    If Err.number = 0 Then
        CookieAuthVpsExists = True
    Else
        CookieAuthVpsExists = False
    End If
    Err.Clear
    On Error GoTo 0
    
    If Not CookieAuthVpsExists Then
        WScript.Echo "Cookie auth VPS settings not defined, hotfix 957859 disabled"
    Else
        On Error Resume Next
        WScript.Echo "EnableLDAPPasswordExpiration: " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)
    End If
    
    If WScript.Arguments.Named.Exists("Value") Then
        If Not CookieAuthVpsExists Then
            Set fpcCookieAuthVps = fpcWebListenerVps.Add("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
        End If
        fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
        fpcArray.Save
        WScript.Echo "EnableLDAPPasswordExpiration set to " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)
    End If 
    
  4. Save this Notepad file by using the .vbs file name extension. For example, use the following name to save this file:
    EnableHotfix957859.vbs
  5. Open a command prompt, move to the location where you saved the EnableHotfix957859.vbs file, and then type the following command:
    Cscript EnableHotfix957859.vbs /webListener:<listener name> /Value:true
    Note In this command, replace <listener name> with the actual name of the Web listener.
Important: If you want to remove hotfix 959357, open a command prompt, browse to the location where you saved the EnableHotfix957859.vbs file, and then type the following command: 

Cscript EnableHotfix957859.vbs /webListener:<listener name> /Value:false

Note In this command, replace <listener name> with the actual name of the Web listener.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 957859 - Last Review: June 2, 2011 - Revision: 4.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
Keywords: 
kbexpertiseinter kbfix kbsurveynew kbqfe KB957859

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com