Upgrade your Internet Experience

Article ID: 957859 - Last Review: August 31, 2009 - Revision: 2.0

The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1

View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

After you apply Microsoft Internet Security and Acceleration (ISA) Server Service Pack 1 (SP1), you may notice that the "change password" feature does not work as expected.

For example, in Active Directory settings, you enable the "User must change password at next logon" setting for a certain user account. However, when the user tries to log on by using forms-based authentication (FBA) when the "change password" feature is enabled in ISA Server, the user is not automatically redirected to the form that is used to change the password.
Back to the top

CAUSE

This problem occurs when FBA is used together with Lightweight Directory Access Protocol (LDAP). In ISA Server 2006 SP1, the default behavior was changed when you use FBA together with LDAP. This change was made to help guard against authentication attacks.

For more information, visit the "Changes in Service Pack 1" section of the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc514301.aspx (http://technet.microsoft.com/en-us/library/cc514301.aspx)
Back to the top

RESOLUTION

To resolve this problem, follow these steps:
  1. Install the hotfix package that is described in the following Microsoft Knowledge Base article:
    959357  (http://support.microsoft.com/kb/959357/ ) Description of the ISA Server 2006 hotfix package: October 29, 2008
  2. Start Notepad.
  3. Paste the following script into the Notepad file.
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

'    This code is Copyright (c) 2007 Microsoft Corporation.  
'
'    All rights reserved.
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
'    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

If Not WScript.Arguments.Named.Exists("WebListener") Then
    WScript.Echo "WebListener not defined"
    WScript.Quit(1)
End If

Set fpcRoot = CreateObject("FPC.Root")
Set fpcArray = fpcRoot.GetContainingArray()
Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
Set fpcWebListenerVps = fpcWebListener.VendorParametersSets

On Error Resume Next
Set fpcCookieAuthVps = fpcWebListenerVps.Item("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
If Err.number = 0 Then
    CookieAuthVpsExists = True
Else
    CookieAuthVpsExists = False
End If
Err.Clear
On Error GoTo 0

If Not CookieAuthVpsExists Then
    WScript.Echo "Cookie auth VPS settings not defined, hotfix 957859 disabled"
Else
    On Error Resume Next
    WScript.Echo "EnableLDAPPasswordExpiration: " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)
End If

If WScript.Arguments.Named.Exists("Value") Then
    If Not CookieAuthVpsExists Then
        Set fpcCookieAuthVps = fpcWebListenerVps.Add("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
    End If
    fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
    fpcArray.Save
    WScript.Echo "EnableLDAPPasswordExpiration set to " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)
End If
  4. Save this Notepad file by using the .vbs file name extension. For example, use the following name to save this file:
    EnableHotfix957859.vbs
  5. Open a command prompt, move to the location where you saved the EnableHotfix957859.vbs file, and then type the following command:
    Cscript EnableHotfix957859.vbs /webListener:<listener name> /Value:true
    Note In this command, replace <listener name> with the actual name of the Web listener.
Important: If you want to remove hotfix 959357, follow these steps:
  1. Start Notepad.
  2. Paste the following script into the Notepad file.
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

'    This code is Copyright (c) 2007 Microsoft Corporation.  
'
'    All rights reserved.
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
'    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

If Not WScript.Arguments.Named.Exists("WebListener") Then
    WScript.Echo "WebListener not defined"
    WScript.Quit(1)
End If

Set fpcRoot = CreateObject("FPC.Root")
Set fpcArray = fpcRoot.GetContainingArray()
Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
Set fpcWebListenerVps = fpcWebListener.VendorParametersSets

On Error Resume Next
Set fpcCookieAuthVps = fpcWebListenerVps.Item("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
If Err.number = 0 Then
    CookieAuthVpsExists = True
Else
    CookieAuthVpsExists = False
End If
Err.Clear
On Error GoTo 0

If Not CookieAuthVpsExists Then
    WScript.Echo "Cookie auth VPS settings not defined, hotfix 957859 disabled"
Else
    On Error Resume Next
    WScript.Echo "EnableLDAPPasswordExpiration: " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)
End If

If WScript.Arguments.Named.Exists("Value") Then
    If Not CookieAuthVpsExists Then
        Set fpcCookieAuthVps = fpcWebListenerVps.Add("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
    End If
    fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
    fpcArray.Save
    WScript.Echo "EnableLDAPPasswordExpiration set to " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)
End If
  3. Save this Notepad file by using the .vbs file name extension. For example, use the following name to save this file:
    DisableHotfix957859.vbs
  4. Open a command prompt, move to the location where you saved the DisableHotfix957859.vbs file, and then type the following command:
    Cscript DisableHotfix957859.vbs /webListener:<listener name> /Value:false
    Note In this command, replace <listener name> with the actual name of the Web listener.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684  (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates
Back to the top
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Back to the top
Keywords: 
kbexpertiseinter kbfix kbsurveynew kbqfe KB957859
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations