
Symptoms

You have Microsoft Forefront Unified Access Gateway (UAG) 2010 configured to enable users to change their passwords and to prompt those users to change their passwords before their passwords expire. If Active Directory integrated authentication is configured on the Forefront UAG authentication repository, an incorrect domain password policy may be used. This problem can result in the following:

  • Too frequent password change prompts

  • Password change prompts not being made when they are necessary

Cause

This problem occurs when Active Directory integrated authentication is configured on an authentication server or repository. In this case, Forefront UAG uses global catalog servers to authenticate users and determine user information such as password expiration.

The global catalog server discovery is not related to the Forefront UAG server domain and is instead based on Site and Forest global catalog placement as determined by round-robin Domain Name System (DNS) ordering.

When Forefront UAG requests the password expiration for a user from a global catalog server, the global catalog server makes this calculation by using the domain password policy from its own domain instead of the password policy from the user's domain. By design, this is the default Windows behavior, and it could result in an incorrect password expiration being returned to Forefront UAG. Whether the returned expiration is incorrect depends on the password policies that are in use and on the domains of the user and of the global catalog server that is being used.
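The following added example (not Microsoft's code and not how Forefront UAG is implemented) shows how the two symptoms arise when the same last-password-set time is evaluated against the wrong domain's maximum password age. It uses the standard Active Directory attributes `pwdLastSet` and `maxPwdAge`; the function names, the 14-day warning window, and the policy values are assumptions, and fine-grained password policies are ignored.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000          # 100-ns ticks in one day
NEVER = -0x8000000000000000              # maxPwdAge meaning "never expires"

def to_filetime(dt):
    """Aware datetime -> 100-ns ticks since 1601-01-01 UTC (pwdLastSet format)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def policy_days(n):
    """maxPwdAge is stored as a NEGATIVE interval in 100-ns ticks."""
    return -n * TICKS_PER_DAY

def expiry(pwd_last_set, max_pwd_age):
    """Expiry time for a password, or None if the policy never expires it."""
    if max_pwd_age in (0, NEVER):
        return None
    ticks = pwd_last_set - max_pwd_age   # subtracting a negative adds the age
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def should_prompt(pwd_last_set, max_pwd_age, now, warn_days):
    """True when the password expires within the warning window."""
    exp = expiry(pwd_last_set, max_pwd_age)
    return exp is not None and exp - now <= timedelta(days=warn_days)

def classify(pwd_last_set, user_policy, gc_policy, now, warn_days=14):
    """Compare the prompt decision under the user's domain policy (correct)
    with the decision under the global catalog's domain policy (observed)."""
    correct = should_prompt(pwd_last_set, user_policy, now, warn_days)
    observed = should_prompt(pwd_last_set, gc_policy, now, warn_days)
    if observed and not correct:
        return "premature prompt"
    if correct and not observed:
        return "missed prompt"
    return "consistent"

if __name__ == "__main__":
    # Constructed sample: password set 40 days ago, two domains in one forest.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    last_set = to_filetime(now - timedelta(days=40))
    for user_d, gc_d in [(90, 42), (42, 90), (90, 90)]:
        result = classify(last_set, policy_days(user_d), policy_days(gc_d), now)
        print(f"user policy {user_d}d, GC policy {gc_d}d -> {result}")
```

Because global catalog selection follows round-robin DNS ordering, the same user can get different results on successive sign-ins, which is why the symptom appears intermittent.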

Resolution

To resolve this problem, install Service Pack 4 for Microsoft Forefront Unified Access Gateway 2010.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

After Service Pack 4 is installed, the global catalog servers will query a domain controller from the users' domain to determine password expiration. This change makes sure that the correct domain password policy is used for the password expiration calculations.

References

See the terminology Microsoft uses to describe software updates.
