Symptoms

Consider the following scenario:

  • An administrator has forms-based authentication (FBA) set up in Microsoft Forefront Threat Management Gateway (TMG) 2010.

  • The distinguished name (DN) attribute for a user contains a forward slash (/) and an Active Directory Lightweight Directory Access Protocol (LDAP)-defined special character.

  • The user tries to change his or her password.

In this scenario, the password change is unsuccessful, and the user receives the following generic error message:

Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.

Additionally, tracing in TMG 2010 may indicate that ADsOpenObject failed with 0x80005000 (E_ADS_BAD_PATHNAME) or 0x80072032 (ERROR_DS_INVALID_DN_SYNTAX) because of the escaped special character in the LDAP request.

Cause

This problem occurs for any Active Directory user account for which the DN attribute contains an Active Directory special character and a forward slash character. 

Resolution

To resolve this problem, install Rollup 4 for Forefront Threat Management Gateway 2010 Service Pack 2. After you apply this update, you can configure Threat Management Gateway to use the objectGUID attribute instead of the DistinguishedName attribute in the Active Directory LDAP path to resolve the issue that is described in this article. To enable this functionality, follow these steps:

  1. Copy and paste the following script into Notepad, and then save it by using the "EnableKB2888619.vbs" file name:

    set curArray = CreateObject("FPC.Root").GetContainingArray()
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
    Const SE_VPS_NAME = "UseObjectGUIDInLDAPADsPath"
    Const SE_VPS_VALUE = 1

    Sub SetValue()
        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array      ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet  ' An FPCVendorParametersSet object

        ' Obtain references to the array object
        ' and its vendor parameters sets collection.
        Set array = curArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
        If Err.Number <> 0 Then
            Err.Clear
            ' The vendor parameters set does not exist yet; add it.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    End Sub

    Sub CheckError()
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    End Sub

    SetValue

  2. Run the script on one of the Threat Management Gateway array members. The script change will take effect when the Threat Management Gateway configuration synchronizes. No Firewall service restart is necessary for the change to take effect.

  3. To revert the change and return to the original behavior, locate the following line in the script:

    Const SE_VPS_VALUE = 1

  4. Change that line as follows:

    Const SE_VPS_VALUE = 0

  5. Save the script, and then run the script on one of the array members.

Workaround

To work around this problem, remove the forward slash or the Active Directory special character from the DN attribute of the user.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Escaped special characters in Active Directory attributes are as follows:

  • Comma (,)

  • Backslash (\)

  • Number sign (#)

  • Plus sign (+)

  • Less than sign (<)

  • Greater than sign (>)

  • Semicolon (;)

  • Quotation mark (")

  • Equal sign (=)

  • Leading or trailing spaces

Example of user account attributes:

sAMAccountName: JeffSmith
displayName: Smith, Jeff / TMG
distinguishedName: CN=Smith\, Jeff / TMG,OU=Support,DC=Fabrikam,DC=com

Notes

  • The backslash escape character (\) is automatically added to the DN.

  • The distinguishedName attribute for this user account contains both the Active Directory special character comma (,) and the forward slash (/).
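The following Python script is an added illustration and is not part of this article or of TMG: it parses a DN while honouring backslash escapes, flags accounts whose DN has both an escaped special character and a forward slash (the combination described above, useful for finding affected users before applying the rollup or the workaround), and contrasts the DN-based ADsPath with the objectGUID-based one that the update switches TMG to. It assumes the ADSI conventions that a forward slash inside a DN-based ADsPath is escaped as "\/" and that GUID binding uses the "<GUID=...>" form; the server name and objectGUID value are placeholders.

```python
# Constructed example, not code from the KB article or from TMG.
# Special characters that Active Directory escapes in a DN (see list above).
AD_SPECIAL_CHARS = set(',\\#+<>;"=')


def tokenize_dn(dn):
    """Split a DN into (char, escaped) pairs, honouring backslash escapes."""
    tokens, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            tokens.append((dn[i + 1], True))   # escaped character
            i += 2
        else:
            tokens.append((dn[i], False))
            i += 1
    return tokens


def is_affected_dn(dn):
    """True when the DN contains an escaped AD special character (or an escaped
    leading/trailing space) AND a forward slash: the pattern that fails here."""
    tokens = tokenize_dn(dn)
    has_special = any(esc and (ch in AD_SPECIAL_CHARS or ch == " ")
                      for ch, esc in tokens)
    has_slash = any(ch == "/" for ch, _ in tokens)
    return has_special and has_slash


def adspath_by_dn(server, dn):
    """DN-based ADsPath. Assumption: '/' inside the DN is escaped as '\\/'
    because '/' separates the server from the DN in an ADsPath."""
    escaped = "".join(("\\" + ch) if (esc or ch == "/") else ch
                      for ch, esc in tokenize_dn(dn))
    return f"LDAP://{server}/{escaped}"


def adspath_by_guid(server, object_guid):
    """GUID-based ADsPath (assumed ADSI '<GUID=...>' binding form); the GUID
    contains nothing that needs escaping, so the DN contents no longer matter."""
    return f"LDAP://{server}/<GUID={object_guid}>"


if __name__ == "__main__":
    dn = r"CN=Smith\, Jeff / TMG,OU=Support,DC=Fabrikam,DC=com"  # from the KB example
    guid = "00000000-0000-0000-0000-000000000000"                 # placeholder objectGUID
    print("affected:", is_affected_dn(dn))
    print(adspath_by_dn("dc1.fabrikam.example", dn))
    print(adspath_by_guid("dc1.fabrikam.example", guid))
```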
