Consider the following scenario:

  • You publish a website by using Microsoft Forefront Threat Management Gateway (TMG) 2010.

  • You configure the Web Listener to use Forms Based Authentication (FBA) with Lightweight Directory Access Protocol (LDAP).

  • The LDAP Login Expression is configured to use multiple wildcard characters such as *@contoso*.

In this scenario, the LDAP Login Expression string comparison may become case-sensitive. Then, when a user provides a string such as, the string may not match the LDAP Login Expression.

Note This works as expected and is case-insensitive when only one wildcard character is used in the LDAP Login Expression.


This problem occurs because the LDAP Login Expression code incorrectly uses case-sensitive string comparisons when multiple wildcard characters are used.


To resolve this issue, install the hotfix package that is described in the following Microsoft Knowledge Base article:

2649961 Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!