Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Symptoms

Note These issues also apply to Microsoft Forefront Threat Management Gateway 2010.

Issue 1:

Consider the following scenario:

  • You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.

  • You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.

  • The listener is configured to let users change their passwords.

  • You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains

  • The account for the user who tries to log on is located in a domain in a remote trusted forest.

In this scenario, users cannot log on if their password is expired or if the account is set to User must change password at next logon. Error 1907 (ERROR_PASSWORD_MUST_CHANGE) is logged in the web proxy log.

Issue 2:

Consider the following scenario:

  • You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.

  • You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.

  • The listener is configured to let users change passwords.

  • You have a web publishing rule that uses this listener to publish a website.

  • You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains

  • The connection that ISA Server 2006 opened to the global catalog server was unexpectedly closed, for example, by a firewall between the two servers.

  • The user who is logging on has specified the user name in an NT4/SAM-based naming format.

  • The new password that is specified by the user meets complexity requirements.

In this scenario, users from all domains cannot change their passwords. When they try to change a password, they receive the following error message:

Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.

If the user specifies a user name that uses a UPN format, the user can change the password. If the ISA Server 2006 Firewall Service is restarted, users might also be able to change a password until the connection to the global catalog server is broken again.

Cause

Issue 1:

This issue occurs when the user is not redirected to the password change page because ISA Server 2006 does not check the account status for accounts in the remote forests. Therefore, it tries to use the credentials that the user provided to log on the user. The password is no longer valid. Therefore, the attempt fails, and error 1907 (ERROR_PASSWORD_MUST_CHANGE) is returned.

Issue 2:

This issue occurs when the handle for sending messages to the global catalog server is reused. When the handle fails, this prevents ISA Server 2006 from checking the user account status.

Resolution

Microsoft Internet Security and Acceleration (ISA) 2006

To resolve this problem, install the ISA Server 2006 hotfix rollup package that is described in the following Microsoft Knowledge Base article:

2616326 Description of the ISA Server 2006 hotfix package: September 2011

Microsoft Forefront Threat Management Gateway 2010

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:

2555840 Microsoft Forefront Threat Management Gateway 2010 Service Pack 2

How to enable this fix

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.


To enable this fix for ISA Server 2006 or for Forefront Threat Management Gateway 2010, run the EnableMultipleFlatUserName.vbs script to enable the functionality that is provided by this fix. To do this, follow these steps:

  1. Click Start, click Run, type notepad, and then click OK.

  2. Copy the following script into a Notepad file, and then save the text file as a Microsoft Visual Basic file by using the .vbs file name extension.

    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableMultipleFlatUserName"
    Const SE_VPS_VALUE = true

    Sub SetValue()

    ' Create the root obect.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
    Err.Clear

    ' Add the item
    Set VendorSet = VendorSets.Add( SE_VPS_GUID )
    CheckError
    WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
    WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

    Err.Clear
    VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

    If Err.Number <> 0 Then
    CheckError
    Else
    VendorSets.Save false, true
    CheckError

    If Err.Number = 0 Then
    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
    End If
    End If
    Else
    WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

    End Sub

    Sub CheckError()

    If Err.Number <> 0 Then
    WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
    Err.Clear
    End If

    End Sub

    SetValue
  3. Save the file to a temporary folder. For example, save the file as EnableMultipleFlatUserName.vbs to the C:\EnableMultipleFlatUserName folder.

  4. At a command prompt, go to the location in which you saved the .vbs file in step 3, and then run the .vbs file. For example, run the following commands:

    cd C:\EnableMultipleFlatUserName
    cscript EnableMultipleFlatUserName.vbs

Note You must restart the ISA Server-related services or the Forefront Threat Management Gateway server-related services after you enable this fix.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×