FIX: A password change is unsuccessful if a user's DN attribute contains a forward slash and an Active Directory LDAP-defined special character in Forefront Threat Management Gateway 2010

Applies to: Forefront Threat Management Gateway 2010 Enterprise, Forefront Threat Management Gateway 2010 Standard

Symptoms


Consider the following scenario:
  • An administrator has forms-based authentication (FBA) set up in Microsoft Forefront Threat Management Gateway (TMG) 2010.
  • The distinguished name (DN) attribute for a user contains a forward slash (/) and an Active Directory Lightweight Directory Access Protocol (LDAP)-defined special character.
  • The user tries to change his or her password.


In this scenario, the password change is unsuccessful, and the user receives the following generic error message:

Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.
Additionally, tracing in TMG 2010 may show that ADsOpenObject failed with 0x80005000 (E_ADS_BAD_PATHNAME) or 0x80072032 (ERROR_DS_INVALID_DN_SYNTAX) because the special character in the LDAP request was escaped.

Cause


This problem occurs for any Active Directory user account whose distinguishedName attribute contains both an Active Directory special character (stored backslash-escaped in the DN) and a forward slash character. In an ADsPath the forward slash separates the server name from the DN, so a DN that contains a slash together with an escaped special character is not handled correctly when TMG builds the LDAP path for the password change.

Resolution


To resolve this problem, install Rollup 4 for Forefront Threat Management Gateway 2010 Service Pack 2.

After you apply this update, you can configure Threat Management Gateway to use the objectGUID attribute instead of the distinguishedName attribute in the Active Directory LDAP path, which resolves the issue that is described in this article. To enable this functionality, follow these steps:
  1. Copy and paste the following script into Notepad, and then save it by using the "EnableKB2888619.vbs" file name:

    Set curArray = CreateObject("FPC.Root").GetContainingArray()
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
    Const SE_VPS_NAME = "UseObjectGUIDInLDAPADsPath"
    Const SE_VPS_VALUE = 1

    Sub SetValue()

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object

        ' Obtain references to the array object
        ' and its vendor parameters sets collection.
        Set array = curArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' The set does not exist yet; add it.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

            If Err.Number <> 0 Then
                CheckError
            Else
                ' Save the change to the array configuration.
                VendorSets.Save false, true
                CheckError

                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    Sub CheckError()

        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue

  2. Run the script on one of the Threat Management Gateway array members. The change takes effect when the Threat Management Gateway configuration synchronizes; no Firewall service restart is required.
  3. To revert the change and return to the original behavior, locate the following line in the script:

    Const SE_VPS_VALUE = 1

  4. Change that line as follows:

    Const SE_VPS_VALUE = 0

  5. Save the script, and then run the script on one of the array members.

Workaround


To work around this problem, remove the forward slash or the Active Directory special character from the DN attribute of the user.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


The following characters are special in an Active Directory distinguished name and are stored backslash-escaped in the DN:
  • Comma (,)
  • Backslash (\)
  • Number sign (#)
  • Plus sign (+)
  • Less than sign (<)
  • Greater than sign (>)
  • Semicolon (;)
  • Quotation mark (")
  • Equal sign (=)
  • Leading or trailing spaces

Example of user account attributes:

sAMAccountName: JeffSmith
displayName: Smith, Jeff / TMG
distinguishedName: CN=Smith\, Jeff / TMG,OU=Support,DC=Fabrikam,DC=com


Notes
  • The backslash escape character (\) is automatically added to the DN.
  • The distinguishedName attribute for this user account contains both the Active Directory special character comma (,) and the forward slash (/).
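The escaping rules above, the ADsPath problem behind the ADsOpenObject error in the Symptoms section, and the objectGUID-based path that the update enables, modelled in Python as an added example. This code is not from the article or from TMG: the server name dc01.fabrikam.com and the sample user records are constructed, and the rule that a forward slash inside the DN part of an ADsPath must be escaped as \/ comes from the ADSI documentation rather than from this article.

```python
"""Added example, not code from the KB article or from TMG: it models how
a user's distinguishedName is escaped, why a forward slash in that DN is a
problem once the DN is placed in an ADsPath, and how an objectGUID-based
ADsPath sidesteps the issue. Server name and user records are constructed."""
import re
import uuid

# Characters that Active Directory escapes with a backslash inside an RDN
# value (the list in the "More Information" section; RFC 4514 section 2.4).
_SPECIAL = set(',\\#+<>;"=')

# Assumed names for the example only.
SERVER = "dc01.fabrikam.com"
CONTAINER = "OU=Support,DC=Fabrikam,DC=com"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN such as CN=... ."""
    escaped = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    # Leading and trailing spaces are escaped as well.
    if value.startswith(" "):
        escaped = "\\" + escaped
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_dn(cn: str, container: str = CONTAINER) -> str:
    """Build the distinguishedName the way AD stores it: the RDN value is
    escaped, but a forward slash is not special in a DN and stays as-is."""
    return "CN=" + escape_rdn_value(cn) + "," + container


def adspath_for_dn(dn: str, server: str = SERVER) -> str:
    """ADsPath of the form LDAP://server/DN for ADsOpenObject.
    In an ADsPath the forward slash separates the server from the DN, so a
    slash that is part of the DN must itself be escaped as '\\/' (ADSI rule,
    not stated in the KB). Without that, ADsOpenObject rejects the path."""
    return "LDAP://" + server + "/" + dn.replace("/", "\\/")


def adspath_for_guid(object_guid: bytes, server: str = SERVER) -> str:
    """GUID binding string LDAP://server/<GUID=...> built from the raw
    16-byte objectGUID; the hex string is the same form that IADs.GUID
    returns. No DN text appears in the path, so escaping cannot go wrong."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return "LDAP://" + server + "/<GUID=" + object_guid.hex() + ">"


def guid_display(object_guid: bytes) -> str:
    """objectGUID in the familiar dashed form (AD stores it little-endian)."""
    return str(uuid.UUID(bytes_le=object_guid))


# A backslash followed by one of the special characters (or a space).
_ESCAPED_SPECIAL = re.compile(r'\\[,\\#+<>;"= ]')


def is_affected(dn: str) -> bool:
    """True when the DN matches the article's condition: it contains an
    escaped special character and a forward slash."""
    return bool(_ESCAPED_SPECIAL.search(dn)) and "/" in dn


# Constructed sample records: (sAMAccountName, CN, raw objectGUID).
SAMPLE_USERS = [
    ("JeffSmith", "Smith, Jeff / TMG", bytes(range(16))),      # comma and slash
    ("AnnaK", "Kowalski, Anna", bytes(range(16, 32))),         # comma only
    ("BobL", "Bob Lee / Contractors", bytes(range(32, 48))),   # slash only
    ("CarlM", "Carl Meyer", bytes(range(48, 64))),             # neither
]


def find_affected_users(users=SAMPLE_USERS, container: str = CONTAINER) -> list:
    """sAMAccountNames whose DN would make the TMG password change fail."""
    return [sam for sam, cn, _ in users if is_affected(build_dn(cn, container))]


if __name__ == "__main__":
    for sam, cn, raw in SAMPLE_USERS:
        dn = build_dn(cn)
        status = "AFFECTED" if is_affected(dn) else "ok"
        print(f"{sam:10} {status:9} {adspath_for_dn(dn)}")
        print(f"{'':10} {guid_display(raw):38} {adspath_for_guid(raw)}")
```

Run as a script, it lists which of the constructed accounts meet the article's condition (only JeffSmith, whose DN matches the example above) and prints both the DN-based and the GUID-based ADsPath for each. Against a real directory, feed the distinguishedName values returned by a directory query to is_affected to find the accounts that will fail before the rollup and the objectGUID setting are in place.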

References


For more information, see the terminology that Microsoft uses to describe software updates.