An incorrect domain password policy may be used if Active Directory integrated authentication is configured in Forefront Unified Access Gateway 2010

Applies to: Forefront Unified Access Gateway 2010; Microsoft Forefront Unified Access Gateway 2010 Service Pack 1

Symptoms


You have Microsoft Forefront Unified Access Gateway (UAG) 2010 configured to enable users to change their passwords and to prompt those users to change their passwords before their passwords expire. If Active Directory integrated authentication is configured on the Forefront UAG authentication repository, an incorrect domain password policy may be used. This problem can result in the following:
  • Too frequent password change prompts
  • Password change prompts not being made when they are necessary

Cause


This problem occurs when Active Directory integrated authentication is configured on an authentication server or repository. In this case, Forefront UAG uses global catalog servers to authenticate users and determine user information such as password expiration.

Global catalog server discovery is not tied to the domain of the Forefront UAG server. It is based on site and forest global catalog placement, with the candidate servers ordered by round-robin Domain Name System (DNS) resolution.

When Forefront UAG requests the password expiration for a user from a global catalog server, the global catalog server uses the domain password policy from its own domain when it makes this calculation instead of the password policy from the user domain. By design, this is the default Windows behavior and could result in an incorrect password expiration being returned to Forefront UAG. This behavior depends on the password policies that are used and the domain of the user and global catalog server that is being used.
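The following PowerShell script is an added example, not part of the KB article or of Forefront UAG, that makes the discrepancy described above visible: it reads the password expiry that a global catalog reports for a user and compares it with the expiry computed from the policy of the user's own domain. It assumes the RSAT ActiveDirectory module, a multi-domain forest, and a placeholder user principal name supplied by the caller.

```powershell
<#
Added example (not from the KB): compares the password expiry a global catalog
reports for a user with the value computed from the user's own domain policy.
Assumes the RSAT ActiveDirectory module and a forest with more than one domain.
#>
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,  # placeholder, e.g. alice@child.corp.example
    [string]$GlobalCatalog                             # optional GC host; discovered if omitted
)
Import-Module ActiveDirectory

# GC discovery is site/forest based, as the KB notes, so the GC found here may sit in another domain.
if (-not $GlobalCatalog) {
    $GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
}

# Look the user up through the GC (port 3268), which holds a partial replica of every domain.
$gcUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" -Server "${GlobalCatalog}:3268" `
    -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
if (-not $gcUser) { throw "$UserPrincipalName was not found in the forest" }

# Derive the user's domain from the DC= components of the DN and find a domain controller there.
$userDomain = (($gcUser.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
$dc = (Get-ADDomainController -Discover -DomainName $userDomain).HostName[0]

# Effective policy in the user's own domain: a fine-grained policy (PSO) if one applies,
# otherwise the domain default. The KB discusses only the domain default policy.
$policy = Get-ADUserResultantPasswordPolicy -Identity $gcUser.DistinguishedName -Server $dc
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy -Server $dc }

# Expiry as a DC in the user's domain would compute it: pwdLastSet + MaxPasswordAge.
$expected = if ($gcUser.pwdLastSet -eq 0) { 'must change at next logon' }
            elseif ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) { 'never' }
            else { [DateTime]::FromFileTimeUtc($gcUser.pwdLastSet).Add($policy.MaxPasswordAge) }

# Expiry as reported by the GC (constructed attribute; Int64.MaxValue means never expires).
$gcRaw    = $gcUser.'msDS-UserPasswordExpiryTimeComputed'
$gcExpiry = if ($null -eq $gcRaw) { 'not returned by GC' }
            elseif ($gcRaw -eq [Int64]::MaxValue) { 'never' }
            else { [DateTime]::FromFileTimeUtc($gcRaw) }

[PSCustomObject]@{
    User                 = $UserPrincipalName
    UserDomain           = $userDomain
    GlobalCatalog        = $GlobalCatalog
    GCDomain             = (Get-ADDomainController -Identity $GlobalCatalog).Domain
    ExpiryReportedByGC   = $gcExpiry
    ExpiryFromUserDomain = $expected
    Mismatch             = ($gcExpiry -ne $expected)
}
```

A Mismatch of True for a user whose domain differs from the GC's domain is the symptom the article describes; the fix itself is the Service Pack 4 update, not this script.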

Resolution


To resolve this problem, install Service Pack 4 for Microsoft Forefront Unified Access Gateway 2010.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


After Service Pack 4 is installed, the global catalog servers will query a domain controller from the users' domain to determine password expiration. This change makes sure that the correct domain password policy is used for the password expiration calculations.
