Troubleshoot problems with the Password Change pages that are included in IIS


Summary


This article describes how to troubleshoot the different problems you may experience when you use the Password Change pages that are included with Microsoft Internet Information Services (IIS).

INTRODUCTION


The Password Change pages that are included with IIS let you change user account passwords in a Web page. In each version of IIS, you may experience problems when you use the Password Change pages. This article helps you troubleshoot problems that you may experience and provides steps to make sure that you are using the latest version of the Password Change pages for each version of IIS.

More Information


Install the latest Password Change pages

Before you start to troubleshoot the problem, make sure that you have the latest Password Change pages.

IIS 4.0

Note Because Microsoft Windows NT 4 is no longer a supported operating system, the pages that are included with IIS 4.0 will not be updated to address any problems. However, you can try to update the files by using the files that are included with Windows 2000.

The pages that are included with Windows NT 4.0 Option Pack use the Ism.dll ISAPI extension. Because of the security problems that are associated with this extension, we recommend that do the following:
  • Upgrade these pages to the latest version that use the Asp.dll ISAPI extension for their execution.
  • Use the Active Directory Service Interfaces (ADSI) technology for the functionality of the pages.
To do this, follow these steps:
  1. Install the Active Directory Client Extensions for NT Workstation 4.0. For more information, visit the following Microsoft Web site:
  2. Back up the existing Iisadmpwd folder, and then install the HTR-2-ASP Windows NT 4.0 Package.
  3. Make sure that the HTR pages are mapped to Asp.dll, and make sure that the pages in the Iisadmpwd folder are correctly updated. After you update the HTR pages to use the Microsoft ASP technology, contact Microsoft Product Support Services to receive and to install the hotfix that is described in the following Microsoft Knowledge Base article:
    831047 FIX: You experience various problems when you use the Password Change pages in IIS 5.0

    Note Because Microsoft Windows NT 4 is no longer a supported operating system, the pages that are included with IIS 4.0 will not be updated to address any problems. However, you can try to update the files by using the files that are included with Windows 2000.

IIS 5.0 pre-Service Pack 4

If IIS 5.0 is not upgraded to Windows 2000 Service Pack 4 (SP4), the Password Change pages still use the Ism.dll ISAPI extension. Because of the security problems that are associated with this extension, we recommend that you do the following:
  • Upgrade these pages to the latest version that use the Asp.dll ISAPI extension for their execution.
  • Use the ADSI technology for the functionality of the pages.
To do this, follow these steps:
  1. Download the installation package for Microsoft Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3).
  2. After you install the HTR-2-ASP Windows 2000 Package to make the HTR pages use Asp.dll, contact Microsoft Product Support Services to receive and to install the hotfix that is described in the following Microsoft Knowledge Base article:
    831047 FIX: You experience various problems when you use the Password Change pages in IIS 5.0

IIS 5.0 post-Service Pack 4

If IIS 5.0 has been upgraded to Windows 2000 Service Pack 4, contact Microsoft Product Support Services to receive and to install the hotfix that is described in the following Microsoft Knowledge Base article:
831047 FIX: You experience various problems when you use the Password Change pages in IIS 5.0

IIS 6.0

When you are running IIS 6.0, contact Microsoft Product Support Services to receive and to install the hotfix that is described in the following Microsoft Knowledge Base article:
833734 FIX: You experience various problems when you use the Password Change pages in IIS 6.0

Troubleshooting

After you have verified that you have the latest files installed, if you are still running into problems when you use the Password Change pages, see the following sections to help troubleshoot any problems.

Anonymous User configuration

Make sure that the Anonymous User is the same for both of the following locations:
  • The Iisadmpwd virtual directory
  • The Web site that the Iisadmpwd virtual directory is under
Additionally, make sure that the Anonymous User has appropriate logon permissions on the IIS Web site even if you may not use Anonymous Access on any one of your Web pages. To test whether the anonymous user has the correct permissions on the IIS Web site, configure a simple Web page that only has Anonymous Access as the authentication. Then, try to open that Web page in Microsoft Internet Explorer.

You receive an "Object Required" error message

To resolve this problem, register the Iispwchg.dll file. To register this file in IIS 4.0 and in IIS 5.0, type the following command at a command prompt:
regsvr32 c:\winnt\sytem32\inetsrv\iisadmpwd\iispwchg.dll
To register the file in IIS 6.0, type the following command at a command prompt:
regsvr32 c:\windows\system32\inetsrv\iisadmpwd\iispwchg.dll

You receive an Error -2147022675 "User Not Found" error message

Verify that you correctly entered the user name. If no text box exists to enter the domain name separately, make sure that you enter the user name in either the Domain\UserName format or in the UserName@Domain format.

You receive an Error -2147023545 "Cannot Access Domain Info" error message

Verify that the computer that is running IIS can access the domain controller for the domain that you are running on. Additionally, make sure that you are using a valid domain name.

You receive an Error -2147024845 "Network communication problem" error message

This error message translates to a network error message where the computer that is running IIS cannot communicate with the remote computer. Make sure that the domain controller is available for the domain in which you are trying to change the password. Also, make sure that the domain controller for the domain can communicate with the computer that is running IIS.

You receive an Error -2147023569 "Account Restriction" error message

Make sure that no domain policy is in effect that prevents the user from changing the password. For example, a MinPasswordAge property restriction or a logon hour restriction may be in effect.

You receive a "File Not Found" error message

Typically, this problem occurs when you click Change Password in a Microsoft Outlook Web Access (OWA) client. This problem occurs when one of the following conditions is true:
  • Condition 1: You run a Microsoft Exchange Server 2003 front-end server on IIS 5.0. However, your back-end server is an Exchange 2003-based server that is running on a Windows Server 2003-based computer. In this case, OWA tries to find the Aexp2b.asp file, and this file does not exist on IIS 5.0. To work around this problem, make a copy of the Aexp2b.htr file that is in the Iisadmpwd folder. Then, rename the file Aexp2b.asp.
  • Condition 2: You are running an Exchange 2003 front-end server on IIS 6.0. However, your back-end server is an Exchange 2000-based server that is running on a Windows 2000-based computer. In this case, OWA tries to find the Aexp2b.htr file, and this file does not exist on IIS 6.0. To work around this problem, make a copy of the Aexp2b.asp file that is in the Iisadmpwd folder. Then, rename the file Aexp2b.htr. Additionally, you must add a mapping for the .htr extension to be processed by Asp.dll in the Iisadmpwd virtual directory.
  • Condition 3: You run an Exchange 2003 front-end server on IIS 6.0. However, your back-end is an Exchange 2003-based server that is running on a Windows 2000-based computer. In this case, OWA tries to find the Aexp2b.htr file, and this file does exist on IIS 6.0. To work around this problem, make a copy of the Aexp2b.asp file that is in the Iisadmpwd folder. Then, rename the file Aexp2b.htr. Additionally, you must add a mapping for the .htr extension to be processed by Asp.dll in the Iisadmpwd virtual directory.
In Condition 2 and in Condition 3, you must add a mapping for the .htr extension in the Iisadmpwd virtual directory. To do this, follow these steps:
  1. Click Start, click All Programs, click Administrative Tools, and then click
    Internet Information Services (IIS) Manager.
  2. Locate and then right-click the IISADMPWDvirtual directory, and then click Properties.
  3. In the Properties dialog box, on the
    Virtual Directory tab, click
    Configuration.
  4. In the Application Configuration dialog box, click the Mappings tab.
  5. If you have a mapping for the .htr extension that is mapped to C:\Windows\System32\Inetsrv\Asp.dll, skip the rest of the steps. If you do not have a mapping, click Add.
  6. In the Add/Edit Application Extension Mapping dialog box, type the following text in the
    Executable box:
    C:\Windows\System32\Inetsrv\ASP.DLL
  7. In the Extension box, type
    .HTR.
  8. Under Verbs, click to select the
    Limit to check box, and then type
    GET,POST in the box.
  9. Make sure that both the Script enginecheck box and the Verify that file exists check box are selected.
  10. Click OK two times to save the changes.

The user name is not populated

This behavior is a side effect of using Anonymous Authentication on the Iisadmpwd virtual directory. If the user name must be populated, disable Anonymous Authentication so access to this virtual directory can be authenticated. If you do this, the Password Change pages can obtain the authentication information.

The specified user name contains characters that are not valid

Make sure that the user name only contains characters that are valid. If this problem still occurs, upgrade to the latest script engine. This error occurs because problems occur when the script engine tries to perform a regular expression match of the user name against a set of characters that are not valid. To obtain the latest version of the scripting engine, visit the following Microsoft Web site: 

When you click OK, you are prompted to submit the Password Change credentials

This problem can occur if the client has not authenticated to IIS before the client submits the request. Typically, this problem occurs in OWA when the following conditions are true:
  • Basic Authentication is enabled on the Iisadmpwd virtual directory and on the Exchange virtual directory.
  • Exchange is using Owaauth.dll to control the logon to OWA.
When you are prompted for credentials, make sure that you enter the old password that you are trying to change. Enter the old password because you are still changing the password when you click OK. Only enter your new credentials after you receive the message that the password was successfully changed.

Server object ASP 0177 Class Factory could not supply requested class

After you apply IIS 5 SP4 on the IIS 5-based Web server, if you click Password Change, you receive the following error message:
Server object ASP 0177 Class Factory could not supply requested class. IISadmpwd/aexp2b.htr, line 61" IISadmpwd/aexp2b.htr, line 61 is Set objNet = Server.CreateObject("WScript.Network")
WScript is part of the Windows Script Components. To download the Windows Script Components, visit the following Microsoft Web site: If Windows Script Host is already installed, resolve this problem by registering %systemroot%\System32\Wshom.ocx.

References


For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
297121 Using the Change Password feature with Outlook Web Access

833734 FIX: You experience various problems when you use the Password Change pages in IIS 6.0

831047 FIX: You experience various problems when you use the Password Change pages in IIS 5.0

331834 Change password functionality replaced with Active Server Pages

271071 How to set required NTFS permissions and user rights for an IIS 5.0 Web server

812614 Default permissions and user rights for IIS 6.0