You are currently offline, waiting for your internet to reconnect

The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1 or if you use Microsoft Threat Management Gateway 2010

SYMPTOMS
After you apply Microsoft Internet Security and Acceleration (ISA) Server Service Pack 1 (SP1) or if you use Microsoft Forefront Threat Management Gateway (TMG) 2010, you may notice that the "change password" feature does not work as expected. 

For example, in Active Directory settings, you enable the "User must change password at next logon" setting for a certain user account. However, when the user tries to log on by using forms-based authentication (FBA) when the "change password" feature is enabled in ISA Server or TMG Server, the user is not automatically redirected to the form that is used to change the password.
CAUSE
This problem occurs when FBA is used together with Lightweight Directory Access Protocol (LDAP). In ISA Server 2006 SP1, the default behavior was changed when you use FBA together with LDAP. This change was made to help guard against authentication attacks.

For more information, visit the "Changes in Service Pack 1" section of the following Microsoft TechNet Web site:
RESOLUTION
To resolve this problem, follow these steps:
  1. Install the hotfix package that is described in the following Microsoft Knowledge Base article:
    959357 Description of the ISA Server 2006 hotfix package: October 29, 2008
    Please note that the first step is not applicable for Microsoft Threat Management Gateway (TMG) Server. The hotfix is included in the product.
  2. Start Notepad.
  3. Paste the following script into the Notepad file.
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-'    This code is Copyright (c) 2007 Microsoft Corporation.  ''    All rights reserved.''    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A'    PARTICULAR PURPOSE.''    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE'    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE'    OF THIS CODE OR INFORMATION.'' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-If Not WScript.Arguments.Named.Exists("WebListener") Then    WScript.Echo "WebListener not defined"    WScript.Quit(1)End IfSet fpcRoot = CreateObject("FPC.Root")Set fpcArray = fpcRoot.GetContainingArray()Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))Set fpcWebListenerVps = fpcWebListener.VendorParametersSetsOn Error Resume NextSet fpcCookieAuthVps = fpcWebListenerVps.Item("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")If Err.number = 0 Then    CookieAuthVpsExists = TrueElse    CookieAuthVpsExists = FalseEnd IfErr.ClearOn Error GoTo 0If Not CookieAuthVpsExists Then    WScript.Echo "Cookie auth VPS settings not defined, hotfix 957859 disabled"Else    On Error Resume Next    WScript.Echo "EnableLDAPPasswordExpiration: " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)End IfIf WScript.Arguments.Named.Exists("Value") Then    If Not CookieAuthVpsExists Then        Set fpcCookieAuthVps = fpcWebListenerVps.Add("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")    End If    fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)    fpcArray.Save    WScript.Echo "EnableLDAPPasswordExpiration set to " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)End If 
  4. Save this Notepad file by using the .vbs file name extension. For example, use the following name to save this file:
    EnableHotfix957859.vbs
  5. Open a command prompt, move to the location where you saved the EnableHotfix957859.vbs file, and then type the following command:
    Cscript EnableHotfix957859.vbs /webListener:<listener name> /Value:true
    Note In this command, replace <listener name> with the actual name of the Web listener.
Important: If you want to remove hotfix 959357, open a command prompt, browse to the location where you saved the EnableHotfix957859.vbs file, and then type the following command: 

Cscript EnableHotfix957859.vbs /webListener:<listener name> /Value:false

Note In this command, replace <listener name> with the actual name of the Web listener.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
REFERENCES
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Properties

Article ID: 957859 - Last Review: 06/02/2011 11:01:00 - Revision: 4.0

  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • kbexpertiseinter kbfix kbsurveynew kbqfe KB957859
Feedback