Symptoms
Consider the following scenario:
- An administrator has forms-based authentication (FBA) set up in Microsoft Forefront Threat Management Gateway (TMG) 2010.
- The distinguished name (DN) attribute for a user contains a forward slash (/) and an Active Directory Lightweight Directory Access Protocol (LDAP)-defined special character.
- The user tries to change his or her password.
In this scenario, the password change is unsuccessful, and the user receives the following generic error message:
Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.
Additionally, tracing in TMG 2010 may indicate that ADsOpenObject failed with 0x80005000 (E_ADS_BAD_PATHNAME) or 0x80072032 (ERROR_DS_INVALID_DN_SYNTAX) because the special character in the LDAP request is escaped.
Cause
This problem occurs for any Active Directory user account for which the DN attribute contains an Active Directory special character and a forward slash character.
Resolution
To resolve this problem, install Rollup 4 for Forefront Threat Management Gateway 2010 Service Pack 2. After you apply this update, you can configure Threat Management Gateway to use the objectGUID attribute instead of the distinguishedName attribute in the Active Directory LDAP path, which resolves the issue that is described in this article. To enable this functionality, follow these steps:
- Copy and paste the following script into Notepad, and then save it by using the "EnableKB2888619.vbs" file name:

    set curArray = CreateObject("FPC.Root").GetContainingArray()

    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
    Const SE_VPS_NAME = "UseObjectGUIDInLDAPADsPath"
    Const SE_VPS_VALUE = 1

    Sub SetValue()
        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object

        ' Obtain references to the array object
        ' and its vendor parameters sets collection.
        Set array = curArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    End Sub

    Sub CheckError()
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    End Sub

    SetValue

- Run the script on one of the Threat Management Gateway array members. The script change will take effect when the Threat Management Gateway configuration synchronizes. No Firewall service restart is necessary for the change to take effect.
- To revert the change and return to the original behavior, locate the following line in the script:

    Const SE_VPS_VALUE = 1

- Change that line as follows:

    Const SE_VPS_VALUE = 0

- Save the script, and then run the script on one of the array members.
Workaround
To work around this problem, remove the forward slash or the Active Directory special character from the DN attribute of the user.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
Escaped special characters in Active Directory attributes are as follows:
- Comma (,)
- Backslash (\)
- Number sign (#)
- Plus sign (+)
- Less than sign (<)
- Greater than sign (>)
- Semicolon (;)
- Quotation mark (")
- Equal sign (=)
- Leading or trailing spaces
Example of user account attributes:

sAMAccountName: JeffSmith
displayName: Smith, Jeff / TMG
distinguishedName: CN=Smith\, Jeff / TMG,OU=Support,DC=Fabrikam,DC=com

Notes
- The backslash escape character (\) is automatically added to the DN.
- The distinguishedName attribute for this user account contains both the Active Directory special character comma (,) and the forward slash (/).
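An administrator who wants to know which accounts will hit this password-change failure, and which ones need the workaround above, can scan distinguishedName values for the combination the Cause section names: a backslash-escaped special character together with a forward slash. The following Python check is an added example, not part of this article or of TMG; the helper names (has_escaped_special_char, is_affected_dn, find_affected) are this example's own, and it runs over constructed sample DNs modelled on the one shown above.

```python
import re

# Characters that Active Directory escapes with a backslash inside a DN value
# (the list in this article); a leading or trailing space is escaped as "\ ".
AD_SPECIAL_CHARS = set(',\\#+<>;"= ')


def has_escaped_special_char(dn: str) -> bool:
    """Return True if the DN contains a backslash-escaped AD special character."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            if dn[i + 1] in AD_SPECIAL_CHARS:
                return True
            # RFC 4514 also allows "\XX" hex-pair escapes (e.g. "\2C" for a comma).
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                return True
            i += 2  # skip the escaped character
            continue
        i += 1
    return False


def is_affected_dn(dn: str) -> bool:
    """True when the DN has both an escaped special character and a forward slash,
    which is the condition described in this article."""
    return "/" in dn and has_escaped_special_char(dn)


def find_affected(dns):
    """Filter an iterable of distinguishedName values down to the affected ones."""
    return [dn for dn in dns if is_affected_dn(dn)]


# Constructed sample DNs; the first matches the example account in this article.
SAMPLE_DNS = [
    r"CN=Smith\, Jeff / TMG,OU=Support,DC=Fabrikam,DC=com",        # comma + slash: affected
    r"CN=Smith\, Jeff,OU=Support,DC=Fabrikam,DC=com",              # comma only: not affected
    r"CN=Jeff Smith / TMG,OU=Support,DC=Fabrikam,DC=com",          # slash only: not affected
    r"CN=Jeff Smith\2C TMG / Ops,OU=Support,DC=Fabrikam,DC=com",   # hex-escaped comma + slash: affected
    r"CN=Trailing\ ,OU=Support / EMEA,DC=Fabrikam,DC=com",         # escaped trailing space + slash: affected
]

if __name__ == "__main__":
    for dn in find_affected(SAMPLE_DNS):
        print("affected:", dn)
```

In a real environment the DN list would come from an LDAP query of user objects; the check itself is the same.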
References
For more information, see the terminology that Microsoft uses to describe software updates.