Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


Consider the following scenario:

  • An administrator has forms-based authentication (FBA) set up in Microsoft Forefront Threat Management Gateway (TMG) 2010.

  • The distinguished name (DN) attribute for a user contains a forward slash (/) and an Active Directory Lightweight Directory Access Protocol (LDAP)-defined special character.

  • The user tries to change his or her password.

In this scenario, the password change is unsuccessful, and the user receives the following generic error message:

Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.

Additionally, tracing in TMG 2010 may indicate that ADsOpenObject failed with 0x80005000 (E_ADS_BAD_PATHNAME) or 0x80072032 (ERROR_DS_INVALID_DN_SYNTAX) because the special character in the LDAP request escaped.


This problem occurs for any Active Directory user account for which the DN attribute contains an Active Directory special character and a forward slash character. 


To resolve this problem, install Rollup 4 for Forefront Threat Management Gateway 2010 Service Pack 2.

After you apply this update, you can configure Threat Management Gateway to use the objectGUID attribute instead of the DistinguishedName attribute in Active Directory LDAP path to resolve the issue that is described in this article. To enable this functionality, follow these steps:

  1. Copy and paste the following script into Notepad, and then save it by using the "EnableKB2888619.vbs" file name:

    set curArray = CreateObject("FPC.Root").GetContainingArray()
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
    Const SE_VPS_NAME = "UseObjectGUIDInLDAPADsPath"
    Const SE_VPS_VALUE = 1

    Sub SetValue()

    ' Create the root obect.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object

    ' Obtain references to the array object
    ' and the network rules collection.
    Set array = curArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then

    ' Add the item
    Set VendorSet = VendorSets.Add( SE_VPS_GUID )
    WScript.Echo "New VendorSet added... " & VendorSet.Name

    WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

    VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

    If Err.Number <> 0 Then
    VendorSets.Save false, true

    If Err.Number = 0 Then
    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
    End If
    End If
    WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

    End Sub

    Sub CheckError()

    If Err.Number <> 0 Then
    WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
    End If

    End Sub


  2. Run the script on one of the Threat Management Gateway array members. The script change will take effect when the Threat Management Gateway configuration synchronizes. No Firewall service restart is necessary for the change to take effect.

  3. To revert the change and return to the original behavior, locate the following line in the script:

    Const SE_VPS_VALUE = 1

  4. Change that line as follows:

    Const SE_VPS_VALUE = 0

  5. Save the script, and then run the script on one of the array members.


To work around this problem, remove the forward slash or the Active Directory special character from the DN attribute of the user.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Escaped special characters in Active Directory attributes are as follows:

  • Comma (,)

  • Backslash (\)

  • Number sign (#)

  • Plus sign (+)

  • Less than sign (<)

  • Greater than sign ( )

  • Semicolon (;)

  • Quotation mark (")

  • Equal sign (=)

  • Leading or trailing spaces

Example of user account attributes:

sAMAccountName: JeffSmith
displayName: Smith, Jeff / TMG
distinguishedName: CN=Smith\, Jeff / TMG,OU=Support,DC=Fabrikam,DC=com


  • The backslash escape character (\) is automatically added to the DN.

  • The distinguishedName attribute for this user account contains both the Active Directory special character comma (,) and the forward slash (/).


For more information, see the following:

See the terminology Microsoft uses to describe software updates.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!