Symptoms

Note These issues also apply to Microsoft Forefront Threat Management Gateway 2010.

Issue 1:

Consider the following scenario:

  • You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.

  • You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.

  • The listener is configured to let users change their passwords.

  • You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains

  • The account for the user who tries to log on is located in a domain in a remote trusted forest.

In this scenario, users cannot log on if their password is expired or if the account is set to User must change password at next logon. Error 1907 (ERROR_PASSWORD_MUST_CHANGE) is logged in the web proxy log.

Issue 2:

Consider the following scenario:

  • You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.

  • You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.

  • The listener is configured to let users change passwords.

  • You have a web publishing rule that uses this listener to publish a website.

  • You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains

  • The connection that ISA Server 2006 opened to the global catalog server was unexpectedly closed, for example, by a firewall between the two servers.

  • The user who is logging on has specified the user name in an NT4/SAM-based naming format.

  • The new password that is specified by the user meets complexity requirements.

In this scenario, users from all domains cannot change their passwords. When they try to change a password, they receive the following error message:

Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.

If the user specifies a user name that uses a UPN format, the user can change the password. If the ISA Server 2006 Firewall Service is restarted, users might also be able to change a password until the connection to the global catalog server is broken again.

Cause

Issue 1:

This issue occurs because ISA Server 2006 does not check the account status for accounts in remote forests, so the user is never redirected to the password change page. Instead, ISA Server 2006 tries to log the user on with the credentials that the user provided. Because the password is no longer valid, the attempt fails, and error 1907 (ERROR_PASSWORD_MUST_CHANGE) is returned.
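The account-status check that Issue 1 describes as being skipped for remote-forest accounts, modelled in Python as an added example (this is not ISA Server code; pwdLastSet, userAccountControl and maxPwdAge are standard Active Directory attributes, and the sample accounts and domain policy are constructed):

```python
from datetime import datetime, timedelta, timezone

ERROR_PASSWORD_MUST_CHANGE = 1907   # Win32 code named on this page
UF_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl "password never expires"
# Active Directory stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    # timedelta // timedelta is exact integer arithmetic, so no float rounding.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_status(pwd_last_set: int, uac: int, max_pwd_age: int, now: datetime) -> str:
    """Classify a password from the account's AD attributes.

    pwd_last_set: pwdLastSet; 0 means "User must change password at next logon".
    uac:          userAccountControl flags.
    max_pwd_age:  domain maxPwdAge, stored as a negative tick count (0 = never expires).
    """
    if pwd_last_set == 0:
        return "must_change"
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return "valid"
    return "expired" if to_filetime(now) >= pwd_last_set + abs(max_pwd_age) else "valid"


def fba_next_step(account: dict, max_pwd_age: int, now: datetime) -> str:
    """Pre-logon check the FBA listener should apply to every account, including those in
    remote trusted forests. Skipping it (Issue 1) means the listener tries the stale
    credentials and the logon fails with ERROR_PASSWORD_MUST_CHANGE (1907)."""
    status = password_status(account["pwdLastSet"], account["userAccountControl"], max_pwd_age, now)
    return "attempt_logon" if status == "valid" else "redirect_to_change_password"


# Constructed sample data (not taken from any real directory).
NOW = datetime(2011, 9, 15, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
NORMAL, NORMAL_NO_EXPIRE = 0x200, 0x200 | UF_DONT_EXPIRE_PASSWD
SAMPLE_ACCOUNTS = {
    "remote\\must.change": {"pwdLastSet": 0, "userAccountControl": NORMAL},
    "remote\\expired": {"pwdLastSet": to_filetime(NOW - timedelta(days=60)), "userAccountControl": NORMAL},
    "remote\\current": {"pwdLastSet": to_filetime(NOW - timedelta(days=10)), "userAccountControl": NORMAL},
    "remote\\svc": {"pwdLastSet": to_filetime(NOW - timedelta(days=60)), "userAccountControl": NORMAL_NO_EXPIRE},
}


def classify_samples() -> dict:
    """Map each constructed account to the action the listener should take."""
    return {name: fba_next_step(acct, MAX_PWD_AGE_42_DAYS, NOW) for name, acct in SAMPLE_ACCOUNTS.items()}
```

Only the first two accounts are sent to the change-password page; the account whose password never expires is logged on even though its password is older than the domain maximum.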

Issue 2:

This issue occurs because ISA Server 2006 reuses the handle that it uses to send messages to the global catalog server. After the connection is closed, calls through that handle fail, and ISA Server 2006 can no longer check the user account status.

Resolution

Microsoft Internet Security and Acceleration (ISA) 2006

To resolve this problem, install the ISA Server 2006 hotfix rollup package that is described in the following Microsoft Knowledge Base article:

2616326 Description of the ISA Server 2006 hotfix package: September 2011

Microsoft Forefront Threat Management Gateway 2010

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:

2555840 Microsoft Forefront Threat Management Gateway 2010 Service Pack 2

How to enable this fix

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

To enable this fix for ISA Server 2006 or for Forefront Threat Management Gateway 2010, run the EnableMultipleFlatUserName.vbs script that is shown in step 2. The script sets the EnableMultipleFlatUserName vendor parameter that turns on the functionality that the fix provides. To do this, follow these steps:

  1. Click Start, click Run, type notepad, and then click OK.

  2. Copy the following script into a Notepad file, and then save the text file as a Microsoft Visual Basic file by using the .vbs file name extension.

    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableMultipleFlatUserName"
    Const SE_VPS_VALUE = true

    Sub SetValue()

        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
            If Err.Number <> 0 Then
                CheckError
            Else
                ' Save the array configuration and refresh the running service.
                VendorSets.Save false, true
                CheckError

                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    Sub CheckError()

        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue

  3. Save the file to a temporary folder. For example, save the file as EnableMultipleFlatUserName.vbs to the C:\EnableMultipleFlatUserName folder.

  4. At a command prompt, go to the location in which you saved the .vbs file in step 3, and then run the .vbs file. For example, run the following commands:

    cd C:\EnableMultipleFlatUserName
    cscript EnableMultipleFlatUserName.vbs

Note You must restart the ISA Server-related services or the Forefront Threat Management Gateway server-related services after you enable this fix.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates
