Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

FIX: Users in remote forests cannot change their passwords through ISA Server 2006 or Forefront Threat Management Gateway 2010



Symptoms

Note These issues also apply to Microsoft Forefront Threat Management Gateway 2010.

Issue 1:

Consider the following scenario:
  • You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.
  • You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.
  • The listener is configured to let users change their passwords.
  • You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains
  • The account for the user who tries to log on is located in a domain in a remote trusted forest.
In this scenario, users cannot log on if their password is expired or if the account is set to User must change password at next logon. Error 1907 (ERROR_PASSWORD_MUST_CHANGE) is logged in the web proxy log.
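To find which accounts are hitting Issue 1 before or after applying the fix, the web proxy log can be scanned for result code 1907. The script below is an added example, not part of this article or of the product. It assumes the log is in W3C extended format, so it reads column positions from the "#Fields:" header rather than hard-coding them, and it assumes the user and result-code columns are named cs-username and sc-status. The embedded sample records are constructed for illustration, not taken from a real log.

```vbscript
' Scan an ISA/TMG W3C-format web proxy log for requests that ended with
' result code 1907 (ERROR_PASSWORD_MUST_CHANGE), counted per user name.
' Added example, not from the KB article. Column order is taken from the
' "#Fields:" header; the names cs-username and sc-status are assumed.
' Usage: cscript Find1907.vbs <path-to-log>   (no argument: built-in sample)
Option Explicit

Const TARGET_STATUS = "1907"

' Constructed sample records, not a real ISA log.
Dim sampleLines
sampleLines = Array( _
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2006", _
    "#Fields: date time c-ip cs-username r-host cs-uri sc-status rule", _
    "2011-09-15 08:12:01 10.1.2.3 CORP\alice owa.contoso.com /owa/ 1907 Publish_OWA", _
    "2011-09-15 08:12:44 10.1.2.9 REMOTE\bob owa.contoso.com /owa/ 200 Publish_OWA", _
    "2011-09-15 08:13:10 10.1.2.3 CORP\alice owa.contoso.com /owa/ 1907 Publish_OWA")

Dim logLines
If WScript.Arguments.Count > 0 Then
    logLines = ReadLines(WScript.Arguments(0))
Else
    logLines = sampleLines
End If

Dim hits, user
Set hits = CountPasswordMustChange(logLines)
If hits.Count = 0 Then
    WScript.Echo "No " & TARGET_STATUS & " results found."
Else
    For Each user In hits.Keys
        WScript.Echo user & vbTab & hits(user) & " x " & TARGET_STATUS
    Next
End If

' W3C logs may be tab- or space-delimited; pick whichever the record uses.
Function SplitFields(rec)
    If InStr(rec, vbTab) > 0 Then
        SplitFields = Split(rec, vbTab)
    Else
        SplitFields = Split(rec, " ")
    End If
End Function

' Returns a Dictionary: user name -> number of records with sc-status 1907.
Function CountPasswordMustChange(records)
    Dim result, rec, fields, userIdx, statusIdx, i, u
    Set result = CreateObject("Scripting.Dictionary")
    userIdx = -1 : statusIdx = -1
    For Each rec In records
        If Left(rec, 8) = "#Fields:" Then
            ' Column positions come from the header, so any field layout works.
            fields = SplitFields(Trim(Mid(rec, 9)))
            userIdx = -1 : statusIdx = -1
            For i = 0 To UBound(fields)
                If fields(i) = "cs-username" Then userIdx = i
                If fields(i) = "sc-status" Then statusIdx = i
            Next
        ElseIf Left(rec, 1) <> "#" And Len(Trim(rec)) > 0 Then
            If userIdx < 0 Or statusIdx < 0 Then
                WScript.Echo "Record before a usable #Fields header, skipped: " & rec
            Else
                fields = SplitFields(rec)
                If UBound(fields) >= statusIdx And UBound(fields) >= userIdx Then
                    If fields(statusIdx) = TARGET_STATUS Then
                        u = fields(userIdx)
                        If result.Exists(u) Then
                            result(u) = result(u) + 1
                        Else
                            result.Add u, 1
                        End If
                    End If
                End If
            End If
        End If
    Next
    Set CountPasswordMustChange = result
End Function

Function ReadLines(path)
    Dim fso, stream, text
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set stream = fso.OpenTextFile(path, 1)
    text = stream.ReadAll
    stream.Close
    ReadLines = Split(Replace(text, vbCrLf, vbLf), vbLf)
End Function
```

Run against the built-in sample, the script reports CORP\alice twice and does not report REMOTE\bob, whose request succeeded. Point it at a rotated log file to see which users are being refused with 1907 instead of being redirected to the password change page.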

Issue 2:

Consider the following scenario:
  • You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.
  • You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.
  • The listener is configured to let users change passwords.
  • You have a web publishing rule that uses this listener to publish a website.
  • You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains
  • The connection that ISA Server 2006 opened to the global catalog server was unexpectedly closed, for example, by a firewall between the two servers.
  • The user who is logging on has specified the user name in the NT4/SAM-based format (DOMAIN\username) rather than in UPN format (username@domain).
  • The new password that is specified by the user meets complexity requirements.
In this scenario, users from all domains cannot change their passwords. When they try to change a password, they receive the following error message:
Either the user name or old password is not valid, or the new password does not meet the minimum complexity requirements. Please try again.
If the user specifies a user name that uses a UPN format, the user can change the password. If the ISA Server 2006 Firewall Service is restarted, users might also be able to change a password until the connection to the global catalog server is broken again.



Cause

Issue 1:

This issue occurs because ISA Server 2006 does not check the account status (expired password, or User must change password at next logon) for accounts in remote forests, so it never redirects the user to the password change page. Instead, it attempts the logon with the credentials the user supplied. Because the password must be changed, the logon attempt fails, and error 1907 (ERROR_PASSWORD_MUST_CHANGE) is returned.

Issue 2:

This issue occurs because ISA Server 2006 reuses its handle to the global catalog server after the underlying connection has been closed. Calls on the stale handle fail, so ISA Server 2006 cannot check the user account status, and the password change is rejected with the generic error message shown above.



Resolution

Microsoft Internet Security and Acceleration (ISA) 2006

To resolve this problem, install the ISA Server 2006 hotfix rollup package that is described in the following Microsoft Knowledge Base article:
2616326 Description of the ISA Server 2006 hotfix package: September 2011

Microsoft Forefront Threat Management Gateway 2010

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2555840 Microsoft Forefront Threat Management Gateway 2010 Service Pack 2

How to enable this fix

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.


To enable this fix for ISA Server 2006 or for Forefront Threat Management Gateway 2010, run the EnableMultipleFlatUserName.vbs script to enable the functionality that is provided by this fix. To do this, follow these steps:
  1. Click Start, click Run, type notepad, and then click OK.
  2. Copy the following script into a Notepad file, and then save the text file as a Microsoft Visual Basic file by using the .vbs file name extension.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableMultipleFlatUserName"
    Const SE_VPS_VALUE = True

    Sub SetValue()

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and its vendor parameter sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' The vendor parameter set does not exist yet; add it.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            If Not IsObject(VendorSet) Then
                WScript.Echo "Could not add VendorSet " & SE_VPS_GUID & ", nothing saved."
                Exit Sub
            End If
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

            If Err.Number <> 0 Then
                CheckError
            Else
                ' Save(fResetRequiredServices, fReloadConfiguration): persist the change
                ' and reload the configuration; services are restarted separately (see the note below).
                VendorSets.Save False, True

                ' Check the error before CheckError clears it; otherwise "saved!"
                ' would be reported even when Save failed.
                If Err.Number <> 0 Then
                    CheckError
                Else
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    Sub CheckError()

        ' Report any pending error and clear it so that the script can continue.
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue
  3. Save the file to a temporary folder. For example, save the file as EnableMultipleFlatUserName.vbs to the C:\EnableMultipleFlatUserName folder.
  4. At a command prompt, go to the location in which you saved the .vbs file in step 3, and then run the .vbs file. For example, run the following commands:
    cd C:\EnableMultipleFlatUserName
    cscript EnableMultipleFlatUserName.vbs
Note You must restart the ISA Server-related services or the Forefront Threat Management Gateway server-related services after you enable this fix.
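After enabling the fix, a practitioner usually wants to confirm that the setting was actually persisted, and to have a way to revert it if the cross-forest lookup behaves unexpectedly. The script below is an added example and is not part of this article or of the product. It uses the same vendor parameter set GUID and parameter name as the script above; with no argument it reports the current state, and with /enable or /disable it sets the value to True or False. It saves with Save False, True, which reloads the configuration without restarting services, so the restart described in the note above is still required after a change.

```vbscript
' Query, enable or disable the EnableMultipleFlatUserName vendor parameter
' on the local ISA/TMG array. Added example, not from the KB article;
' assumes the GUID and parameter name used by the KB's own script.
' Usage:
'   cscript MultipleFlatUserName.vbs            - show the current state
'   cscript MultipleFlatUserName.vbs /enable    - set the value to True
'   cscript MultipleFlatUserName.vbs /disable   - set the value to False
Option Explicit

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableMultipleFlatUserName"

Dim root, fpcArray, vendorSets, vendorSet, current, wanted

Set root = CreateObject("FPC.Root")
Set fpcArray = root.GetContainingArray
Set vendorSets = fpcArray.VendorParametersSets

' Look up the vendor parameter set; if it is absent the feature was never enabled.
On Error Resume Next
Set vendorSet = vendorSets.Item(SE_VPS_GUID)
If Err.Number <> 0 Then
    Err.Clear
    Set vendorSet = Nothing
End If
On Error GoTo 0

If WScript.Arguments.Count = 0 Then
    If vendorSet Is Nothing Then
        WScript.Echo SE_VPS_NAME & ": not set (vendor parameter set absent, feature disabled)"
    Else
        On Error Resume Next
        current = vendorSet.Value(SE_VPS_NAME)
        If Err.Number <> 0 Then
            Err.Clear
            WScript.Echo SE_VPS_NAME & ": vendor parameter set exists but the value is not defined (feature disabled)"
        Else
            WScript.Echo SE_VPS_NAME & ": " & CStr(current)
        End If
        On Error GoTo 0
    End If
    WScript.Quit 0
End If

Select Case LCase(WScript.Arguments(0))
    Case "/enable"
        wanted = True
    Case "/disable"
        wanted = False
    Case Else
        WScript.Echo "Usage: cscript MultipleFlatUserName.vbs [/enable | /disable]"
        WScript.Quit 2
End Select

' Create the vendor parameter set on first use.
If vendorSet Is Nothing Then
    Set vendorSet = vendorSets.Add(SE_VPS_GUID)
End If

vendorSet.Value(SE_VPS_NAME) = wanted

' Save(fResetRequiredServices, fReloadConfiguration): write the change and reload
' the configuration, but leave the service restart to the administrator.
vendorSets.Save False, True

WScript.Echo SE_VPS_NAME & " set to " & CStr(wanted) & ". Restart the ISA/TMG services for the change to take effect."
```

Because the script runs without On Error Resume Next around Add and Save, a failure in either call stops the script with a cscript error and a non-zero exit code instead of reporting success, which makes it safe to use from deployment tooling.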



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates



Keywords: kbqfe, kbhotfixserver, kbfix, kbhotfixrollup, kbpasswords, kbexpertiseadvanced, kb


Article Info
Article ID : 2618727
Revision : 3
Created on : 11/15/2018
Published on : 11/16/2018
Exists online : False
Views : 251