Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

An incorrect domain password policy may be used if Active Directory integrated authentication is configured in Forefront Unified Access Gateway 2010



Symptoms

You have Microsoft Forefront Unified Access Gateway (UAG) 2010 configured to enable users to change their passwords and to prompt those users to change their passwords before their passwords expire. If Active Directory integrated authentication is configured on the Forefront UAG authentication repository, an incorrect domain password policy may be used. This problem can result in the following:
  • Too frequent password change prompts
  • Password change prompts not being made when they are necessary



Cause

This problem occurs when Active Directory integrated authentication is configured on an authentication server or repository. In that configuration, Forefront UAG uses global catalog servers both to authenticate users and to look up user information such as password expiration.

Global catalog discovery is not tied to the domain of the Forefront UAG server. It is based on where global catalogs are placed in the site and forest, in the order that round-robin Domain Name System (DNS) resolution returns them. The global catalog that Forefront UAG selects can therefore belong to a different domain than the user.

When Forefront UAG asks a global catalog server for a user's password expiration, the global catalog server calculates it by using the domain password policy of its own domain, not the password policy of the user's domain. This is the default Windows behavior and is by design, but it can return an incorrect password expiration to Forefront UAG. Whether the result is wrong, and in which direction, depends on the password policies in the two domains and on which global catalog server answered the request for that user.
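The following PowerShell script is an added example for checking the behavior described above; it is not part of the KB article and not Forefront UAG code. It lists the global catalogs DNS advertises for the forest, then, for one user, computes the password expiration under the default password policy of the user's domain and under the policy of the domain that the selected global catalog belongs to, and compares both with the expiration a domain controller in the user's domain reports. It requires the ActiveDirectory module (RSAT) and domain membership; the forest, domain, host and account names in it are assumptions for illustration.

```powershell
# Added example, not part of the KB article or of Forefront UAG.
# Requires the ActiveDirectory module (RSAT). All names below are assumptions.
Import-Module ActiveDirectory

# Global catalogs advertised in DNS for the forest. Forefront UAG picks from
# records like these in round-robin order, not by its own domain.
function Get-AdvertisedGlobalCatalogs {
    param([Parameter(Mandatory)][string]$ForestDnsName)   # e.g. 'corp.example'
    Resolve-DnsName -Name "_gc._tcp.$ForestDnsName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port
}

# Password expiration the way a DC derives it from the user's pwdLastSet and
# the maxPwdAge of the domain whose default policy is applied.
function Get-ExpiryUnderPolicy {
    param(
        [Parameter(Mandatory)][Int64]$PwdLastSet,       # FILETIME value from the user object
        [Parameter(Mandatory)][string]$PolicyDomain     # domain whose default policy to apply
    )
    if ($PwdLastSet -eq 0) { return 'must change at next logon' }
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $PolicyDomain
    # MaxPasswordAge of zero means passwords under this policy never expire.
    if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) { return 'never (policy)' }
    return [DateTime]::FromFileTimeUtc($PwdLastSet).Add($policy.MaxPasswordAge)
}

# Compares the expiration a GC from another domain would calculate with the
# authoritative value from a DC in the user's own domain.
function Compare-PasswordExpiry {
    param(
        [Parameter(Mandatory)][string]$UserDomain,        # e.g. 'child.corp.example'
        [Parameter(Mandatory)][string]$SamAccountName,    # e.g. 'jdoe'
        [Parameter(Mandatory)][string]$GlobalCatalogHost  # GC UAG would use, e.g. 'gc1.corp.example'
    )
    # A writable DC in the user's domain applies that domain's policy.
    $dc = (Get-ADDomainController -Discover -DomainName $UserDomain -Writable).HostName[0]
    $user = Get-ADUser -Identity $SamAccountName -Server $dc `
        -Properties pwdLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # Domain the chosen global catalog belongs to (may differ from $UserDomain).
    $gcDomain = (Get-ADDomainController -Identity $GlobalCatalogHost).Domain

    # The constructed attribute is the DC's own answer: 0 = must change now,
    # Int64.MaxValue = never expires, otherwise a FILETIME.
    $computed = $user.'msDS-UserPasswordExpiryTimeComputed'
    $authoritative = if ($user.PasswordNeverExpires) { 'never (account flag)' }
                     elseif ($computed -eq 0) { 'must change at next logon' }
                     elseif ($computed -eq [Int64]::MaxValue) { 'never (policy)' }
                     else { [DateTime]::FromFileTimeUtc($computed) }

    $perUserDomain = Get-ExpiryUnderPolicy -PwdLastSet $user.pwdLastSet -PolicyDomain $UserDomain
    $perGcDomain   = Get-ExpiryUnderPolicy -PwdLastSet $user.pwdLastSet -PolicyDomain $gcDomain

    [pscustomobject]@{
        User                      = $user.DistinguishedName
        UserDomain                = $UserDomain
        GlobalCatalog             = $GlobalCatalogHost
        GlobalCatalogDomain       = $gcDomain
        ExpiryPerUserDomainPolicy = $perUserDomain
        ExpiryPerGcDomainPolicy   = $perGcDomain
        AuthoritativeExpiry       = $authoritative
        # True when the GC sits in another domain and that domain's policy
        # yields a different date: the condition the KB article describes.
        PolicyMismatch            = ($gcDomain -ne $UserDomain) -and ($perUserDomain -ne $perGcDomain)
    }
}

# Usage with the assumed names:
# Get-AdvertisedGlobalCatalogs -ForestDnsName 'corp.example'
# Compare-PasswordExpiry -UserDomain 'child.corp.example' -SamAccountName 'jdoe' -GlobalCatalogHost 'gc1.corp.example'
```

The comparison uses each domain's default domain password policy, which is what the article refers to; a user covered by a fine-grained password policy (PSO) in the user's domain would need Get-ADUserResultantPasswordPolicy against the user-domain DC instead. A PolicyMismatch of True for a user whose global catalog is in another domain is the case in which an unpatched Forefront UAG prompts too early or too late.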



Resolution

To resolve this problem, install Service Pack 4 for Microsoft Forefront Unified Access Gateway 2010.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More Information

After Service Pack 4 is installed, the global catalog server queries a domain controller in the user's own domain for that user's password expiration. As a result, the password policy of the user's domain, rather than the policy of the global catalog server's domain, is the one used for the password expiration calculation.



References

See the terminology Microsoft uses to describe software updates.



Keywords: kbnotautohotfix, kbqfe, kbfix, kbexpertiseinter, kbsurveynew, kbbug, kb


Article Info
Article ID : 2910517
Revision : 1
Created on : 1/7/2017
Published on : 11/27/2013
Exists online : False
Views : 233