Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1 or if you use Microsoft Threat Management Gateway 2010

The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1 or if you use Microsoft Threat Management Gateway 2010

View products that this article applies to.

Symptoms

After you apply Microsoft Internet Security and Acceleration (ISA) Server Service Pack 1 (SP1) or if you use Microsoft Forefront Threat Management Gateway (TMG) 2010, you may notice that the "change password" feature does not work as expected. 

For example, in Active Directory settings, you enable the "User must change password at next logon" setting for a certain user account. However, when the user tries to log on by using forms-based authentication (FBA) when the "change password" feature is enabled in ISA Server or TMG Server, the user is not automatically redirected to the form that is used to change the password.

↑ Back to the top

Cause

This problem occurs when FBA is used together with Lightweight Directory Access Protocol (LDAP). In ISA Server 2006 SP1, the default behavior was changed when you use FBA together with LDAP. This change was made to help guard against authentication attacks.

For more information, visit the "Changes in Service Pack 1" section of the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc514301.aspx

↑ Back to the top

Resolution

To resolve this problem, follow these steps:
  1. Install the hotfix package that is described in the following Microsoft Knowledge Base article:
    959357 Description of the ISA Server 2006 hotfix package: October 29, 2008

    Please note that the first step is not applicable for Microsoft Threat Management Gateway (TMG) Server. The hotfix is included in the product.
  2. Start Notepad.
  3. Paste the following script into the Notepad file.
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

    '    This code is Copyright (c) 2007 Microsoft Corporation.  
    '
    '    All rights reserved.
    '
    '    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
    '    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
    '    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
    '    PARTICULAR PURPOSE.
    '
    '    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
    '    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
    '    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
    '    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
    '    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
    '    OF THIS CODE OR INFORMATION.
    '
    ' -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

    If Not WScript.Arguments.Named.Exists("WebListener") Then
        WScript.Echo "WebListener not defined"
        WScript.Quit(1)
    End If

    Set fpcRoot = CreateObject("FPC.Root")
    Set fpcArray = fpcRoot.GetContainingArray()
    Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
    Set fpcWebListenerVps = fpcWebListener.VendorParametersSets

    On Error Resume Next
    Set fpcCookieAuthVps = fpcWebListenerVps.Item("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
    If Err.number = 0 Then
        CookieAuthVpsExists = True
    Else
        CookieAuthVpsExists = False
    End If
    Err.Clear
    On Error GoTo 0

    If Not CookieAuthVpsExists Then
        WScript.Echo "Cookie auth VPS settings not defined, hotfix 957859 disabled"
    Else
        On Error Resume Next
        WScript.Echo "EnableLDAPPasswordExpiration: " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)
    End If

    If WScript.Arguments.Named.Exists("Value") Then
        If Not CookieAuthVpsExists Then
            Set fpcCookieAuthVps = fpcWebListenerVps.Add("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
        End If
        fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
        fpcArray.Save
        WScript.Echo "EnableLDAPPasswordExpiration set to " & (fpcCookieAuthVps.Value("EnableLDAPPasswordExpiration") = True)
    End If
  4. Save this Notepad file by using the .vbs file name extension. For example, use the following name to save this file:
    EnableHotfix957859.vbs
  5. Open a command prompt, move to the location where you saved the EnableHotfix957859.vbs file, and then type the following command:
    Cscript EnableHotfix957859.vbs /webListener:<listener name> /Value:true
    Note In this command, replace <listener name> with the actual name of the Web listener.
Important: If you want to remove hotfix 959357, open a command prompt, browse to the location where you saved the EnableHotfix957859.vbs file, and then type the following command: 

Cscript EnableHotfix957859.vbs /webListener:<listener name> /Value:false

Note In this command, replace <listener name> with the actual name of the Web listener.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbexpertiseinter, kbfix, kbsurveynew, kbqfe, kb

↑ Back to the top

Article Info
Article ID : 957859
Revision : 2
Created on : 9/19/2018
Published on : 9/19/2018
Exists online : False
Views : 202