I use FBA of ISA 2006 with the password-change option. It ususally works quite fine, but it seems that there are problems with users with expired passwords. They always get the message that the new one doesn't match the complexity requirements. I've checked this, but the new passwords should meet our (changed) requirements.
it never worked (as far as I know) after the password had expired. Before it works great, but when it already expired I always get this odd message. It's a real problem as we get more and more calls from users...
This would work if OWA was the primary mode, but let's face it: with Outlook over the Internet, OWA is for airport kiosks. Outlook doesn't inform the user that their password is going to expire (Windows does) and Outlook, when using RPC over HTTP doesn't give them the ability to change their password (as they can when connected directly to the LAN and probably VPN).
So you will end up with users whose passwords have expired and then can't use OWA to change it, because FBA on ISA doesn't let them in the same way as FBA on the Exchange server.
There has to be a work around other than ISA 2006!