• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: Cannot change password through ISA 2006 FBA

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> RE: Cannot change password through ISA 2006 FBA Page: <<   < prev  1 [2] 3 4   next >   >>
Login
Message << Older Topic   Newer Topic >>
RE: Cannot change password through ISA 2006 FBA - 26.Jun.2007 11:05:57 AM   
espsgroup

 

Posts: 16
Joined: 11.May2007
Status: offline
I'm still stuck as well and any tips or pointers would be most appreciated. I really can't spend another $245 with MS support this month. I've already done that twice. :-)

Jeff

(in reply to ThijsD)
Post #: 21
RE: Cannot change password through ISA 2006 FBA - 27.Jun.2007 12:35:28 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Haven't check yet, but will soon.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ThijsD)
Post #: 22
RE: Cannot change password through ISA 2006 FBA - 3.Jul.2007 10:39:47 AM   
paulm187

 

Posts: 20
Joined: 21.Jun.2007
Status: offline
quote:

ORIGINAL: ThijsD

Hi Tom

Have you already had the time to check if LDAP over SSL is really necessary for the password management option to work, even if the ISA server is a domain member?

I have an ISA 2006 that is a domain member and I can't seem to get the password change to work succesfully... (I don't have LDAP over SSL configured)

Thank you
Best regards




Have you found an answer to this? Every where else it seems to suggest you need LDAPS for this to work even if your ISA server is a domain member. I find this hard to believe.

< Message edited by paulm187 -- 3.Jul.2007 10:40:48 AM >

(in reply to ThijsD)
Post #: 23
RE: Cannot change password through ISA 2006 FBA - 3.Jul.2007 12:31:27 PM   
nando

 

Posts: 1
Joined: 3.Jul.2007
Status: offline
I had exactly the same problem:

- I could change a new user's password through FBA if it had the "change password on next logon" feature enabled.
- When trying to change it again got the "password must meet complexity requirements"  error message, even with the gp "complexity requirements" feature disabled on active directory.

Found out that the default domain policy had the "minimum password age" set to one day. Because of this neither users or I could change their passwords more than once using FBA.

I am using ISA2006 domain member with FBA form using integrated authentication.

(in reply to tshinder)
Post #: 24
RE: Cannot change password through ISA 2006 FBA - 3.Jul.2007 12:38:43 PM   
espsgroup

 

Posts: 16
Joined: 11.May2007
Status: offline
I just went into OWA to change a password and got this:

Error number: -2147024891


Eesh.

(in reply to nando)
Post #: 25
RE: Cannot change password through ISA 2006 FBA - 4.Jul.2007 11:54:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: nando

I had exactly the same problem:

- I could change a new user's password through FBA if it had the "change password on next logon" feature enabled.
- When trying to change it again got the "password must meet complexity requirements"  error message, even with the gp "complexity requirements" feature disabled on active directory.

Found out that the default domain policy had the "minimum password age" set to one day. Because of this neither users or I could change their passwords more than once using FBA.

I am using ISA2006 domain member with FBA form using integrated authentication.


Good find!
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to nando)
Post #: 26
RE: Cannot change password through ISA 2006 FBA - 16.Jul.2007 10:33:53 AM   
ThijsD

 

Posts: 21
Joined: 31.Aug.2005
Status: offline
Hi all

Has it been confirmed yet that you need LDAPS for the password change to work?
Tom, any updates you would like to share with us?:)

Thanks,
Thijs

(in reply to tshinder)
Post #: 27
RE: Cannot change password through ISA 2006 FBA - 16.Jul.2007 10:40:44 AM   
espsgroup

 

Posts: 16
Joined: 11.May2007
Status: offline
Yeah, my problem is definitely not a minimum change time thing.

Jeff

(in reply to ThijsD)
Post #: 28
RE: Cannot change password through ISA 2006 FBA - 19.Jul.2007 11:45:21 AM   
glhs

 

Posts: 17
Joined: 17.Jan.2006
Status: offline
quote:

ORIGINAL: paulm187
Have you found an answer to this? Every where else it seems to suggest you need LDAPS for this to work even if your ISA server is a domain member. I find this hard to believe.


Correct me if I'm wrong but why would you use the LDAP/S authentication method to AD if the ISA is in the domain?  Wouldn't you just use the Windows Authentication method.  I thought the LDAP/S methods were for if the authentication source was non-AD or the ISA server was not in the domain.

To respond also to a previous post in this thread, yes, after switching from ldap to ldaps I have experienced significantly longer authentication times (90 secs!),  actually to the point where we switched to radius and abandoned the password change feature for the time being.   I've had a case open with Microsoft for over a month and they haven't been able to figure out why the LDAPS takes so long so even if you spend the $$ to call MS you may not come up with any answer.

(in reply to paulm187)
Post #: 29
RE: Cannot change password through ISA 2006 FBA - 2.Aug.2007 1:47:19 AM   
grudlmax

 

Posts: 1
Joined: 2.Aug.2007
Status: offline
Message deleted!!

< Message edited by grudlmax -- 2.Aug.2007 7:23:40 AM >

(in reply to espsgroup)
Post #: 30
RE: Cannot change password through ISA 2006 FBA - 30.Nov.2007 2:09:55 PM   
terminic

 

Posts: 6
Joined: 20.Aug.2007
Status: offline
We are having this problem as well.  I would be really interested to find out if someone has this working without having to use LDAPS.  It looks like this thread is dead though.

(in reply to grudlmax)
Post #: 31
RE: Cannot change password through ISA 2006 FBA - 2.Dec.2007 1:56:58 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
From what I'm told by MS, you don't have to enable LDAP authentication, but you still need to support LDAPS. Which means that  that the server certificate needs to be on the DC and the ISA Firewall needs to trust that certificate by having the appropriate CA certificate installed in its Trusted Root Certification Authorities certificate store.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to terminic)
Post #: 32
RE: Cannot change password through ISA 2006 FBA - 2.Dec.2007 2:41:32 PM   
terminic

 

Posts: 6
Joined: 20.Aug.2007
Status: offline
Glad to hear that.  Will give it a try.  Thanks Tom.

Chris Termini

(in reply to tshinder)
Post #: 33
RE: Cannot change password through ISA 2006 FBA - 28.Jan.2008 10:30:44 AM   
jayel

 

Posts: 7
Joined: 28.Jan.2008
Status: offline
Thomas,

We're having also problems with the change password feature in ISA FBA

ISA server 2006 is in workgroup, LDAPS authentication is working with
username
password

but the only way that password change will not give error 500 is when you type domain\username
password

Logon works fine without domainname, also in de LDAP set the domain\* and *@domain are configured.

any ideas?

thanks

Jayel

(in reply to tshinder)
Post #: 34
RE: Cannot change password through ISA 2006 FBA - 28.Jan.2008 10:50:53 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hmmm. Interesting. I've only tried changing names when it was set for domain\username. Will have to check about the other options.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jayel)
Post #: 35
RE: Cannot change password through ISA 2006 FBA - 29.Jan.2008 3:58:40 AM   
jayel

 

Posts: 7
Joined: 28.Jan.2008
Status: offline
Okay.. Thanks
I'll await your answer :)

same situation when using active directory for authentication instead of ldaps..

regards,
Jayel

(in reply to tshinder)
Post #: 36
RE: Cannot change password through ISA 2006 FBA - 24.Jun.2008 11:19:28 AM   
bjblackmore

 

Posts: 103
Joined: 9.Aug.2005
Status: offline
Is there any update to this thread? I'm receiving the 'The password supplied does not meet the minimum complexity requirements'. I am using ISA 2006, with a single Exchange 2003 standard server. OWA has been setup and works for 2 years, we recently setup Outlook Anywhere (RPC over HTTPS), ISA server is a domain member. People have complained about password change problems through OWA a few times in the past, but we've always put it down to user error and did a manual reset. However today during some testing we've found this is actually a real problem.
 
When users passwords expire and they try to change them, no matter what new password is entered they receive the 'The password supplied does not meet the minimum complexity requirements' error. If I set the users account to require a password change at next logon, they can change the password through OWA with out receiving this issue, this only affects expired passwords.
 
I have performed most of the steps listed in this post, and others.
  • I have set the default domain policies 'minimum password age' to '0', and run a gpupdate, as listed in kb827614.
  • I have changed the 'PasswordChangeFlags' in IIS6 from 6 to 0.
  • And I have created an Iisadmpwd virtual directory in the OWA web site, as suggested in http://smtp25.blogspot.com/2008/02/owa-change-password-future-in-exchange_5060.html and added this path to the ISA OWA rule.
  • I have set the listener to authenticate using both LDAPS & Windows Active Directory, neither worked.

Is there anything else I should try?
 
Many thanks
 
Ben

(in reply to jayel)
Post #: 37
RE: Cannot change password through ISA 2006 FBA - 24.Jun.2008 5:35:31 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: nkuchman

ISA 2006 Standard / Domain member / LDAPS enabled to allow password.  Before enabling LDAP authentication forms logon was fast(half second) after enabling LDAPS authentication same form logon take 15 seconds. Does this sound like a configuration problem or is this normal?


Managed to fix this issue after seeing it several times with customers, have a look here

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to nkuchman)
Post #: 38
RE: Cannot change password through ISA 2006 FBA - 2.Jul.2008 2:47:14 PM   
hirschb

 

Posts: 1
Joined: 2.Jul.2008
Status: offline
I too was having this same issue with the change password feature. My ISA server is a domain member. I found out that my DCs were getting errors autoenrolling for a certificate to my internal Windows 2003 CA. Thus LDAPS was not working. I found the article below, that helped fix the certificate auto-enroll issue. Once my DCs recieved the certificate the change password feature began to work. I just wanted to throw this out there for any one else that may still be suffering from this issue, and followed everyones excellent advise.

MS Article:
http://support.microsoft.com/kb/903220/en-us


(in reply to tshinder)
Post #: 39
RE: Cannot change password through ISA 2006 FBA - 3.Jul.2008 8:01:22 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Hirsh,

Thanks! Great info.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hirschb)
Post #: 40

Page:   <<   < prev  1 [2] 3 4   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> RE: Cannot change password through ISA 2006 FBA Page: <<   < prev  1 [2] 3 4   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts