Welcome to ISAserver.org
RE: Cannot change password through ISA 2006 FBA
RE: Cannot change password through ISA 2006 FBA - 25.Jul.2008 7:25:40 PM   
RodPayne

 

Posts: 4
Joined: 25.Jul.2008
Status: offline
With the help of all of the experience posted here thus far, I have reached the point where almost everything is working.  The last problem I have is that if "user must change password at next logon" is set, they are not prompted to reset the password when logging in using FBA.  Instead, they are returned to the logon page and have the message, "You could not be logged on to ISA Server. Make sure that your domain name, user name, and password are correct, and then try again."  Not much of a clue for the user.  I assume that the same thing will happen with a naturally expiring password (but it is harder to create a test case).

If they first select "I want to change my password after logging on", then they get the password change screen and they can change their expired password and log on. 

Since password changes work, even on expired accounts, it looks like everything is set up correctly for LDAPS, certificates, web listener, etc.

When someone attempts to log on using an expired password, is it supposed to go to the change password page and have them change it, or are they supposed to know (somehow) that it is expired and that they need to check the "I want to change my password after logging on"?

The former seems to be much more reasonable and usable, but I have only found two examples that suggest that it works that way:  http://support.microsoft.com/kb/945814/en-us in the middle says,  "-You enable the User must change password at next logon property in Active Directory.  -You specify an incorrect password on the initial logon page.  -Note: You are still directed to the Change Password page."  The "still" seems to say that a correct password in this condition would have been directed to the Change Password page.

The second is Figure 21 of  http://www.isaserver.org/tutorials/LDAP-Pre-authentication-ISA-2006-Firewalls-Part4.html.  It includes the text "Your password has expired and must be changed"  and it doesn't sound like "I want to change my password after logging on" was checked.  (In my case, when you get to this page, the text is blank between the two lines.)

I spent some time on the phone with Microsoft today, and they decided that we should close the case because ISA is working as designed and it is impossible for LDAP to determine the account status.  Telling the user that the password has expired would allow account harvesting attacks.

The expired password change stuff is one of the motivating factors in trying to move from ISA 2004 to ISA 2006.  Any ideas?

ISA Server 2006 Enterprise SP-1.
Windows Server 2003 SP-2.
ISA Server is a member of a "DMZ" domain that has a one-way trust of the User/Exchange Server domain.

(in reply to tshinder)
Post #: 41
RE: Cannot change password through ISA 2006 FBA - 28.Jul.2008 10:46:35 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Maybe the problem is related to the "trusting domain" configuration? In my article, the firewall was a member of the user domain.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RodPayne)
Post #: 42
RE: Cannot change password through ISA 2006 FBA - 28.Jul.2008 5:04:01 PM   
RodPayne

 

Posts: 4
Joined: 25.Jul.2008
Status: offline
I found a way around the problem...  I uninstalled ISA 2006 SP-1.  It is working perfectly without the service pack.

Hopefully Microsoft will now accept it as a problem (with the SP rather than how I installed it or wanted it to work).

(in reply to tshinder)
Post #: 43
RE: Cannot change password through ISA 2006 FBA - 29.Jul.2008 9:58:33 AM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
ISA 2006 SP1 did change this behavior for FBA using LDAP as the credentials authority.
As CSS said, this is to help guard against auth attacks.  If the attacker receives a "you must change your password" response, 1/2 the battle is won because he knows that the account is valid.
When ISA is allowed to participate as a domain member, it can use Windows calls to verify the account password status.
It's not possible for ISA to validate the account password status when using LDAP as a credentials authority and so only a valid logon is allowed to change a password.

...so yes; the answer is "by design" and folks have to "adjust" their articles and how-to's to reflect this change for SP1.

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
My ISAServer.org Stuff
My Site

(in reply to RodPayne)
Post #: 44
RE: Cannot change password through ISA 2006 FBA - 29.Jul.2008 1:14:49 PM   
RodPayne

 

Posts: 4
Joined: 25.Jul.2008
Status: offline
I must be misunderstanding something, or you are not understanding me.  Is the following what you are saying?
1) ISA 2006 added a much needed optional feature to allow FBA to be set up to (a) remind the user when their password is about to expire, (b) prompt them when it has expired, and (c) let them change their password, either before or after it has expired.
2) It was discovered that ISA did not authenticate the password that the user supplied on the Login page before presenting the Change Password page, thus allowing an attacker to be able to discover a valid account without having the correct password, if it is expiring or expired.  (This is a bad thing.)
3) The coders could not find a way to authenticate the password before determining whether the password is about to expire or has expired.
4) The functionality of features in 1(a) and 1(b) was removed in SP-1 to prevent the bad thing from being possible.

Also, if this is the case, why wasn't the "Remind users that their password will expire" option removed from the web listener forms tab?  In what way are they reminded if the Change Password page isn't presented?

(in reply to Jim Harrison)
Post #: 45
RE: Cannot change password through ISA 2006 FBA - 30.Jul.2008 9:39:04 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rod,

The remind users feature still works if you domain join the firewall (and you bad boy, you should have done that for security reasons in the first place).

Joining the firewall to the domain will give you the functionality you desire, from what I understand.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RodPayne)
Post #: 46
RE: Cannot change password through ISA 2006 FBA - 30.Jul.2008 11:04:35 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
No, you don't need to configure LDAP servers if ISA Server is a domain member to get the password change feature. However, even Active Directory will use LDAPS to talk to the Domain Controllers.

You will need SSL certificates on your domain controllers for the solution to work correctly though...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ThijsD)
Post #: 47
RE: Cannot change password through ISA 2006 FBA - 1.Aug.2008 8:46:27 AM   
davei0594

 

Posts: 21
Joined: 9.Feb.2008
Status: offline
Chaps.

My two pennies worth...

ISA 2006 STD (NOT SP1 yet)
Server 2003 SP1 STD
ISA is member of the AD domain.
OWA using FBA.

I followed Tom's article on getting this to work.  I found that I DID have to use LDAPS.  The password change plain did not work using Windows auth on the listener.  Perhaps that's changed with SP1, I can't comment yet as I have not upgraded.

Auto-enrolled the DCs and ISA with Computer certificates from our Enterprise CA.  Verified by checking Personal store under Computer account in Certificates snap-in on ISA and the DC.

Changed the FBA auth from Windows to LDAP.

Created LDAP server set which points to a single DC in the subnet connected directly to ISA's internal interface.

Entered the AD domain name.

Ticked the box for 'connect LDAP servers over secure connection'.

Plumbed in a domain user account for the user credentials.

Ticked the boxes to enable password management and reminder on the web listener.

It worked a treat, first time.

Only 'issues' I've had have been 'caused' by our domain password policy eg. minimum age and complexity as someone has already mentioned.  Basically all working as it should do, straight away.

Not tried SP1 yet so can't comment.

We set a pretty tight password policy so had to make sure remote users could change their password using OWA otherwise they would have to go to one of our sites every x weeks to change their password!!  ie. not going to work.

Once I grasped the concept that it had to use LDAPS, it was one of the few tasks I have done on my ISA that 'just worked' first time without tweaking and troubleshooting....

Good luck guys.

(in reply to Jason Jones)
Post #: 48
RE: Cannot change password through ISA 2006 FBA - 1.Aug.2008 9:16:49 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: davei0594

Chaps.

My two pennies worth...

ISA 2006 STD (NOT SP1 yet)
Server 2003 SP1 STD
ISA is member of the AD domain.
OWA using FBA.

I followed Tom's article on getting this to work.  I found that I DID have to use LDAPS.  The password change plain did not work using Windows auth on the listener.  Perhaps that's changed with SP1, I can't comment yet as I have not upgraded.

Auto-enrolled the DCs and ISA with Computer certificates from our Enterprise CA.  Verified by checking Personal store under Computer account in Certificates snap-in on ISA and the DC.

Changed the FBA auth from Windows to LDAP.

Created LDAP server set which points to a single DC in the subnet connected directly to ISA's internal interface.

Entered the AD domain name.

Ticked the box for 'connect LDAP servers over secure connection'.

Plumbed in a domain user account for the user credentials.

Ticked the boxes to enable password management and reminder on the web listener.

It worked a treat, first time.

Only 'issues' I've had have been 'caused' by our domain password policy eg. minimum age and complexity as someone has already mentioned.  Basically all working as it should do, straight away.

Not tried SP1 yet so can't comment.

We set a pretty tight password policy so had to make sure remote users could change their password using OWA otherwise they would have to go to one of our sites every x weeks to change their password!!  ie. not going to work.

Once I grasped the concept that it had to use LDAPS, it was one of the few tasks I have done on my ISA that 'just worked' first time without tweaking and troubleshooting....

Good luck guys.


Weird, only ever defined LDAP auth for non-domain joined ISAs. All other servers have been domain joined (pre-SP1) and it works just fine out of the box. My own production network is a good example...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to davei0594)
Post #: 49
RE: Cannot change password through ISA 2006 FBA - 4.Aug.2008 6:54:57 AM   
barryfl

 

Posts: 3
Joined: 4.Aug.2008
Status: offline
Had exactly the same problem with SP1. Spoke to Microsoft Tech who said that this was now a feature and after a chat with the product group there was nothing they could do for me. They closed the case so therefore I will never upgrade to SP1 unless they fix this.

I am rather disappointed with the outcome to say the least.

My story is here: http://bazmabuey.spaces.live.com/

Cheers

Barry

< Message edited by barryfl -- 4.Aug.2008 7:02:11 AM >

(in reply to Jason Jones)
Post #: 50
RE: Cannot change password through ISA 2006 FBA - 7.Aug.2008 3:08:19 PM   
RodPayne

 

Posts: 4
Joined: 25.Jul.2008
Status: offline
I am also disappointed and can't believe that they would take this away.  I am going to shelf this until the ISA community has more experience with ISA 2006 SP-1 and, as Jim Harrison said, folks have adjusted their articles and how-to's to reflect the change.

The closing email on my Microsoft case said, "Unfortunately, the issue of not being redirected automatically to the change password screen is by design to prevent the account harvesting."  Maybe someone else can convince them that it is not a big security risk to notify the user about an expired or expiring password as long as the correct password is given first.  (At least it is not any bigger than directing the user to the application when a correct password is given.)  Someone may have been embarrassed by having notifications work with an incorrect password and over-reacted.

(in reply to barryfl)
Post #: 51
RE: Cannot change password through ISA 2006 FBA - 8.Aug.2008 10:16:23 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rod,

That's an excellent point. If the user provides valid (but expired) credentials, and then is redirected, the risk for account harvesting is extremely low.

Maybe they will reconsider and add this functionality with a hotfix.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RodPayne)
Post #: 52
RE: Cannot change password through ISA 2006 FBA - 5.Sep.2008 3:01:48 PM   
jmakarius

 

Posts: 1
Joined: 5.Sep.2008
Status: offline
I have discovered that this perhaps should not be considered a security threat. If you have the change password option marked and then you enter ANY username/password combination (valid or invalid), it will always take you to the change password screen.

Maybe I have a setting wrong someplace but I would like others to test to verify.

I have entered gibberish for the username/password and I am re-directed to the password change screen. These users do not exist in my AD environment. The validation of the username looks to occur at the change password screen only. If I then try those invalid usernames the only thing displayed is that the credentials entered are not valid.

It looks like you will be redirected to the change password screen regardless of whether you enter a valid or invalid username/password. If this is the case, then any malicious attack will not be able to discover valid usernames. What are your thoughts?

Also - Any word on a hotfix for SP1 so this functionality can return?

(in reply to tshinder)
Post #: 53
RE: Cannot change password through ISA 2006 FBA - 19.Nov.2008 5:51:19 AM   
barryfl

 

Posts: 3
Joined: 4.Aug.2008
Status: offline
I've just had an email from Microsoft informing me of a fix for this issue. Apparently after I logged it with them a lot of people logged the same thing which has prompted them to fix it.
I am just waiting to download the hotfix and apply it to our replication setup to see if it works.

Will keep you all posted.

Barry


(in reply to jmakarius)
Post #: 54
RE: Cannot change password through ISA 2006 FBA - 20.Nov.2008 9:57:44 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Barry,

Thanks! That would be great. This issue seemed like something that wasn't quite right with the firewall.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to barryfl)
Post #: 55
RE: Cannot change password through ISA 2006 FBA - 19.Dec.2008 7:24:49 AM   
barryfl

 

Posts: 3
Joined: 4.Aug.2008
Status: offline
Hi,

I just thought I would follow this posting up as Microsoft don't seem to have posted the KB to the public world.

I got sent two emails from Microsoft, one was:

KB 959357

Then I was sent a script that enabled the fix : 957859

You will have to contact Microsoft support for further info on this patch but I thought it might help anyone trying to get to speak to someone if they had the patch numbers that helped me resolve my issue.

Cheers,

Barry

(in reply to tshinder)
Post #: 56
RE: Cannot change password through ISA 2006 FBA - 24.Dec.2008 9:43:36 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Barry,

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to barryfl)
Post #: 57
RE: Cannot change password through ISA 2006 FBA - 16.Feb.2009 11:56:51 AM   
mattgroves

 

Posts: 4
Joined: 16.Feb.2009
Status: offline
Barry - the articles you reference can't be found on the MSFT site - could you post whatever MSFT sent you here?

<rant begins>

To say that I am livid at the moment is an understatement.
We are trying to configure ISA to honour the "force password change at next logon" (something it ought to do, and indeed used to do, OOTB). We have spent hours looking at every configuration item. Time wasted. I have had one of my guys on site all day wasting his time, and project time, because of this.

We have an ISA 2006 (std edition) server, this is publishing a SharePoint based web application that uses AD for authentication/authorisation. We have ISA FBA working against the DMZ AD using LDAPS, users can login and use the app (ISA delegating NTLM) without issue. We come to load some user accounts into AD for UAT, and enable the "change password at next login" flag within AD, only to find this prevents users from authenticating. Great, we have delivered a secure app as no-one can get to it. Not even me.
The SOLE reason for using ISA in this scenario was to provide the password management functionality, for now all I need it for is to allow users (and force users) to change passwords - else we aren't offering anything over the existing solution that requires non-expiring passwords in AD.

We have now removed SP1 and the config is working as it ought to - note: we haven't changed a single thing (not even opened the MMC), simply removed SP1.

This argument that showing an attacker that an account password has expired, and this is 50% of the battle, is (IMO) 100% flawed. You need to be authenticated before you can see this page. Therefore an attacker has won 100% of the battle as they have both U and P.

If it was the case that pre-SP1 an attacker would see the change password page without needing the password then this is a massive oversight and the ISA PG should be spanked for allowing a security product to ship with such a huge hole.

I regularly praise ISA and design it into solutions we do for clients and so am very disappointed with my findings today. I also speak at the SharePoint User Group (UK) sessions and did one last year where I extolled the benefits of ISA: http://www.sharepointblogs.com/media/p/12696.aspx

I am soooooooooooooooo annoyed.

I will be raising this with MSFT. Will post back here if I get anywhere.

</rant over>
(for now)

(in reply to barryfl)
Post #: 58
RE: Cannot change password through ISA 2006 FBA - 16.Feb.2009 12:46:39 PM   
mattgroves

 

Posts: 4
Joined: 16.Feb.2009
Status: offline
We have now proven that this is indeed the case! With the "password change at logon" flag set you can enter any password you like and will get the password change page, as long as the username is valid you're fine.
Shocking.

This text is interesting:
quote:

Note that if you are using forms-based authentication with LDAP authentication, ISA Server is not able to perform this action and cannot provide automatic redirection to the change password form. This is because the LDAP provider can't validate passwords.


Quoted from: http://technet.microsoft.com/en-us/library/cc514301.aspx

So, the question is then: what does the user account you give the "LDAP Server Set" [bottom of the form, where it states "user credentials used to access AD to verify user account status and change account passwords (optional)"] actually do??
If this isn't to allow status checks on user accounts/passwords then what does it do?? I see security events on the DC for it, so it's doing something (??).

MSFT are issuing me a non-public hotfix before 10AM tomorrow, we'll see how we do...

(in reply to mattgroves)
Post #: 59
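The two redirect orderings argued over in this thread, as an added example that is not from the thread or from ISA Server: the directory records, policy functions and response strings are constructed stand-ins, not ISA's code. The check at the end is the one a defender would run to decide whether a logon form leaks account validity.

```python
"""Model of the change-password redirect discussed in the thread.

status_first  : the pre-hotfix behaviour mattgroves observed, where the
                "must change password" flag is acted on before the password
                has been verified.
validate_first: the ordering RodPayne argued for, where account status is
                revealed only after the supplied password has been verified.
All data below is constructed for illustration.
"""
import hmac

# Constructed sample directory: username -> (password, must_change_at_next_logon)
DIRECTORY = {
    "alice": ("Winter2008!", True),    # flagged "User must change password at next logon"
    "bob":   ("Summer2008!", False),
}

# Response strings stand in for ISA's logon-form outcomes.
GENERIC_FAILURE = "You could not be logged on to ISA Server."
CHANGE_PASSWORD = "redirect: change-password form"
LOGGED_ON = "redirect: published application"


def _password_matches(supplied: str, stored: str) -> bool:
    # Constant-time comparison so the check itself adds no timing side channel.
    return hmac.compare_digest(supplied.encode(), stored.encode())


def status_first(username: str, password: str) -> str:
    """Consult the account flag before verifying the password.

    A flagged account reaches the change-password form with ANY password,
    so the response differs between an unknown username and a real one.
    """
    record = DIRECTORY.get(username)
    if record is None:
        return GENERIC_FAILURE
    stored_password, must_change = record
    if must_change:
        return CHANGE_PASSWORD          # reached without a valid password
    return LOGGED_ON if _password_matches(password, stored_password) else GENERIC_FAILURE


def validate_first(username: str, password: str) -> str:
    """Verify the credential first; only then act on account status.

    Every failure path, unknown user or wrong password, returns the same
    message, so the response carries no information about the account.
    """
    record = DIRECTORY.get(username)
    if record is None or not _password_matches(password, record[0]):
        return GENERIC_FAILURE
    return CHANGE_PASSWORD if record[1] else LOGGED_ON


def leaks_account_validity(policy) -> bool:
    """Defender's check: with a wrong password, an unknown username and a
    known flagged username must produce identical responses. Any difference
    is the oracle that makes account harvesting possible."""
    unknown_user = policy("nosuchuser", "wrong-password")
    flagged_user = policy("alice", "wrong-password")
    return unknown_user != flagged_user
```

Run `leaks_account_validity(status_first)` and `leaks_account_validity(validate_first)` to see that only the status-first ordering distinguishes the two cases; the validate-first ordering still redirects alice to the change-password form once her real password is supplied.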
RE: Cannot change password through ISA 2006 FBA - 17.Feb.2009 6:23:53 AM   
mattgroves

 

Posts: 4
Joined: 16.Feb.2009
Status: offline
A MSFT Escalation engineer responded this morning and issued hotfix 959357 (suitably caveated as below).

quote:


WARNING: This fix is not publicly available through the Microsoft website as it has not gone through full Microsoft regression testing.  If you would like confirmation that this fix is designed to address your specific problem, or if you would like to confirm whether there are any special compatibility or installation issues associated with this fix, you are encouraged to speak to a Support Professional in Product Support Services.


This installed without issue, after applying the fix (and rebooting) you need to run a script (this was also supplied by MSFT). Some text from the supporting documentation is supplied below:

SYMPTOMS
After you applied Microsoft Internet Security and Acceleration (ISA) Server Service Pack 1 (SP1), you may notice that the "change password" feature does not work as expected.

For example, in Active Directory settings, you enable the "User must change password at next logon" setting for a certain user account. However, when the user tries to log on by using forms-based authentication (FBA) with the "change password" feature enabled in ISA Server, the user is not automatically redirected to the form that is used to change password.

CAUSE
This problem occurs when FBA is used together with Lightweight Directory Access Protocol (LDAP). Starting from ISA Server 2006 SP1, the default behavior was changed when you use FBA together with LDAP. This change was made to help guard against authentication attacks.

For more information, visit the "Changes in Service Pack 1" section of the following Microsoft TechNet Web site:
Configuring and Troubleshooting the Password Change Feature in ISA Server 2006

RESOLUTION
To resolve this problem, follow these steps:
1.  Install the hotfix package that is described in the following Microsoft Knowledge Base article:
959357 Description of the ISA Server 2006 hotfix package: October 29, 2008
2.  Start Notepad and paste in the supplied VBS, save as EnableHotfix957859.vbs.
3. Run: Cscript EnableHotfix957859.vbs /webListener:ListnerName/Value:true
 
Interestingly the URL supplied for the hotfix doesn't work, maybe this is indeed intended for public release, but isn't there yet (??).

If anyone reading this thread experiences the same issue I suggest you contact MSFT through whatever support/PSS/TAM/PAM channels you have available and request the fix above (959357).

I still don't see why it can't work as I expect it to, and I still don't see what the account I made reference to in my earlier post is actually doing if it isn't used to validate accounts (as the text implies!).
quote:


So, the question is then: what does the user account you give the "LDAP Server Set" [bottom of the form, where it states "user credentials used to access AD to verify user account status and change account passwords (optional)"] actually do??
If this isn't to allow status checks on user accounts/passwords then what does it do?? I see security events on the DC for it, so it's doing something (??).


Anyway, my environment is working as I need it to (albeit with a potential vulnerability/exploit), so I'm happier than I was yesterday.

(in reply to mattgroves)
Post #: 60