Welcome to ISAserver.org
RE: Cannot change password through ISA 2006 FBA
RE: Cannot change password through ISA 2006 FBA - 18.Feb.2009 9:11:26 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Barry,

I think we all understand your frustration! The change came as a surprise to me when we first discovered it a while ago.

Thank you very much for taking your valuable time to share what you went through, all the way up to your conclusion and final fix. This is great information and everyone here at ISAserver.org appreciates your efforts!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mattgroves)
Post #: 61
RE: Cannot change password through ISA 2006 FBA - 18.Feb.2009 9:36:59 AM   
mattgroves

 

Posts: 4
Joined: 16.Feb.2009
Status: offline
Tom,

It's always useful to feed back when something is fixed; I'm sure I'm not alone in finding lots of forum/usenet threads that end abruptly where you were expecting to find a solution at the end!

Do you happen to know what the account specified in "LDAP Server Set" [bottom of the form, where it states "user credentials used to access AD to verify user account status and change account passwords (optional)"] actually does?

If it doesn't validate account status I can't see any purpose for it...

(in reply to tshinder)
Post #: 62
RE: Cannot change password through ISA 2006 FBA - 20.Feb.2009 9:57:06 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
From what I understand, that provides capabilities that are unavailable to anonymous requests. I know that's a pretty weak explanation, but that's about all I know.

You're right about threads that drop off without conclusion. That's why I'm so appreciative to folks like you who come up to the plate to complete the story.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mattgroves)
Post #: 63
RE: Cannot change password through ISA 2006 FBA - 24.Feb.2009 12:32:43 PM   
sjgardner

 

Posts: 1
Joined: 24.Feb.2009
Status: offline
Many thanks for posting, this was very useful in identifying the issue.

Microsoft now have a KB article up describing the issue and providing the code for the vbs which re-enables it:

http://support.microsoft.com/?kbid=957859

...however the link to the 959357 article/patch goes nowhere. Maybe it'll go public at some point but you'll have to ring MS for the patch in the meantime.

(in reply to tshinder)
Post #: 64
RE: Cannot change password through ISA 2006 FBA - 27.Feb.2009 12:21:03 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Great! Thanks for the link.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sjgardner)
Post #: 65
RE: Cannot change password through ISA 2006 FBA - 1.Apr.2009 6:02:31 PM   
Rhys.Goodwin

 

Posts: 14
Joined: 15.Jan.2008
Status: offline
Hi Guys,
I've come across this issue while developing a perimeter network for OWA/SharePoint etc. (You might have already seen some of my posts scrounging for info.)

I have a trust situation where the perimeter trusts the internal domain. Using Windows AD auth for FBA, changing expired passwords works fine for the domain that the ISA server is a member of (perimeter), but it won't work for the trusted domain!

OK, so I'll use LDAP auth and just set up 2 server sets. Then I come across this problem. My question is: after I apply the hotfix, does it fix the problem or just return the feature to pre-SP1, i.e. will the hotfix re-introduce the vulnerability?

I guess I'll find out, as soon as I can get my hands on the hotfix; it's still not public.

I'll report back what I find out.....Love play'n in the lab

< Message edited by Rhys.Goodwin -- 1.Apr.2009 6:31:01 PM >


_____________________________

Visit My Blog!

(in reply to tshinder)
Post #: 66
RE: Cannot change password through ISA 2006 FBA - 1.Apr.2009 8:44:13 PM   
Rhys.Goodwin

 

Posts: 14
Joined: 15.Jan.2008
Status: offline
Patch applied. It looks like it just reverts the functionality. It allows password change but still has the "valid account discovery" flaw.

It's obvious that ISA can tell the difference between password expired and incorrect password. So why doesn't ISA authenticate the user before displaying that change password screen??? One would think that might have been what the patch was for!!?? Grrrrrr. Anyhow, I will have to live with the flaw and I doubt I'll lose any sleep over it.

Unless I can get password changing working in AD auth across a one-way trust, which btw the patch has had no effect on.....

Behavior Summary

Correct domain\username + correct password + "User must change password" ticked = change password screen displayed (password change successful).

Correct domain\username + incorrect password + "User must change password" ticked = change password screen displayed.

Correct domain\username + incorrect password + "User's password will expire within warning time specified in listener" = change password screen displayed + number of days till expiry (let's give away some more info!).

Correct domain\username + incorrect password = logon fails.

Random username/password = logon fails.

< Message edited by Rhys.Goodwin -- 1.Apr.2009 8:57:49 PM >


_____________________________

Visit My Blog!

(in reply to Rhys.Goodwin)
Post #: 67
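The behaviour summary above describes an ordering problem: account state (must-change flag, expiry warning) is acted on before the supplied password is verified, so a wrong password against a flagged account gets a different response from a wrong password against an unknown account. The following Python is an added illustration, not code from this thread or from ISA 2006 itself: it models both decision orders against a constructed sample directory and includes the regression check a defender would keep, which asserts that wrong-password responses are indistinguishable from the unknown-account response. Account names, passwords, the 14-day warning value and all function names are assumptions for the model.

```python
"""Model of the FBA change-password decision order discussed in the thread.
Every account, password and name below is constructed for illustration."""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Listener setting modelled from the thread: warn when the password expires within N days.
WARNING_DAYS = 14  # assumed value


@dataclass
class Account:
    password: str
    must_change: bool = False              # "User must change password at next logon"
    days_to_expiry: Optional[int] = None   # None = password never expires


# Constructed sample directory (not real accounts).
DIRECTORY = {
    "corp\\alice": Account("Correct-Horse-1", must_change=True),
    "corp\\bob": Account("Battery-Staple-2", days_to_expiry=5),
    "corp\\carol": Account("Unrelated-Pass-3"),
}


def _password_ok(acct: Account, password: str) -> bool:
    # Constant-time comparison; stands in for the directory bind.
    return hmac.compare_digest(acct.password, password)


def pre_patch_fba(username: str, password: str) -> str:
    """Order reproduced from the behaviour summary: account state is looked up
    and surfaced before the password is verified, so the response reveals
    whether the username exists and what state it is in."""
    acct = DIRECTORY.get(username)
    if acct is None:
        return "logon failed"
    if acct.must_change:
        return "change password screen"
    if acct.days_to_expiry is not None and acct.days_to_expiry <= WARNING_DAYS:
        return f"change password screen (expires in {acct.days_to_expiry} days)"
    if _password_ok(acct, password):
        return "logon ok"
    return "logon failed"


def authenticate_first_fba(username: str, password: str) -> str:
    """Corrected order: the credential is verified first, and account state is
    only shown to a caller who has already proven the password. Unknown user
    and wrong password produce the identical response."""
    acct = DIRECTORY.get(username)
    if acct is None or not _password_ok(acct, password):
        return "logon failed"
    if acct.must_change:
        return "change password screen"
    if acct.days_to_expiry is not None and acct.days_to_expiry <= WARNING_DAYS:
        return f"change password screen (expires in {acct.days_to_expiry} days)"
    return "logon ok"


def leaks_account_state(fba: Callable[[str, str], str]) -> bool:
    """Defender's regression check: with a wrong password, every known account
    must answer exactly like a non-existent one. Returns True if any differs."""
    baseline = fba("corp\\nobody", "wrong-password")
    return any(fba(user, "wrong-password") != baseline for user in DIRECTORY)


if __name__ == "__main__":
    for label, flow in (("pre-patch order", pre_patch_fba),
                        ("authenticate-first order", authenticate_first_fba)):
        print(f"{label}: leaks account state = {leaks_account_state(flow)}")
```

Run stand-alone it reports that the pre-patch order leaks account state and the authenticate-first order does not; the same `leaks_account_state` check can be pointed at any login front end that takes a username and password and returns a response string.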
RE: Cannot change password through ISA 2006 FBA - 2.Apr.2009 1:58:39 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: Rhys.Goodwin

Patch applied. It looks like it just reverts the functionality. It allows password change but still has the "valid account discovery" flaw.

It's obvious that ISA can tell the difference between password expired and incorrect password. So why doesn't ISA authenticate the user before displaying that change password screen??? One would think that might have been what the patch was for!!?? Grrrrrr. Anyhow, I will have to live with the flaw and I doubt I'll lose any sleep over it.

Unless I can get password changing working in AD auth across a one-way trust, which btw the patch has had no effect on.....

Behavior Summary

Correct domain\username + correct password + "User must change password" ticked = change password screen displayed (password change successful).

Correct domain\username + incorrect password + "User must change password" ticked = change password screen displayed.

Correct domain\username + incorrect password + "User's password will expire within warning time specified in listener" = change password screen displayed + number of days till expiry (let's give away some more info!).

Correct domain\username + incorrect password = logon fails.

Random username/password = logon fails.


Hey Rhys,

Nice summary

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Rhys.Goodwin)
Post #: 68
RE: Cannot change password through ISA 2006 FBA - 2.Apr.2009 2:02:33 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: Rhys.Goodwin

Hi Guys,
I've come across this issue while developing a perimeter network for OWA/SharePoint etc. (You might have already seen some of my posts scrounging for info.)

I have a trust situation where the perimeter trusts the internal domain. Using Windows AD auth for FBA, changing expired passwords works fine for the domain that the ISA server is a member of (perimeter), but it won't work for the trusted domain!

OK, so I'll use LDAP auth and just set up 2 server sets. Then I come across this problem. My question is: after I apply the hotfix, does it fix the problem or just return the feature to pre-SP1, i.e. will the hotfix re-introduce the vulnerability?

I guess I'll find out, as soon as I can get my hands on the hotfix; it's still not public.

I'll report back what I find out.....Love play'n in the lab


Hey Rhys,

Are you sure ISA has the required connectivity?

ISA will use LDAPS for password changes - are you sure ISA has connectivity to the DCs in the internal forest using LDAPS? Does ISA trust the Root CA that issued certs to the DCs in the internal forest? 

I would do some testing to make sure ISA meets all dependencies for LDAPS connectivity, then try the password change again.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Rhys.Goodwin)
Post #: 69
RE: Cannot change password through ISA 2006 FBA - 2.Apr.2009 5:34:46 AM   
Rhys.Goodwin

 

Posts: 14
Joined: 15.Jan.2008
Status: offline
Hi Jason, yes, certs + connectivity are good. I thought it was because the ISA computer account was not trusted in the internal domain, but I proved that wrong by making the trust two-way. I love ISA and have since I started using ISA 2000 a few years ago, but after today I'm really hurting!

*Edit: Once I'm back at work next week I'll post the netlogon logs from the internal DC.

< Message edited by Rhys.Goodwin -- 2.Apr.2009 5:40:32 AM >


_____________________________

Visit My Blog!

(in reply to Jason Jones)
Post #: 70
RE: Cannot change password through ISA 2006 FBA - 2.Apr.2009 9:17:56 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rhys,

Nice blog!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Rhys.Goodwin)
Post #: 71
RE: Cannot change password through ISA 2006 FBA - 6.Apr.2009 5:04:47 PM   
Rhys.Goodwin

 

Posts: 14
Joined: 15.Jan.2008
Status: offline
Cheers Tom. Well guys, I've basically resigned myself (at least for now) to the fact that password changes in the trusted domain don't work when using Windows auth. I will just have to live with LDAP auth. At this point I'm just so glad that it works at all! Hopefully MS will fix a few of these bugs in the next SP.

_____________________________

Visit My Blog!

(in reply to tshinder)
Post #: 72
