ISA FBA Change Password Partly Busted

ISA FBA Change Password Partly Busted - 4.Feb.2010 7:05:40 PM   


Posts: 6
Joined: 11.May2004
Status: offline
OK, here is the scenario.

Dual homed ISA 2006 Ent with SP1 running on 2k3 R2 fully patched.
ISA is a member of the domain.
Have multiple sites published using FBA w/ Active Directory authentication and NTLM delegation.
Normal logins work fine.
Logins and password change when 'User must change password' is checked works fine and users can change their password and login.
Logins with users attempting to change a non-expired password and without the 'User must change password' checked cannot change their passwords.

ALL of the standard stuff has been checked.
All DCs have valid certs and LDP.exe is able to connect using LDAPS without an issue.
Scalable Networking Pack is fully disengaged.
'Client Authentication' is turned off on all certs.
The Password Policy has been disabled on the domain (temporarily for testing) and rsop.msc and gpedit.msc have been used on ISA to ensure that there are no remnants.
Just for grins, I even went ahead and configured the LDAP configuration information.

There are no errors being logged on ISA to indicate the issue. Running NetMon on the DC shows that ISA is successfully creating an LDAPS connection to the DC.

The ONLY clue I have came after turning up security auditing to max which shows an event ID 627 indicating a failed password change event. It shows the account attempting to set the password as the machine account for the ISA. This seems to indicate that the machine account for ISA is in need of permissions to change passwords in the domain which makes no sense.

Any ideas? I am seriously scraping bottom here.
Post #: 1
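The event ID 627 clue above is the kind of thing worth pulling out of a security log systematically. As an added example (not code from the original post), the Python below triages constructed Windows Server 2003 security records in the 627 "Change Password Attempt" layout and returns the failed attempts where the caller is a computer account (name ending in "$") rather than the target user; successful 627s, like the Domain Admin case, are kept apart. All account names, SIDs and the export format are assumptions.

```python
"""Triage Windows Server 2003 security audit records for event ID 627
("Change Password Attempt") and flag failed attempts whose caller is a
computer account acting on someone else's password, as with the ISA
machine account in this thread. Sample records are constructed."""
import re

# Constructed export, one record per string: "<audit type>|<event id>|<message>".
SAMPLE_EVENTS = [
    "Failure Audit|627|Change Password Attempt: Target Account Name: jdoe "
    "Target Domain: CORP Target Account ID: S-1-5-21-1-1-1-1105 "
    "Caller User Name: ISA01$ Caller Domain: CORP Caller Logon ID: (0x0,0x3E7) Privileges: -",
    "Success Audit|627|Change Password Attempt: Target Account Name: admin1 "
    "Target Domain: CORP Target Account ID: S-1-5-21-1-1-1-500 "
    "Caller User Name: ISA01$ Caller Domain: CORP Caller Logon ID: (0x0,0x3E7) Privileges: -",
    "Success Audit|628|User Account password set: Target Account Name: svc_x ...",
    "Failure Audit|627|Change Password Attempt: Target Account Name: bsmith "
    "Target Domain: CORP Target Account ID: S-1-5-21-1-1-1-1106 "
    "Caller User Name: bsmith Caller Domain: CORP Caller Logon ID: (0x0,0x9A2) Privileges: -",
]

# Pull the three fields that matter for this triage out of the 627 message text.
FIELD_RE = re.compile(
    r"Target Account Name:\s*(?P<target>\S+).*?"
    r"Caller User Name:\s*(?P<caller>\S+).*?"
    r"Caller Domain:\s*(?P<caller_domain>\S+)"
)


def parse_event(record):
    """Return a dict for a 627 record, or None for any other event ID."""
    audit_type, event_id, message = record.split("|", 2)
    if event_id != "627":
        return None
    m = FIELD_RE.search(message)
    if not m:
        return None  # 627 record in an unexpected layout; skip rather than guess
    return {"failed": audit_type.startswith("Failure"),
            "target": m["target"], "caller": m["caller"],
            "caller_domain": m["caller_domain"]}


def proxied_change_failures(records):
    """(target, DOMAIN\\caller) for failed 627s where a computer account ($)
    attempted to change a different account's password."""
    hits = []
    for rec in records:
        ev = parse_event(rec)
        if ev and ev["failed"] and ev["caller"].endswith("$") and ev["caller"] != ev["target"]:
            hits.append((ev["target"], ev["caller_domain"] + "\\" + ev["caller"]))
    return hits
```

Run over a real export, the list narrows the failures to the proxy's own machine account, which is the pattern to correlate against the FBA logon attempts on the ISA side.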
RE: ISA FBA Change Password Partly Busted - 4.Feb.2010 9:28:20 PM   


Posts: 6
Joined: 11.May2004
Status: offline
Another piece of minor information, Domain Admins are able to change their passwords via FBA, only standard users appear to be affected. I did come across another post talking about a similar issue involving the Pre-Windows 2000 Compatible Access group, but that wasn't my issue.

(in reply to Merddyn)
Post #: 2
RE: ISA FBA Change Password Partly Busted - 5.Feb.2010 8:54:43 AM   


Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

Changes in Service Pack 1

The ISA Server 2006 Service Pack 1 implementation of the change password feature was redesigned for improved security. If the user did not select the Change Password check box on the logon form, ISA Server will check the password to ensure that it is valid and has expired. In this case, ISA Server displays the change password form.
Note that if you are using forms-based authentication with LDAP authentication, ISA Server is not able to perform this action and cannot provide automatic redirection to the change password form. This is because the LDAP provider can't validate passwords. When changing an expired password by using the LDAP provider, the user must select the Change Password check box on the logon form. Otherwise, the LDAP provider will not indicate to ISA Server that the password has expired, and the user will receive an error message regarding invalid credentials.

Source: Configuring and Troubleshooting the Password Change Feature in ISA Server 2006

Also, this can be a good read: Troubleshooting Forms Based Authentication using Secure LDAP Authentication on ISA Server 2006

Paulo Oliveira.


Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to Merddyn)
Post #: 3
RE: ISA FBA Change Password Partly Busted - 5.Apr.2010 4:57:36 PM   


Posts: 37
Joined: 30.Jan.2008
Status: offline
OK...I'm having a similar issue but am looking for some clarification on that ISA 2006 SP1 article.
Isn't it a bit useless if you need to use secure LDAP to perform a password change, but yet that method does not allow for telling a user their password is expired or about to expire?
I'm using Forefront TMG RTM and changing a password works flawlessly however if the user's account expires or is about to expire there is absolutely no notification whatsoever...just a failed login attempt once the account is expired (or set to change password at first login).
Is there any way to have both features working simultaneously?

(in reply to paulo.oliveira)
Post #: 4