Dual-homed ISA 2006 Ent with SP1 running on 2k3 R2, fully patched. ISA is a member of the domain. Have multiple sites published using FBA w/ Active Directory authentication and NTLM delegation. Normal logins work fine. Logins and password change when 'User must change password' is checked work fine, and users can change their password and log in. Logins with users attempting to change a non-expired password and without 'User must change password' checked cannot change their passwords.
ALL of the standard stuff has been checked. All DCs have valid certs and LDP.exe is able to connect using LDAPS without an issue. Scalable Networking Pack is fully disengaged. 'Client Authentication' is turned off on all certs. The Password Policy has been disabled on the domain (temporarily for testing) and rsop.msc and gpedit.msc have been used on ISA to ensure that there are no remnants. Just for grins, I even went ahead and configured the LDAP configuration information.
There are no errors being logged on ISA to indicate the issue. Running NetMon on the DC shows that ISA is successfully creating an LDAPS connection to the DC.
The ONLY clue I have came after turning up security auditing to max which shows an event ID 627 indicating a failed password change event. It shows the account attempting to set the password as the machine account for the ISA. This seems to indicate that the machine account for ISA is in need of permissions to change passwords in the domain which makes no sense.
Another piece of minor information, Domain Admins are able to change their passwords via FBA, only standard users appear to be affected. I did come across another post talking about a similar issue involving the Pre-Windows 2000 Compatible Access group, but that wasn't my issue.
Changes in Service Pack 1
The ISA Server 2006 Service Pack 1 implementation of the change password feature was redesigned for improved security. If the user did not select the Change Password check box on the logon form, ISA Server will check the password to ensure that it is valid and has expired. In this case, ISA Server displays the change password form. Note that if you are using forms-based authentication with LDAP authentication, ISA Server is not able to perform this action and cannot provide automatic redirection to the change password form. This is because the LDAP provider can't validate passwords. When changing an expired password by using the LDAP provider, the user must select the Change Password check box on the logon form. Otherwise, the LDAP provider will not indicate to ISA Server that the password has expired, and the user will receive an error message regarding invalid credentials.
OK...I'm having a similar issue but am looking for some clarification on that ISA 2006 SP1 article.
Isn't it a bit useless if you need to use secure LDAP to perform a password change, yet that method does not allow for telling a user their password is expired or about to expire?
I'm using Forefront TMG RTM and changing a password works flawlessly; however, if the user's account expires or is about to expire there is absolutely no notification whatsoever... just a failed login attempt once the account is expired (or set to change password at first login).
Is there any way to have both features working simultaneously?