Password Change with FBA

When users log on to OWA using forms-based authentication and authenticate using either Windows authentication or an LDAP server, ISA Server provides a password change feature in the logon form. You can inform users that a password will expire in a specified number of days, and allow them to create a new password either before or after expiry. Before configuring this feature, note the following:

  • You must use an LDAPS connection to the LDAP server/dc. This requires a server certificate on the LDAP server/dc.

  • ISA Server must have the root certificate of the CA that issues the server certificate in its Local Computer Trusted Root Certification Authorities store.

  • When authenticating against an LDAP server, you create an LDAP server set containing the server as follows:

    • Select to connect over a secure connection

    • Specify an FQDN for the LDAP server name. The name specified must match the subject name specified on the server certificate.

    • Add at least one logging expression to assign the LDAP server to a specific group of users.

    • Disable use of the GC.

    • Specify the domain in which users accounts can be identified, and details of an account that will be used to bind to the LDAP server and query the credentials of logged-on users.

There are a number of common issues with the Password Change feature:

  • Failure because no certificate is installed.

    • You require a server certificate whether you are using LDAP or Windows authentication.

  • Client logon is slow when running ISA Server on a computer with Windows Server 2003 SP2 or the Scalable Networking Pack installed.

    • Take a look at KB 555958 for a solution.

  • Client logon is slow when server certificates are configured with default purpose settings of "Server Authentication" and "Client Authentication".

    • When Windows Server 2003 detects the default purpose setting of "Client Authentication" on a certificate, it attempts to perform TLS with mutual authentication. The mutual authentication process requires ISA Server to have access to the private key of the certificate, and ISA Server does not have (and should not have) this access. To solve this issue, remove the "Client Authentication" purpose setting from the certificate properties.

  • Users authenticating against an LDAP server receive an Error page 500 message.

    • Users may be entering credentials for which a logon expression does not exist. Users must either log on using the format domain\name, or you must create a logon expression to handle the user logon format. Add one or more logon expressions to the LDAP server set. For example, when you create a logon expression * , a user entering credentials in the format will log on successfully.

  • Password change error.

    • The default domain policy may have a value of 1 or greater set for the minimum password age. If you want users to be able to change password more than once a day, set the minimum password age to 0.

  • After changing the password, users are still able to authenticate using their old password.

    • Active Directory allows both the old password and the new one to be used for one hour, to allow for replication. To confirm that this is not an ISA Server issue, log off and then log on again using the old password. For information about a registry key to customize the time, see KB 906305.

Rayne Wiselman

ISA Server User Experience Team

Comments (12)

  1. Shijaz says:

    Has anybody noticed:

    If you select "I want to change my password" and enter a wrong password and click ‘login’, you are taken to the change password screen. only after the user attempts to change the password is he informed that his password is wrong. Any fix/workaround?

  2. Anonymous says:

    we don’t care if all other MS products rely upon it". Thank’s a lot.

  3. Anonymous says:

    Does this mean that you MUST use LDAP auth to change the password? What if the ISA Firewall is in the same domain as the user? Do we still need to use LDAP?



  4. Anonymous says:

    Hi Yuri,

    Thanks! I didn’t know that LDAP was required for password changes. However, this isn’t a problem, as the ISA Firewall can still be a domain member and you can still use LDAPS for the publishing rule.



  5. ehab says:


    in some articles it  says that joining ISA to the domain is recommend it, then why do I need LDAP ?

  6. Slava says:


    I am trying to implement ISA for only FBA and winowds passwod change.  Question is – do I need to have MS Exchange in the environment?  Also, IIS is required for FBA, does ISA create a web page for the password cnahge or what is the mechanism that is used.  If I am setting this up in a test enironment, do I need to use LDAPS or is there a way araund it?

    Are there detailed instructions on how to implement FBA for password change?


  7. Yuri Diogenes says:

    Answering the questions from Dr. Tom and from Ehab Abu Al Khair:

    We must use LDAPS to use the Change Password feature. If you take a look on the table (Appendix B) of the article below you will see that the only supported way to use this feature is via LDAPS:

    To prepare your DC to issue the correct certificate for LDAPS, use the article below:;en-us;321051

    I hope that this can help.


  8. Yuri Diogenes says:

    Hi Shijaz,

    I noticed that too. I took a netmon trace from the internal NIC of the ISA and the difference is:

    – When you don’t select the checkbox to change the password the ISA sends the authentication request to the DC (or LDAP Server) to validate the credentials.

    – When you select the checkbox to change the password the ISA doesn’t send the authentication request to the DC on that first screen, it will change later on only when you submit the password change on the next screen.

    Looks like this is a control on the page, but you can customize the page using the instructions below:


  9. James (njan) Eaton-Lee says:

    This doesn’t appear to be correct – it contradicts the following guide:

    ("The change password feature is supported when clients input credentials using forms-based authentication, and ISA Server validates credentials using Windows (Active Directory) authentication or LDAP (Active Directory) authentication.")

    As well as my own experience – I have Password Management enabled on an ISA 2006 AD/FBA/SSL web publishing rule, and it works fine (I’ve just tried it!)

    The /secure_web_publishing.mspx#AppendixB URL doesn’t state that LDAP is required for Password Management; just that LDAPS is required rather than LDAP when configuring a publishing rule with LDAP as the authentication provider, if you want the Password Management functionality. I suspect this is where the confusion lies!

    You can use Password Management with ISA FBA using Active Directory as the authentication provider, as long as the ISA Server has the appropriate domain membership. You only need to use LDAPS for password authentication if your ISA box/array isn’t in an appropriate domain structure, or is standalone.


    – James.

  10. Yuri Diogenes says:

    Hi James,

    Interesting because on this guide that you mention says two things that point to this requirement:

    First on the paragrapah:

    The change password feature is supported when clients input credentials using forms-based authentication, and ISA Server validates credentials using Windows (Active Directory) authentication or LDAP (Active Directory) authentication. Before configuring this feature, note the following:

    • You must use an LDAPS connection to the LDAP server or the domain controller. To use a secure LDAP connection, a server certificate must be installed on the LDAP server or domain controller. The certificate subject name must match the FQDN you will specify for the authentication server.

    Second on the troubleshooting part:

    Password change functionality fails because no certificate is installed

    Issue: Whether you are using LDAP authentication or Windows Active Directory authentication, an LDAPS connection on TPC port 636 is required to the authentication server.

    Solution: For Windows authentication, obtain a certificate on the domain controller. For LDAP authentication, obtain a server certificate on the LDAP server. Ensure that the common name on the certificate matches the name of the authentication server.


    Yuri Diogenes

  11. harris says:

    i have fogotten my passwrod to Forefront TMG and now i cant access my emails which i need!!

    can anyone help me?

  12. trentsh - msft says:


    Had had a problem with PW changes on the TMG, sure enough the DC's at my new site were missing the server cert to allow the LDAPs connections.

Skip to main content