Password Change with FBA

When users log on to OWA using forms-based authentication and authenticate using either Windows authentication or an LDAP server, ISA Server provides a password change feature in the logon form. You can inform users that a password will expire in a specified number of days, and allow them to create a new password either before or after expiry. Before configuring this feature, note the following:

  • You must use an LDAPS connection to the LDAP server or domain controller (DC). This requires a server certificate on the LDAP server/DC.
  • ISA Server must have the root certificate of the CA that issues the server certificate in its Local Computer Trusted Root Certification Authorities store.
  • When authenticating against an LDAP server, you create an LDAP server set containing the server as follows:
    • Select to connect over a secure connection
    • Specify an FQDN for the LDAP server name. The name specified must match the subject name specified on the server certificate.
    • Add at least one logon expression to assign the LDAP server to a specific group of users.
    • Disable use of the GC.
    • Specify the domain in which user accounts can be identified, and details of an account that will be used to bind to the LDAP server and query the credentials of logged-on users.

There are a number of common issues with the Password Change feature:

  • Failure because no certificate is installed.
    • You require a server certificate whether you are using LDAP or Windows authentication.
  • Client logon is slow when running ISA Server on a computer with Windows Server 2003 SP2 or the Scalable Networking Pack installed.
    • Take a look at KB 555958 for a solution.
  • Client logon is slow when server certificates are configured with default purpose settings of "Server Authentication" and "Client Authentication".
    • When Windows Server 2003 detects the default purpose setting of "Client Authentication" on a certificate, it attempts to perform TLS with mutual authentication. The mutual authentication process requires ISA Server to have access to the private key of the certificate, and ISA Server does not have (and should not have) this access. To solve this issue, remove the "Client Authentication" purpose setting from the certificate properties.
  • Users authenticating against an LDAP server receive a 500 error page.
    • Users may be entering credentials for which no logon expression exists. Users must either log on using the format domain\name, or you must create a logon expression that handles the user logon format. Add one or more logon expressions to the LDAP server set. For example, when you create a logon expression *@contoso.com, a user entering credentials in the format username@contoso.com will log on successfully.
  • Password change error.
    • The default domain policy may have a value of 1 or greater set for the minimum password age. If you want users to be able to change their password more than once a day, set the minimum password age to 0.
  • After changing the password, users are still able to authenticate using their old password.
    • Active Directory allows both the old password and the new one to be used for one hour, to allow for replication. To confirm that this is not an ISA Server issue, log off and then log on again using the old password. For information about a registry key to customize the time, see KB 906305.
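The certificate prerequisites above (LDAPS reachable, subject name matching the configured FQDN, issuing CA trusted on the ISA Server computer, and no "Client Authentication" purpose) can be checked from the ISA Server computer before you enable the feature. The following preflight script is an added example, not part of the original post or an ISA Server tool; it assumes the LDAP server name configured in the LDAP server set is passed as $LdapFqdn and that TCP 636 is reachable.

```powershell
# Preflight check for the ISA Server FBA password change prerequisites.
# Assumption: $LdapFqdn is the FQDN entered in the LDAP server set (placeholder below).
param([string]$LdapFqdn = "dc1.contoso.com", [int]$Port = 636)

# Capture any chain/name errors reported by the TLS handshake, but keep the
# connection open so the server certificate can be inspected afterwards.
$script:sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:sslErrors = $errors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($LdapFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($LdapFqdn)   # LDAPS is TLS from the first byte, so a plain TLS client handshake suffices
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Close()
}

# 1. The certificate name must match the FQDN configured in the LDAP server set.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"Certificate name : $dnsName (configured: $LdapFqdn) match=$($dnsName -ieq $LdapFqdn)"

# 2. 'None' means the chain validated against this computer's Trusted Root store;
#    RemoteCertificateChainErrors means the issuing CA's root certificate is missing.
"Handshake errors : $script:sslErrors"

# 3. A 'Client Authentication' purpose (EKU OID 1.3.6.1.5.5.7.3.2) makes Windows
#    attempt mutual TLS and causes the slow logon described above.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasClientAuth = $false
if ($eku) {
    $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}
"Client Auth EKU  : $hasClientAuth (remove this purpose from the certificate if logon is slow)"
```

Run it once per LDAP server in the set; every line should report a match, no handshake errors, and no Client Authentication purpose.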

Rayne Wiselman

ISA Server User Experience Team