Password change using Form Based Authentication in ISA server 2006

With ISA Server 2006 we have a feature called password change, which allows the user to change his password externally. This feature is available with Forms Based Authentication (FBA) on ISA Server. It is most commonly used with OWA publishing and SharePoint publishing, where user authentication is done using FBA. I will start with the requirements for allowing password change using FBA through ISA Server, then discuss the configuration required on the ISA Server, and finally the behaviour of the password change feature before and after ISA Server 2006 SP1. First of all, the requirements.

Requirements 

Certificates 

An LDAPS (secure LDAP) connection is required for ISA Server to connect to the domain controller and allow password change. A secure SSL connection has its own requirements, which in this case are as follows:

1. A server authentication certificate on the domain controller, whose subject name matches the FQDN of the domain controller; in our case it should be corpa06.corpa.local.

2. The issuing certificate authority's certificate must be installed on the domain controller as well as on the ISA Server, in the computer's trusted certificate authority store.

Ports

If there is a firewall between the ISA Server and the domain controller, then TCP port 636 must be open on that firewall. So we need the certificates and TCP port 636 open for the password change feature to work.
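Before touching the listener it is worth confirming the three prerequisites above from the ISA Server side. The following PowerShell function is an added example (not from the original post): it opens TCP 636 to the domain controller, completes a TLS handshake, and reports whether the presented certificate names the DC's FQDN, carries the Server Authentication purpose, and chains to a CA trusted on the local machine. The host name is the post's own example DC; the function name is my own.

```powershell
# Added example: check the LDAPS prerequisites (port 636, certificate subject,
# server-authentication EKU, trusted issuing CA) from the ISA Server.
function Test-LdapsPrerequisites {
    param(
        [string]$DomainController = 'corpa06.corpa.local',  # example DC from the post
        [int]$Port = 636
    )
    $result = [ordered]@{ PortOpen = $false; SubjectMatchesFqdn = $false
                          ServerAuthEku = $false; ChainTrusted = $false; Errors = @() }

    # 1. TCP 636 must be reachable through any firewall between ISA and the DC.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($DomainController, $Port); $result.PortOpen = $true }
    catch {
        $result.Errors += "TCP $Port to $DomainController failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. TLS handshake. The callback accepts any certificate so that trust problems
    #    are reported below instead of aborting the handshake.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try { $ssl.AuthenticateAsClient($DomainController) }
    catch {
        $result.Errors += "TLS handshake failed: $($_.Exception.Message)"
        $tcp.Close(); return [pscustomobject]$result
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Subject (or SAN) DNS name must equal the DC's FQDN.
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $result.SubjectMatchesFqdn = ($cert.GetNameInfo($dnsType, $false) -ieq $DomainController)

    # Must be a server authentication certificate (EKU 1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $result.ServerAuthEku = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))

    # 3. Issuing CA must chain to a root trusted on this machine (revocation skipped
    #    here; enable it if the CRL is reachable from the ISA Server).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result.ChainTrusted = $chain.Build($cert)
    if (-not $result.ChainTrusted) {
        $result.Errors += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }

    $ssl.Close(); $tcp.Close()
    return [pscustomobject]$result
}

Test-LdapsPrerequisites
```

Run it on the ISA Server itself, since that is the machine whose trust store and firewall path matter; any `$false` in the output points at the corresponding requirement above.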

Configuration On ISA Server

FBA with AD

I will use my OWA publishing post as the example to keep this post as short as possible. We know that we configure authentication on the listener under the Authentication tab. We configured FBA with Windows Active Directory for our OWA publishing rule. If we open the properties of the listener, we see several tabs, one of which is Forms; under this tab we can enable the password change feature by selecting its checkbox, as shown below.


After enabling the password change feature, when we try to access OWA we get the FBA page with the option to change password, shown in the figure below.

If we check this option, as I have done above, we are redirected to the password change page after entering the user credentials on the FBA page, as shown below.

On the password change page we can change the password. This is how it is supposed to work, and it does work that way. But due to certain security requirements this behaviour was altered in ISA Server 2006 SP1, and we need to follow certain steps to get it to work.

FBA With LDAP

In this scenario, enabling the password change feature is done by checking the same checkbox under the Forms tab (i.e. allow user to change password) as in the FBA with AD scenario above. We need to configure an LDAP server set for LDAP authentication; its explanation and implementation are beyond the scope of this post, but you can refer to https://technet.microsoft.com/en-us/library/bb794854.aspx#AppendixB and https://technet.microsoft.com/en-us/library/bb794854.aspx#LDAPsrv. After doing that, you choose FBA with LDAP under the Authentication tab of the listener,

and the LDAP server set should be configured as shown below (the following settings are as per my own setup/OWA post).


In the above figure, for password change to work we clear the checkbox that uses the global catalog, check the box that uses a secure connection to connect to the LDAP servers, and then add the credentials of a domain user in the edit box provided.

What are we doing here? We are disabling the use of the global catalog, using a secure LDAP connection, and configuring a domain account to bind to the LDAP server to allow password change.

Once we have configured this, we are ready to allow users to change their passwords using LDAP authentication as well.

Password change feature and SP1

FBA with LDAP 

The password change feature was there with ISA Server 2006, but after installing ISA Server 2006 SP1 I saw some scenarios where FBA with LDAP was used as the authentication method on the listener and the user was configured on the domain controller to change password at next logon, but when that user logged on using FBA and checked the box to change password, he was not redirected to the password change form. To resolve this we need to run the script mentioned in the following article, https://support.microsoft.com/kb/957859, after installing the hotfix package mentioned in that article. This issue occurred where FBA was used with LDAP authentication. This change in SP1 was made to prevent certain authentication attacks. You can visit https://technet.microsoft.com/en-us/library/cc514301.aspx for more information about the changes in Service Pack 1.

Another important point I would like to add about FBA with LDAP after SP1: if a user's password has expired and the user logs on using the FBA page without checking the change password checkbox, then the user is not redirected to the password change form, as the LDAP provider has no way to detect that the password has expired. So a user whose password has expired and who wants to change it must check the password change checkbox on the FBA page to get the password change form.

FBA with Windows Active Directory

After SP1, if a user's password has expired and he tries to log on using FBA, ISA Server validates the user and, when it finds that the password has expired, redirects the user to the password change form, where the user can change the password.