More fun with the Change Password feature through ISA Server 2006

1. Introduction


Just when we think we have covered every scenario that can break the change password feature through ISA Server 2006, something new happens. This quick post is about a scenario where only users that belonged to a specific OU were unable to change their password through ISA Server 2006. In this scenario the affected users were located in an OU called Adm/Fin, as shown in Figure 1:


Figure 1 – ISA Server 2006 web publishing rule with a deny action.


2. Troubleshooting


The articles below were used to initially troubleshoot this issue:


1. The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1
https://support.microsoft.com/kb/957859

2. Configuring and Troubleshooting the Password Change Feature in ISA Server 2006
https://technet.microsoft.com/en-us/library/cc514301.aspx

3. Troubleshooting Forms Base Authentication using Secure LDAP Authentication on ISA Server 2006
https://technet.microsoft.com/en-us/library/dd316279.aspx

4. Unable to Change Password through ISA Server 2006
https://blogs.technet.com/isablog/archive/2009/04/28/unable-to-change-password-through-isa-server-2006.aspx

After all the efforts to fix the issue using the articles above, one small but decisive piece of information was found in isalog.bin (which is part of the ISA Data Packager output, as explained in one of my previous articles). The log shows that ISA failed to change the password because of error 80005000, which is E_ADS_BAD_PATHNAME.

This error was puzzling, because the user could log on just fine, which suggests that the path was correct; moreover, the same user was able to change the password from a Windows workstation logged on to the domain internally.

3. Solution

After collaborating with the DS team, we found the following statement in an article about LDAP:

If the name of an organizational unit contains a forward slash character (/), the system requires an escape character in the form of a backslash (\) to distinguish between forward slashes that separate elements of the canonical name and the forward slash that is part of the organizational unit name.

Source: https://technet.microsoft.com/en-us/library/cc977992.aspx


The problem was the slash character in the OU name: the slash is parsed as a separator between the elements of the path, so the lookup for the user's container fails. After renaming the OU to remove the slash, the user was able to change the password.
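To make the quoted escaping rule and the fix concrete, here is an added example (written for this page, not code from the original post or from ISA Server): a small parser for the canonical-name form, a constructed sample directory tree, and a check that lists OU names containing a slash. The domain contoso.com, the OU names and the user jdoe are constructed sample values. It shows how an unescaped "Adm/Fin" splits into two elements and the lookup fails, while the backslash-escaped form resolves.

```python
# Added example (not from the original post): a minimal parser for the
# canonical-name form "domain/OU/OU/leaf", showing why an OU named "Adm/Fin"
# breaks an unescaped path and how the backslash escape from the quoted
# TechNet rule repairs it. All directory data below is constructed.

from typing import Dict, List, Optional, Union

# Constructed sample directory: nested dicts are containers, "user" is a leaf.
Node = Union[str, Dict[str, "Node"]]
SAMPLE_DIRECTORY: Dict[str, Node] = {
    "contoso.com": {
        "Adm/Fin": {"jdoe": "user"},   # OU whose name contains a slash
        "Sales": {"asmith": "user"},
    }
}


def split_canonical_name(canonical: str) -> List[str]:
    """Split a canonical name into elements.

    An unescaped "/" separates elements; "\\/" is a literal slash inside an
    element name (the rule quoted from TechNet) and "\\\\" a literal backslash.
    """
    elements: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(canonical):
        ch = canonical[i]
        if ch == "\\" and i + 1 < len(canonical):
            current.append(canonical[i + 1])  # take the escaped char literally
            i += 2
            continue
        if ch == "/":
            elements.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    elements.append("".join(current))
    return elements


def escape_element(name: str) -> str:
    """Escape one element name so it can be embedded in a canonical name."""
    return name.replace("\\", "\\\\").replace("/", "\\/")


def build_canonical_name(domain: str, ous: List[str], leaf: str) -> str:
    """Build a canonical name from its parts, escaping every element."""
    return "/".join(escape_element(p) for p in [domain, *ous, leaf])


def resolve(directory: Dict[str, Node], canonical: str) -> Optional[Node]:
    """Walk the sample tree along the parsed path; None means 'bad pathname'."""
    node: Node = directory
    for element in split_canonical_name(canonical):
        if not isinstance(node, dict) or element not in node:
            return None
        node = node[element]
    return node


def ou_names_needing_escape(directory: Dict[str, Node]) -> List[str]:
    """List container names that contain a literal slash (candidates to
    rename, or that must be escaped wherever a canonical name is built)."""
    found: List[str] = []
    for name, child in directory.items():
        if "/" in name:
            found.append(name)
        if isinstance(child, dict):
            found.extend(ou_names_needing_escape(child))
    return found


if __name__ == "__main__":
    naive = "contoso.com/Adm/Fin/jdoe"
    escaped = build_canonical_name("contoso.com", ["Adm/Fin"], "jdoe")
    print("naive   :", naive, "->", split_canonical_name(naive), resolve(SAMPLE_DIRECTORY, naive))
    print("escaped :", escaped, "->", split_canonical_name(escaped), resolve(SAMPLE_DIRECTORY, escaped))
    print("OUs with a slash:", ou_names_needing_escape(SAMPLE_DIRECTORY))
```

Running the block prints the naive path splitting into four elements and resolving to None (the analogue of E_ADS_BAD_PATHNAME), while the escaped path resolves to the user; the last line lists the OU names that need either renaming or escaping.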