When users log on to OWA using forms-based authentication and authenticate using either Windows authentication or an LDAP server, ISA Server provides a password change feature in the logon form. You can inform users that a password will expire in a specified number of days, and allow them to create a new password either before or after expiry. Before configuring this feature, note the following:
There are a number of common issues with the Password Change feature:
ISA Server User Experience Team
Has anybody noticed:
If you select "I want to change my password", enter a wrong password and click 'login', you are taken to the change password screen. Only after the user attempts to change the password is he informed that his password is wrong. Any fix/workaround?
Does this mean that you MUST use LDAP auth to change the password? What if the ISA Firewall is in the same domain as the user? Do we still need to use LDAP?
In some articles it says that joining ISA to the domain is recommended, so why do I need LDAP?
I am trying to implement ISA for only FBA and Windows password change. Question is - do I need to have MS Exchange in the environment? Also, IIS is required for FBA; does ISA create a web page for the password change, or what is the mechanism that is used? If I am setting this up in a test environment, do I need to use LDAPS or is there a way around it?
Are there detailed instructions on how to implement FBA for password change?
Answering the questions from Dr. Tom and from Ehab Abu Al Khair:
We must use LDAPS to use the Change Password feature. If you take a look at the table (Appendix B) of the article below you will see that the only supported way to use this feature is via LDAPS:
To prepare your DC to issue the correct certificate for LDAPS, use the article below:
I hope that this can help.
I noticed that too. I took a netmon trace from the internal NIC of the ISA and the difference is:
- When you don't select the checkbox to change the password the ISA sends the authentication request to the DC (or LDAP Server) to validate the credentials.
- When you select the checkbox to change the password the ISA doesn't send the authentication request to the DC on that first screen; it only does so later, when you submit the password change on the next screen.
Looks like this is a control on the page, but you can customize the page using the instructions below:
Thanks! I didn't know that LDAP was required for password changes. However, this isn't a problem, as the ISA Firewall can still be a domain member and you can still use LDAPS for the publishing rule.
This doesn't appear to be correct - it contradicts the following guide:
("The change password feature is supported when clients input credentials using forms-based authentication, and ISA Server validates credentials using Windows (Active Directory) authentication or LDAP (Active Directory) authentication.")
As well as my own experience - I have Password Management enabled on an ISA 2006 AD/FBA/SSL web publishing rule, and it works fine (I've just tried it!)
The /secure_web_publishing.mspx#AppendixB URL doesn't state that LDAP is required for Password Management; just that LDAPS is required rather than LDAP when configuring a publishing rule with LDAP as the authentication provider, if you want the Password Management functionality. I suspect this is where the confusion lies!
You can use Password Management with ISA FBA using Active Directory as the authentication provider, as long as the ISA Server has the appropriate domain membership. You only need to use LDAPS for password authentication if your ISA box/array isn't in an appropriate domain structure, or is standalone.
Interesting, because the guide that you mention says two things that point to this requirement:
First, in this paragraph:
The change password feature is supported when clients input credentials using forms-based authentication, and ISA Server validates credentials using Windows (Active Directory) authentication or LDAP (Active Directory) authentication. Before configuring this feature, note the following:
• You must use an LDAPS connection to the LDAP server or the domain controller. To use a secure LDAP connection, a server certificate must be installed on the LDAP server or domain controller. The certificate subject name must match the FQDN you will specify for the authentication server.
Second, in the troubleshooting part:
Password change functionality fails because no certificate is installed
Issue: Whether you are using LDAP authentication or Windows Active Directory authentication, an LDAPS connection on TCP port 636 is required to the authentication server.
Solution: For Windows authentication, obtain a certificate on the domain controller. For LDAP authentication, obtain a server certificate on the LDAP server. Ensure that the common name on the certificate matches the name of the authentication server.
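The troubleshooting entry quoted above gives three things to verify on the authentication server: that something answers on TCP 636, that a server certificate is actually bound to LDAPS, and that the certificate's name matches the name ISA/TMG will connect to. The following PowerShell script is an added example for this thread (it is not from the original post, from the ISA team or from Microsoft's documentation) that performs those checks from the ISA/TMG server itself, so the trust-chain check uses the same certificate store ISA/TMG would use. It assumes a hypothetical DC name `dc01.corp.example.com`, Windows PowerShell 2.0 or later, and the Windows CryptoAPI text layout (`DNS Name=...`) that `X509Extension.Format()` produces for the subjectAltName extension; adjust the FQDN to the one you typed into the publishing rule or LDAP server set.

```powershell
# Added example (not from the original thread): check that an authentication server
# presents a usable LDAPS certificate on TCP 636 and that its name matches the FQDN
# configured in the ISA/TMG rule. Assumed: hostname 'dc01.corp.example.com',
# Windows PowerShell 2.0+, Windows CryptoAPI text format for the SAN extension.

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$AuthServerFqdn,   # name typed into the ISA/TMG rule
        [int]$Port = 636
    )

    $report = New-Object PSObject -Property @{
        AuthServerFqdn = $AuthServerFqdn
        TlsHandshake   = $false
        Subject        = $null
        SanDnsNames    = @()
        NameMatches    = $false
        ServerAuthEku  = $false
        ChainValid     = $false
        Problems       = @()
    }

    # 1. Plain TCP connect: a failure here means nothing is listening on 636 at all.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($AuthServerFqdn, $Port)
    } catch {
        $report.Problems += "TCP connect to ${AuthServerFqdn}:${Port} failed: $($_.Exception.Message)"
        return $report
    }

    # 2. TLS handshake. Accept any certificate at this stage; the individual checks are
    #    done explicitly below so a bad certificate is reported, not hidden in a generic error.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($AuthServerFqdn)
        $report.TlsHandshake = $true
    } catch {
        # Typical symptom of a DC with no server certificate bound to LDAPS.
        $report.Problems += "TLS handshake failed: $($_.Exception.Message)"
        $tcp.Close()
        return $report
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $ssl.RemoteCertificate
    $ssl.Dispose()
    $tcp.Close()

    # 3. Name check: the FQDN from the rule must appear as the subject CN or a SAN dNSName.
    $report.Subject = $cert.Subject
    $names = @()
    $cnPart = $cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($cnPart) { $names += ($cnPart -replace '^CN=', '') }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        $report.SanDnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
        $names += $report.SanDnsNames
    }
    $report.NameMatches = [bool]($names -contains $AuthServerFqdn)   # -contains ignores case
    if (-not $report.NameMatches) {
        $report.Problems += "Certificate names [$($names -join ', ')] do not include '$AuthServerFqdn'"
    }

    # 4. Server Authentication EKU (1.3.6.1.5.5.7.3.1): the usage the DC certificate must carry.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $ekuExt = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension `
            -ArgumentList $eku, $false
        $report.ServerAuthEku = [bool]($ekuExt.EnhancedKeyUsages |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }
    if (-not $report.ServerAuthEku) { $report.Problems += 'Certificate lacks the Server Authentication EKU' }

    # 5. Chain check against THIS machine's store: run on the ISA/TMG box, not a workstation,
    #    because that is where the issuing CA must be trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $report.ChainValid = $chain.Build($cert)
    if (-not $report.ChainValid) {
        $report.Problems += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.StatusInformation.Trim())" })
    }
    if ($cert.NotAfter -lt (Get-Date)) { $report.Problems += "Certificate expired on $($cert.NotAfter)" }

    return $report
}

# Usage (assumed hostname): repeat for every DC or LDAP server listed in the rule.
Test-LdapsCertificate -AuthServerFqdn 'dc01.corp.example.com' | Format-List
```

An empty `Problems` list with `TlsHandshake`, `NameMatches`, `ServerAuthEku` and `ChainValid` all `True` is the state the quoted "Solution" describes. A failed handshake points at the missing DC certificate several posters mention; a handshake that succeeds with `NameMatches` false means the rule's FQDN and the certificate name disagree, which is the "common name must match the authentication server name" condition, and entering the server by IP address instead of FQDN will fail that check for the same reason.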
we don't care if all other MS products rely upon it". Thanks a lot.
I have forgotten my password to Forefront TMG and now I can't access my emails, which I need!!
Can anyone help me?
Had a problem with PW changes on the TMG; sure enough, the DCs at my new site were missing the server cert to allow the LDAPS connections.