There are times when a user does not change their password on the day that Group Policy forces a password change. Normally, if the user logs off and tries to log on again, Windows informs him that his password has expired and requires him to change it. ISA Server is not able to perform the same action as Windows.
This article describes what happens when the user's domain password expires while he is trying to browse the Internet through ISA Server and the matching ISA Server rule requires authentication.
Understanding the Authentication
In this capture, the user is trying to access the Internet through ISA Server 2006 and his user account has the "User Must Change Password at Next Logon" flag set. Notice that the user is already logged into the operating system, but the administrator forgot to tell him to log off and log on again so that he could enter his new password. Although the scenario is not exactly the same as the one described in the Introduction, the behavior is the same. Let's see what happens:
- Client sends the request to ISA Server:
192.168.5.195 192.168.5.1 HTTP HTTP:Request, GET http://go.microsoft.com/fwlink/
- ISA Server 2006 analyzes the firewall policy and sees that a rule which matches the traffic requires authentication and responds with HTTP 407:
192.168.5.1 192.168.5.195 HTTP HTTP:Response, HTTP/1.1, Status Code = 407
- Client (in this case using Internet Explorer 6) sends the NTLM credentials:
192.168.5.195 192.168.5.1 NTLMSSP NTLMSSP:NTLM NEGOTIATE MESSAGE
- At this point ISA Server forwards the authentication request to the Domain Controller over its established secure channel.
- The Domain Controller checks whether the credentials are valid; since they are not, it replies that they are invalid and also logs the following information in netlogon.log (if the debugging level is increased using the procedure from KB109626):
05/20 08:50:54 [LOGON] FABRIKAM: SamLogon: Transitive Network logon of FABRIKAM\bob from CLIENT1 (via ISASRVSTD) Entered
05/20 08:50:54 [LOGON] FABRIKAM: SamLogon: Transitive Network logon of FABRIKAM\bob from CLIENT1 (via ISASRVSTD) Returns 0xC0000224
This error means that the user logged on with the "Change Password at Next Logon" flag set. If the scenario were the same as the one explained in the Introduction, the error code would be 0xC0000071.
At this point, ISA Server will also log the following information in its own netlogon.log (if the debugging level is increased):
05/20 08:50:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000224)
05/20 08:50:54 [LOGON] SamLogon: Network logon of FABRIKAM\bob from CLIENT1 Returns 0xC0000224
After that, ISA Server sends the HTTP 407 response to the client again, asking for authentication, since the first attempt failed:
192.168.5.1 192.168.5.195 HTTP HTTP:Response, HTTP/1.1, Status Code = 407, URL:
What happens now is that a pop-up window appears on the client workstation asking for a user name and password.
ISA repeats the previous HTTP 407 response because it has no choice in the matter. It’s impossible for ISA to indicate account or password status in this process because there is no provision for account or password status in HTTP authentication mechanisms.
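As an added example (not part of the original article), a small Python parser for the netlogon.log "SamLogon" lines quoted above: it extracts the user, source host, the proxy named in the "via" clause and the NTSTATUS code, and lists the accounts whose logons failed only because the password must be changed or has expired, which is what a helpdesk needs in order to find the users stuck in a 407 loop behind ISA. The sample input is the article's three lines plus constructed lines for two more users.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# NTSTATUS values seen on netlogon.log "Returns" lines. The two failure codes
# are the ones the article discusses; 0x0 is STATUS_SUCCESS.
STATUS_MEANING = {
    0x00000000: "logon succeeded",
    0xC0000224: "password must be changed at next logon (STATUS_PASSWORD_MUST_CHANGE)",
    0xC0000071: "password has expired (STATUS_PASSWORD_EXPIRED)",
}
PASSWORD_CHANGE_CODES = (0xC0000224, 0xC0000071)

# Matches both the DC-side "Transitive Network logon ... (via <proxy>)" form and
# the ISA-side "Network logon ..." form shown in the article.
LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:(?P<domain>\w+): )?SamLogon: "
    r"(?:Transitive )?Network logon of (?P<user>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>\S+)\))? (?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)

@dataclass
class LogonResult:
    timestamp: str
    user: str
    source: str
    via: Optional[str]   # proxy that relayed the logon (ISA), None on the ISA side
    status: int
    meaning: str

def parse_line(line: str) -> Optional[LogonResult]:
    """Return a LogonResult for a 'Returns' line; None for 'Entered' or unrelated lines."""
    m = LOGON_RE.match(line.strip())
    if not m or m.group("status") is None:
        return None
    status = int(m.group("status"), 16)
    return LogonResult(m.group("ts"), m.group("user"), m.group("source"), m.group("via"),
                       status, STATUS_MEANING.get(status, "other NTSTATUS failure"))

def users_needing_password_change(lines: Iterable[str]) -> dict:
    """Map user -> status code for logons rejected only because of password state."""
    stuck = {}
    for line in lines:
        r = parse_line(line)
        if r and r.status in PASSWORD_CHANGE_CODES:
            stuck[r.user] = r.status
    return stuck

# Constructed sample: the article's lines plus two made-up users (alice, carol).
SAMPLE_LOG = [
    r"05/20 08:50:54 [LOGON] FABRIKAM: SamLogon: Transitive Network logon of FABRIKAM\bob from CLIENT1 (via ISASRVSTD) Entered",
    r"05/20 08:50:54 [LOGON] FABRIKAM: SamLogon: Transitive Network logon of FABRIKAM\bob from CLIENT1 (via ISASRVSTD) Returns 0xC0000224",
    r"05/20 08:50:54 [LOGON] SamLogon: Network logon of FABRIKAM\bob from CLIENT1 Returns 0xC0000224",
    r"05/20 08:51:10 [LOGON] FABRIKAM: SamLogon: Transitive Network logon of FABRIKAM\alice from CLIENT2 (via ISASRVSTD) Returns 0x0",
    r"05/20 08:51:31 [LOGON] FABRIKAM: SamLogon: Transitive Network logon of FABRIKAM\carol from CLIENT3 (via ISASRVSTD) Returns 0xC0000071",
]
```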
Security Support Engineer – ISA Server Team – Microsoft Texas
Program Manager, ISA SE