Users from a trusted forest are unable to change their password using the UAG portal Credentials Management option


Once again the UAG product group has worked diligently on releasing a much-awaited update for UAG: SP4 Rollup 1.

This update includes numerous fixes for the issues we have heard from customers over the last 12 months, as well as some improvements. However, one particular issue is not included in this release, so we thought we would share the details here…


Problem Scenario

Users from a trusted forest are unable to change their password using the Credentials Management option on the UAG portal page.


For example, a user from a trusted forest logs into the UAG portal and selects the Credentials Management icon on the toolbar. The user then chooses the “Change Password” option, which displays the password change dialog. After completing the form with their current and new password, the user clicks “Save” to apply the change. However, the password is not changed and the user receives the error message “The password change cannot be applied”.

By contrast, users from a domain within the UAG forest are not affected and their password is changed successfully. In the failing scenario, you may also observe that the “User name:” field displays the logged-in user’s name as “Repository\username” rather than “TrustedForest\username”, which shows that the repository name, not the user’s trusted domain, is being used as the domain part of the account name.


The Solution

The suggested fix is to modify UAG’s LoginChangePassword.inc so that the domain_name variable holds the user’s own domain and the user name is qualified with it.

It’s not possible to customize the LoginChangePassword.inc file using the standard UAG CustomUpdate mechanism, so the built-in file has to be modified manually.

Note: Unless advised by Microsoft support personnel, making changes to core UAG files is wholly unsupported. You should not make changes to these files except under strict guidance set out by the UAG support team, or other exceptions provided through an official channel such as this blog. Applying any future updates or running repairs may overwrite the modified file, so keep the copy made in step 1 and re-check the file after any update or repair.

1. Navigate to ..\<UAG_Installation_path>\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\ and make a copy of the LoginChangePassword.inc file within the same folder.

2. Now edit the original file and locate the below block of code…

    repository = ""
    user_name = ""
    for each user in user_Vec.UserVec
        if i = index then
            repository = user.Repository
            user_name = user.User
            exit for
        end if
        i = i + 1
    next
    set user_vec = Nothing

3. Change this to include the following 6 lines…

    repository = ""
    user_name = ""
    for each user in user_Vec.UserVec
        if i = index then
            repository = user.Repository
            user_name = user.User

            '######### Below lines added to correct issue post SP4 RU1 ##########
            ' Qualify the user name with the user's own domain, unless the
            ' domain is empty or the name is already a UPN (contains "@").
            domain_name = user.Domain
            if ( (domain_name <> "") and (InStr(user_name, "@")=0) ) then
                user_name = domain_name & "\" & user_name
            end if
            '##################################################

            exit for
        end if
        i = i + 1
    next
    set user_vec = Nothing

4. Save the file and repeat the same steps on every other UAG server.
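Because step 4 has to be repeated on every UAG server, here is an added helper (written for this post, not part of UAG or the original article) that applies the six-line change to the file contents, refuses to apply it twice, and reproduces the inserted condition in Python so you can check what it does to a given user name. It assumes the line "user_name = user.User" occurs once, inside the "if i = index then" block, and writes the marker lines as VBScript comments (leading apostrophe); the sample block at the end is constructed.

```python
import re

# Marker line of the fix as a VBScript comment; if present, already patched.
MARKER = "'######### Below lines added to correct issue post SP4 RU1 ##########"

# The six lines from the article, indented relative to the anchor line.
FIX_LINES = [
    MARKER,
    "domain_name = user.Domain",
    'if ( (domain_name <> "") and (InStr(user_name, "@")=0) ) then',
    '    user_name = domain_name & "\\" & user_name',
    "end if",
    "'##################################################",
]

# Assumption: this line occurs once, inside the "if i = index then" block.
ANCHOR = re.compile(r"^(\s*)user_name\s*=\s*user\.User\s*$", re.IGNORECASE)

def is_patched(text: str) -> bool:
    return MARKER in text

def apply_fix(text: str) -> str:
    """Insert FIX_LINES after the anchor line, keeping the file's indentation
    and line endings. Safe to re-run; raises if the anchor is not found."""
    if is_patched(text):
        return text
    nl = "\r\n" if "\r\n" in text else "\n"
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = ANCHOR.match(line)
        if m:
            lines[idx + 1:idx + 1] = [m.group(1) + fl for fl in FIX_LINES]
            return nl.join(lines) + nl
    raise ValueError("anchor line 'user_name = user.User' not found")

def qualify_user_name(domain_name: str, user_name: str) -> str:
    """Python equivalent of the inserted VBScript condition: prefix the
    domain unless it is empty or the name is already a UPN (contains '@')."""
    if domain_name != "" and "@" not in user_name:
        return domain_name + "\\" + user_name
    return user_name

# Constructed sample of the unmodified block (CRLF, as on a Windows server).
SAMPLE = (
    "for each user in user_Vec.UserVec\r\n"
    "    if i = index then\r\n"
    "        user_name = user.User\r\n"
    "        exit for\r\n"
    "    end if\r\n"
    "next\r\n"
)
```

To use it on a server, read LoginChangePassword.inc, pass the contents through apply_fix, and write the result back only after the backup from step 1 exists.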


AUTHOR

Rainier Amara

Support Escalation Engineer - Microsoft Edge Security Team


REVIEWERS

Lars Bentzen

Sr. Escalation Engineer - Microsoft Edge Security Team