Configuring and Troubleshooting the Password Change Feature in ISA Server 2006
ISA Server provides a feature that allows users connecting to Outlook Web Access with forms-based authentication to change their password. You can inform a user that a password will expire in a specified number of days and allow the user to create a new password. Users can also change passwords that have expired.
Configuring the Change Password Feature
The change password feature is supported when clients input credentials using forms-based authentication, and ISA Server validates credentials using Windows (Active Directory) authentication or Lightweight Directory Access Protocol (LDAP) authentication. Before configuring this feature, note the following:
- You must use an LDAPS connection to the LDAP server or the domain controller. To use a secure LDAP connection, a server certificate must be installed on the LDAP server or domain controller. The certificate subject name must match the FQDN you will specify for the authentication server.
- The ISA Server computer must have the root certificate of the CA that issues the server certificate located in its Local Computer Trusted Root Certification Authorities store.
- When using LDAP authentication, you must create an LDAP Server set containing the LDAP servers that will be used to authenticate users. Configure the following settings for the LDAP Server set:
- Enable connecting to the LDAP server over a secure connection.
- Specify an FQDN for the LDAP server name. Ensure that the FQDN matches the subject name specified on the server certificate installed on the LDAP server or domain controller.
- Specify at least one logging expression to assign the LDAP server to a specific group of users.
- Disable use of the Global Catalog (GC).
- Specify the domain in which user accounts can be identified and details of an account that will be used to bind to the LDAP server and query the credentials of logged-on users.
- An account is required to bind to the authentication server and verify user name and password status. In the case of domain authentication, this must be a domain account with privileges to make changes to Active Directory®.
In the property pages of the Web listener you create for use in the rule that will publish Outlook Web Access, configure the option for users to change their password. Additionally, configure an expiry countdown warning.
After configuring the Web publishing rule correctly, users logging in using forms-based authentication are warned if their password expiry is approaching, and they have the opportunity to change their password before and after expiry.
For a complete walkthrough on publishing with forms-based authentication, see the following documents at the ISA Server Tech Center.
Changes in Service Pack 1
The ISA Server 2006 Service Pack 1 implementation of the change password feature was redesigned for improved security. If the user did not selected the Change Password check box on the logon form, ISA Server will check the password to ensure that it is valid and has expired. In this case, ISA Server displays the change password form.
Note that if you are using forms-based authentication with LDAP authentication, ISA Server is not able to perform this action and cannot provide automatic redirection to the change password form. This is because the LDAP provider can't validate passwords. When changing an expired password by using the LDAP provider, the user must select the Change Password check box on the logon form. Otherwise, the LDAP provider will not indicate to ISA Server that the password has expired, and the user will receive an error message regarding invalid credentials.
Common Issues with the Password Change feature
Password change functionality fails because no certificate is installed
Issue: Whether you are using LDAP authentication or Windows Active Directory authentication, an LDAPS connection on TPC port 636 is required to the authentication server.
Solution: For Windows authentication, obtain a certificate on the domain controller. For LDAP authentication, obtain a server certificate on the LDAP server. Ensure that the common name on the certificate matches the name of the authentication server.
For information on enabling LDAP over SSL with a third-party CA, see Microsoft article 321051.
Client logon is slow when running ISA Server on a computer with Windows Server 2003 Service Pack 2 or the Scalable Networking Pack Installed
Issue: This is caused by a NAT problem in Windows Server 2003 SP2 that is exposed when you enable Receive Side Scaling (RSS) or TCP/IP offloading on a network adapter.
Solution: See Knowledge Base article 555958.
Client logon is slow and server certificates used for Web publishing are configured with the default purpose settings "Server Authentication" and "Client Authentication"
Issue: When Windows Server 2003 detects the default purpose setting of "Client Authentication", the operating system attempts to perform TLS with mutual authentication to the domain controller. The mutual authentication process requires ISA Server to have access to the private key of the server certificate with the "Client Authentication" setting enabled, and ISA Server does not (and should not) have this access.
Solution: Ensure that all server certificates do not have the default "Client Authentication" purpose enabled. You can disable this setting on the property pages of the relevant server certificate as follows:
Disable Client Authentication purpose on a certificate
Open the Certificates Microsoft Management Console (mmc) snap-in. To add the Certificate Manager to the mmc, do the following:
- Click Start, and then click Run.
- Type mmc and then press ENTER.
- Select the File menu, and then select Add/Remove Snap-in.
- In the Add/Remove Snap-in box, and then click Add.
- Double-click the Certificates snap-in, select Computer Account, and then click Finish.
- Select Local Computer, and then click Finish.
- Close the dialog boxes.
In the Certificates mmc, click to expand the Certificates node, and then expand Personal.
Right-click the relevant certificate and then click Properties.
On the Details tab, click Edit Properties.
Select Enable only the following purposes, and clear the Client Authentication purpose.
Users logging on with LDAP authentication receive an Error page 500 message
Issue: Users may be entering credentials for which a logon expression has not been created. When you create a LDAP server set in ISA Server, you assign one or more logon expressions to it. These logon expressions ensure that user requests are handled correctly. For example, when you create a logon expression *@contoso.com, a user that enters credentials in the format firstname.lastname@example.org will succeed with the logon. If the logon expression did not exist, then the logon would fail.
Solution: Users must either log on using the format domain\username, or you must create a logon expression to handle the format with which the users logs on.
Users receive error "Password must meet minimum complexity requirements"
Issue: The default domain policy has a value or 1 or greater set for the minimum password age. For example if the minimum value is set to 1, then users cannot change the password more than once in 24 hours.
Solution: Set the minimum password age to 0.
After changing the password in Active Directory, users are still able to authenticate using their old password
Issue: Active Directory allows both the old password and the new password to be used for one hour, to allow for replication.
Solution: To confirm that this is not an ISA Server issues, log off, and then log on again using the old password. For information on a registry key to customize the time, see Knowledge Base article 906305.