Rod Payne, on the ISAserver.org message boards (http://forums.isaserver.org/m_2002027432/mpage_3/tm.htm), brings up an interesting problem, and from what I can tell, an undocumented "problem".
In Rod's words:
"With the help of all of the experience posted here thus far, I have reached the point where almost everything is working. The last problem I have is that if "user must change password at next logon" is set, they are not prompted to reset the password when logging in using FBA. Instead, they are returned to the logon page and have the message, "You could not be logged on to ISA Server. Make sure that your domain name, user name, and password are correct, and then try again." Not much of a clue for the user. I assume that the same thing will happen with a naturally expiring password (but it is harder to create a test case).
If they first select "I want to change my password after logging on", then they get the password change screen and they can change their expired password and log on.
Since password changes work, even on expired accounts, it looks like everything is set up correctly for LDAPS, certificates, web listener, etc.
When someone attempts to log on using an expired password, is it supposed to go to the change password page and have them change it, or are they supposed to know (somehow) that it is expired and that they need to check the "I want to change my password after logging on"?"
It does sound like a problem, since I know that in the past users were presented with information that they needed to change their passwords when their passwords expired. I made a few guesses trying to figure out what the problem was, but then Rod said that PSS told him that this behavior was "by design" and the case was closed. It seemed interesting that it was "by design" because there was no evidence of this behavior when the product was designed (i.e., RTM) 🙂
Jim Harrison jumped in and clarified things:
"ISA 2006 SP1 did change this behavior for FBA using LDAP as the credentials authority.
As CSS said, this is to help guard against auth attacks. If the attacker receives a "you must change your password" response, 1/2 the battle is won because he knows that the account is valid.
When ISA is allowed to participate as a domain member, it can use Windows calls to verify the account password status.
It's not possible for ISA to validate the account password status when using LDAP as a credentials authority and so only a valid logon is allowed to change a password."
So there you go. If you didn't know about this, you do now. If you hadn't read this, you probably wouldn't know, because there is no information about this change in the ISA 2006 SP1 doc 🙂
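To make Jim's point concrete, here is an added illustration (my own model code, not anything from ISA Server or from Rod's or Jim's posts) of why a logon form that answers "you must change your password" is an account-enumeration oracle, and of the SP1 behaviour Rod observed: with an LDAP credentials authority every failure gets the same generic message, and only a logon with a valid user name and password, where the user ticked "I want to change my password after logging on", reaches the change-password page. The user store, the messages of the "leaky" model, the candidate names and the attacker loop are all constructed for this example; how any real listener or directory actually reports password state is not claimed here.

```python
"""
Constructed model of two logon-response policies (example code, not ISA Server).

  uniform_errors=False  -> a listener that reports per-account password state
                           and distinguishes unknown users from bad passwords
  uniform_errors=True   -> the ISA 2006 SP1 + LDAP behaviour described above:
                           one message for every failure, change-password only
                           after a fully valid logon with the opt-in box ticked
"""
import hashlib
import hmac

# Message quoted in Rod's post; reused here as the single failure response.
UNIFORM_MSG = ("You could not be logged on to ISA Server. Make sure that your "
               "domain name, user name, and password are correct, and then try again.")


def _hash(pw: str) -> str:
    # Plain SHA-256 is enough for an in-memory demo; it is not a password KDF.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample directory. bob has "user must change password at next logon" set.
USERS = {
    "alice": {"hash": _hash("Winter2008!"), "must_change": False},
    "bob":   {"hash": _hash("Autumn2008!"), "must_change": True},
}
_DUMMY_HASH = _hash("dummy")  # compared against for unknown users (constant-time path)


def logon(user: str, password: str, *, uniform_errors: bool,
          change_after_logon: bool = False) -> tuple[str, str]:
    """Return (outcome, message). outcome is 'ok', 'fail' or 'change_required'."""
    rec = USERS.get(user)
    stored = rec["hash"] if rec else _DUMMY_HASH
    pw_ok = hmac.compare_digest(stored, _hash(password)) and rec is not None

    if not uniform_errors:
        # Leaky model: account state is reported before the password is checked,
        # and unknown users get their own message. Every branch is distinguishable.
        if rec is None:
            return ("fail", "Unknown user name")
        if rec["must_change"]:
            return ("change_required", "Your password has expired; you must change it")
        if not pw_ok:
            return ("fail", "Incorrect password")
        return ("ok", "Logged on")

    # Uniform model: a bad name and a bad password look identical, and password
    # state is never disclosed. The expired-password case only turns into a
    # change-password prompt when the credentials were valid AND the user opted in.
    if not pw_ok:
        return ("fail", UNIFORM_MSG)
    if rec["must_change"]:
        if change_after_logon:
            return ("change_required", "Enter a new password to complete logon")
        return ("fail", UNIFORM_MSG)   # what Rod saw: no hint that the password expired
    return ("ok", "Logged on")


def change_password(user: str, old: str, new: str) -> bool:
    """Only a valid logon (correct old password) may change the password."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["hash"], _hash(old)):
        return False
    rec["hash"] = _hash(new)
    rec["must_change"] = False
    return True


def enumerate_accounts(candidates: list[str], *, uniform_errors: bool) -> list[str]:
    """Attacker's view: submit a junk password for each candidate name and keep
    every name whose response differs from that of a name known not to exist."""
    baseline = logon("zz-no-such-user", "junk", uniform_errors=uniform_errors)[1]
    return sorted(name for name in candidates
                  if logon(name, "junk", uniform_errors=uniform_errors)[1] != baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]          # constructed candidate list
    print("leaky listener finds:  ", enumerate_accounts(names, uniform_errors=False))
    print("uniform listener finds:", enumerate_accounts(names, uniform_errors=True))
    print("bob, expired, no opt-in:", logon("bob", "Autumn2008!", uniform_errors=True))
    print("bob, expired, opt-in:   ",
          logon("bob", "Autumn2008!", uniform_errors=True, change_after_logon=True))
```

The leaky model returns "must change" and "unknown user" as distinct answers, so the attacker's loop recovers every valid name with a single junk password per guess. The uniform model hands back the same string Rod's users saw for every failure, which is exactly why his expired-password test looked like a plain wrong password; the cost is that the user has to know to tick the change-password box, as Rod found.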
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)