Users in remote forests cannot change their passwords through ISA Server 2006 or Forefront Threat Management Gateway 2010
“Consider the following scenario:
- You have a server that is running Microsoft Internet Security and Acceleration (ISA) 2006.
- You configured a Forms Based Authentication (FBA) listener by selecting HTML Form Authentication on the Authentication tab.
- The listener is configured to let users change their passwords.
- You used the functionality that is described in Microsoft Knowledge Base article 952675 to enable ISA 2006 to search for the user in multiple domains. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
952675 (http://support.microsoft.com/kb/952675/ ) You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains
- The account for the user who tries to log on is located in a domain in a remote trusted forest.
In this scenario, users cannot log on if their password is expired or if the account is set to User must change password at next logon. Error 1907 (ERROR_PASSWORD_MUST_CHANGE) is logged in the web proxy log…”
For other scenarios and fixes, check out the KB article over at http://support.microsoft.com/kb/2618727/
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)