Exchange 2010 with TMG - OWA Expired Password issue

    Question

  • When we set up a new user account, we check the box under account settings "User must change password at next logon". The problem is when the user logs on to a computer with a generic account and then tries to log in to OWA for the first time, they get

    You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again.

    If we remove the check from the account setup they log in just fine.

    Anyone know where the issue could be?

    Thanks

    Monday, January 09, 2012 10:33 PM

Answers

  • Hi Kevin,

    If OWA can change the password from internal, we need TMG to go back to the change password page and allow users to change their password.

    You can refer to the following article to resolve it.

    OWA Password Reset Tool and TMG

    http://www.uclabs.nl/archive/jaapwess/2011/11/05/owa-password-reset-tool-and-tmg/#comment-1273

    You can also run the hotfix instead of manual configuration.

    The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1 or if you use Microsoft Threat Management Gateway 2010

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;957859

    This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Wendy

    Thursday, January 12, 2012 3:30 AM

All replies

  • Yeah, don't do that.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Monday, January 09, 2012 10:54 PM
  • Hi Kevin,

    If you haven't enabled changing expired passwords and are using forms-based authentication, a user who must change their password will be returned to the sign-in page, and the following error message will be displayed: The user name or password you entered isn't correct. Try entering it again. If forms-based authentication isn't used for Outlook Web App, the user will be returned to the sign-in window but won't see any error message.

    For detailed information, please refer to the following link:

    Configuring the Change Password Feature in Outlook Web App

    http://technet.microsoft.com/en-us/library/bb684904.aspx

    Wendy

    Tuesday, January 10, 2012 10:04 AM
  • We have enabled changing expired passwords on the TMG and are using forms-based auth.
    Tuesday, January 10, 2012 9:44 PM
  • Hi Kevin,

    Please do the following steps:

    1. Log on to the Client Access server.
    2. Start Registry Editor (regedit).
    3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
    4. Create the following DWORD value if it doesn't already exist: ChangeExpiredPasswordEnabled. The value type will be REG_DWORD.
    5. Set the value of ChangeExpiredPasswordEnabled to 1.
    6. Exit Registry Editor.
    7. Restart the Internet Information Server using IISRESET.

    Verify whether this achieves the goal from internal, without TMG. It is OK in my lab.

    Verify external access with TMG. If it can't change the password, please install the update for TMG.

    FIX: You cannot change an expired password in an intranet Web application that is published by using Forms Based Authentication and LDAP authentication in ISA Server 2006 or in Forefront TMG 2010

    http://support.microsoft.com/kb/978970

    And you can also refer to the following article on a similar issue.

    http://blogs.dirteam.com/blogs/davestork/archive/2011/11/05/can-t-change-owa-password-at-first-logon-via-threat-management-gateway.aspx

    This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Wendy

    Wednesday, January 11, 2012 6:57 AM
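As an added example (not code from the thread or from Microsoft), the registry steps above as a PowerShell script to run in an elevated session on each Client Access server; the key path and value name are the ones given in the reply, the function names are my own.

```powershell
# Added example: enable and verify the OWA ChangeExpiredPasswordEnabled value.
# Key path and value name are from the reply above; run elevated on each CAS.

$OwaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$ValueName = 'ChangeExpiredPasswordEnabled'

function Get-OwaChangeExpiredPasswordState {
    # Returns $null when the value does not exist, otherwise its DWORD content (0 or 1).
    $item = Get-ItemProperty -Path $OwaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-OwaChangeExpiredPassword {
    # Returns $true when a change was made (so IIS needs a restart), $false otherwise.
    if (-not (Test-Path $OwaKey)) {
        throw "Registry key '$OwaKey' not found; is this an Exchange 2010 Client Access server?"
    }
    $current = Get-OwaChangeExpiredPasswordState
    if ($current -eq 1) {
        Write-Host "$ValueName is already 1; nothing to do."
        return $false
    }
    if ($null -eq $current) {
        # Step 4: create the REG_DWORD value because it does not exist yet.
        New-ItemProperty -Path $OwaKey -Name $ValueName -PropertyType DWord -Value 1 | Out-Null
    } else {
        # Step 5: the value exists but is not 1; set it.
        Set-ItemProperty -Path $OwaKey -Name $ValueName -Value 1
    }
    # Read the value back rather than trusting the write succeeded.
    if ((Get-OwaChangeExpiredPasswordState) -ne 1) {
        throw "Failed to set $ValueName to 1 under '$OwaKey'."
    }
    Write-Host "$ValueName set to 1."
    return $true
}

# Step 7: restart IIS so OWA picks up the new value; /noforce lets worker processes finish.
if (Enable-OwaChangeExpiredPassword) {
    & iisreset.exe /noforce
}
```

Run `Get-OwaChangeExpiredPasswordState` on its own to check the state without changing anything.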
  • The registry part we have done, but let me check on the hotfix http://support.microsoft.com/kb/978970 and I will update with what I find.
    Wednesday, January 11, 2012 2:30 PM
  • Our scenario:
    • We have OWA published by using Forms Based Authentication and Lightweight Directory Access Protocol (LDAP) authentication in Microsoft Internet Security Microsoft Forefront Threat Management Gateway (TMG) 2010.
    • We enable the Allow users to change their password option in the Web listener.

    We try to log on to OWA by using an expired password, and it does not go to the change password page; it displays this: "You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again."

    We are also on TMG 2010 SP2 and Exchange 2010 SP2.

    Below is an image of what happens after the correct password is entered.

    Wednesday, January 11, 2012 3:35 PM
  • Had a similar problem: was able to change the password locally through the EMC console but not through TMG. Same configuration, TMG in a domain but this particular Exchange 2010 is located in another domain, so I set up LDAP on the listener. To resolve the problem the following settings should be in place:

    Listener (Authentication tab -> LDAP -> Configure Validation Servers):

    • Use Global Catalog (GC): unticked
    • Connect LDAP servers over secure connection: ticked
    • User credentials used to access Active Directory to verify user account status and change account passwords (optional): fill in a user account with delegated "change password" permissions - my key resolution
    • Login Expression: * - UPN login in use

    Listener (Forms tab):

    • Allow users to change their password: ticked
    • Remind users that their password will expire in this number of days: ticked, 7

    Authentication Delegation: depends on the Exchange config, in my case NTLM

    Users: All Authenticated Users (or custom namespace)

    Hope it helps!

    Friday, February 01, 2013 4:56 PM