Publish OWA and password reminder
-
Monday 27 September 2010 06:48
Hello TMG-Admins,
I'm just trying to figure out a problem (?) with TMG and the possibility to remind the users that the password gets invalid in X days.
I configured TMG as a workgroup member inside the DMZ, LDAP-S is configured and is working fine, I have the possibility to change the password if wanted before OWA login.
But I wanted to remind the users X days before the password expires. I set the password reminder to 89 days, because the domain policy forces the password change every 90 days. I changed the password 4 days ago, so I should be asked today to change the password, but nothing came up. I just went back to TechNet and found something which sounds strange:
http://technet.microsoft.com/en-us/library/cc984426.aspx:
To configure a Web listener for password change
1. In the Forefront TMG Management console tree, click Firewall Policy.
2. In the details pane, click the applicable Outlook Web Access publishing rule.
3. On the Tasks tab, click Edit Selected Rule.
4. On the Listener tab, click Properties. Alternatively, you can first select a different Web listener from the drop-down list or click New to create a new Web listener for this rule.
5. On the Authentication tab, verify that HTML Form Authentication is selected.
6. On the Forms tab, do the following.
a. Select Use customized HTML forms instead of the default.
b. In Type the custom HTML form set directory, type only the name of the directory, such as MyForms, not its full path.
c. In the Display the HTML form in this language drop-down list, select the applicable language. For example, to ensure that the forms are displayed only in English, select English [en].
d. Select Allow users to change their passwords.
e. Select Remind users that their password will expire in this number of days, and then select the applicable number of days.
6a says to "Use customized HTML"? Why, and what should be the path for the URL?
Anybody have any idea?
Regards Data
MCSE / MCSA on Windows 2000 / 2003
All replies
-
Monday 27 September 2010 10:25
The default form can be selected by using ISA, and the Exchange-branded one by using Exchange in that field.
I wasn't aware that you specifically needed a custom form for this feature though; it is just located on the same page in the GUI.
I would also have thought that a password change reminder like 15 or 7 days before expiry would be better for users... this gives them a bit of warning.
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Monday 27 September 2010 10:30
Jason,
a. 89 days was just for testing... I wanted to see the reminder once, but it doesn't show up at all. Default form selected, but no password reminder comes up on my side.
b. The TechNet article, is that a little bit confusing or...?
Maybe I expect too much. I understand the reminder feature so that a pop-up comes up and tells me that my password will expire in x days.
Regards
MCSE / MCSA on Windows 2000 / 2003
-
Monday 27 September 2010 10:49
Hi Data,
It definitely works on a non-customised form.
Have you tried the alternate approach of setting a user's password expiry to something less than the default 15 days to trigger the event?
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Monday 27 September 2010 10:52
Jason,
Our domain is not 2008 schema, so I can only set one password policy... and that is 90 days.
But when 89 days is not working, why should 15 days work?
The form is not the problem. I believe that. How will that feature remind the user...? Pop-up?
Regards
MCSE / MCSA on Windows 2000 / 2003
-
Monday 27 September 2010 11:02
You get an additional screen after successful authentication; this prompts the user to change their password... they can change it then or choose 'Continue' to do it later.
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Tuesday 28 September 2010 21:32
OK... I thought I read somewhere that in order to change passwords you must use LDAP-S, which is fine; however, LDAP-S will not provide pop-up notification... is this true? I can change passwords fine, as I implemented the LDAP-S configuration as recommended with my root CA and configured as directed for Forefront; however, I get no pop-up. When this product was in beta, I was able to change passwords and get notification using the Windows authentication method for a listener, but I can clearly understand the LDAP-S requirement. What could I be doing wrong?
So what exactly gets entered into the box for customized HTML as requested above. I am not referring to an OWA site and this would be for SharePoint and generic web listeners.
One other thing, our policy when an ID is created is to force a password change on first login, will this process also cover that scenario?
Dave Durand
-
Tuesday 28 September 2010 23:37
LDAPS is required for password changes, yes.
You don't really get a "pop up", you just get an additional TMG form window after logon when you reach the X days.
I believe that the "change password on first logon" is supported, but could be wrong...
http://blogs.technet.com/b/isablog/archive/2007/08/23/password-change-with-fba.aspx
Make sure you are running SP1 and SP1 Update 1 for the most up to date fixes...
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
- Proposed as answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Thursday 30 September 2010 02:31
- Marked as answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Friday 1 October 2010 02:32
-
Wednesday 29 September 2010 22:47
Actually, I think what is happening is I'm getting the error stating the password does not meet policy requirements... this is when trying to log in with an expired password or one that needs to be changed on first login. I'll test this again and confirm.
Dave Durand
-
Saturday 23 October 2010 17:17
Hi both,
LDAP-S is definitely needed, but you "WON'T" get any pop-up if you set the password back in the AD MMC and set the trigger "User must change password at next logon". If you set that trigger, the user "must" choose the change password button on the FBA screen of TMG. That is what happens on OWA FBA. Without changing the PW you will not have the chance to log in. If assistance for LDAP-S is needed, give me a note.
Regards Timo
MCSE / MCSA on Windows 2000 / 2003
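The two behaviours the thread ends up distinguishing, a reminder X days before expiry versus a forced change when "must change password at next logon" is set, can be modelled from the AD attributes TMG reads over LDAP-S. The following is an added example (not code from the thread, from TMG or from Microsoft); it assumes pwdLastSet is an AD FILETIME with 0 meaning "must change at next logon", and maxPwdAge is the domain's maximum age as a negative tick count, and it replays the original poster's 90-day / 89-day / changed-4-days-ago scenario as constructed input.

```python
# Added example (not from the thread, TMG or Microsoft): when should TMG's
# form-based auth show the password-expiry reminder? Modelled from the AD
# attributes TMG reads over LDAP-S. Assumptions (mine): pwdLastSet is an
# AD FILETIME (100-ns ticks since 1601-01-01 UTC), 0 = "must change at next
# logon"; maxPwdAge is the domain's max age as a negative tick count.
import math
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
INT64_MIN = -(2 ** 63)          # maxPwdAge value meaning "never expires"

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(seconds=ft / TICKS_PER_SECOND)

def days_until_expiry(pwd_last_set, max_pwd_age, now):
    """Whole days left before the password expires, or None if it never does."""
    if max_pwd_age in (0, INT64_MIN):
        return None
    # maxPwdAge is negative, so subtracting it adds the max age to pwdLastSet
    expires = from_filetime(pwd_last_set - max_pwd_age)
    return math.floor((expires - now).total_seconds() / 86400)

def fba_action(pwd_last_set, max_pwd_age, remind_days, now):
    """What the FBA flow does after a successful logon, as described in the thread."""
    if pwd_last_set == 0:
        return "force-change"   # AD 'must change at next logon': no reminder screen
    days = days_until_expiry(pwd_last_set, max_pwd_age, now)
    if days is None:
        return "login"
    if days <= 0:
        return "expired"        # logon fails until the password is changed
    if days <= remind_days:
        return "remind"         # extra TMG form: change now or 'Continue'
    return "login"

# Constructed scenario from the thread: 90-day policy, password changed 4 days ago
NOW = datetime(2010, 9, 27, 6, 48, tzinfo=timezone.utc)
MAX_PWD_AGE_90D = -90 * 86400 * TICKS_PER_SECOND
CHANGED_4D_AGO = to_filetime(NOW - timedelta(days=4))

if __name__ == "__main__":
    print(days_until_expiry(CHANGED_4D_AGO, MAX_PWD_AGE_90D, NOW))  # 86
    print(fba_action(CHANGED_4D_AGO, MAX_PWD_AGE_90D, 89, NOW))      # remind
    print(fba_action(CHANGED_4D_AGO, MAX_PWD_AGE_90D, 15, NOW))      # login
    print(fba_action(0, MAX_PWD_AGE_90D, 89, NOW))                   # force-change
```

With an 89-day reminder and 86 days left, the reminder screen is expected; with the 15-day default it is not, and a pwdLastSet of 0 bypasses the reminder entirely in favour of a forced change.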