Users cannot change their password via UAG if there is a German Umlaut like ä,ö,ü in their distinguished AD name

  • Question

  • We are running Microsoft Forefront TMG UAG 2010 on a Windows Server 2008 R2 Datacenter, TMG SP1, UAG Update 1 & 2, all patches applied.

    External users can access applications inside our domain over a portal trunk. They get correctly authenticated through our AD. But users cannot change their password via the UAG portal trunk if there is a German Umlaut like ä,ö,ü in their distinguished AD name.
    Example:
    CN=Mueller\, John, CN=Users,DC=... can change his password
    CN=Müller\, John, CN=Users,DC=... cannot change his password

    Note that in the NT user name the users use to log on we do not use German Umlaute, so it is JMueller for Müller, John.

    The error in the Security log of UAG is:

    The user domain\\JMueller failed to change a password on trunk portal (secure=1) using authentication server German Branch. The source IP address is 111.111.111.111. The session ID is %[SessionId%]. The error code is There is no such object on the server. -- Extended Error --- LDAP Provider : 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=...' .

    So obviously UAG does not find the user object in our AD if it contains a German Umlaut in its DN.

    There is an easy way to verify this:
    If we open the Forefront UAG Management console and edit our Authentication Server Base DN to point directly to a user object and then try to apply the setting, we get two different messages depending on whether there is an Umlaut in the DN or not.

    If there is no Umlaut in the name, like Base DN CN=Mueller\, John, CN=Users,DC=... the message is correctly:
    Cannot locate any users or groups ... Enter a different Base
    because of course it cannot find any users below this folder. But the Base is identified.

    If there is an Umlaut in the name, like Base DN CN=Müller\, John, CN=Users,DC=... the message claims:
    The value of Base DN is invalid. Error mesage: No such object...
    It does not even find the folder!

    What we already tried is to use different system locales for our Windows Server 2008 R2 Datacenter. We tried from scratch (already during the installation of the server) both US English and German localization. But this does not change the behavior.

    We also verified with ldp.exe that all user objects are accessible from our UAG server.

    Finally we wrote a little PS script to change a password and executed it on the UAG server. The password could be changed for any user.

    So it seems that the problem is with Forefront UAG and the way it queries AD.

    What can we do?

    Friday, November 12, 2010 10:53 AM
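The diagnostics in the question come down to three things an administrator can check offline: how a DN with an umlaut must be escaped (RFC 4514), whether the DN produces the same bytes under UTF-8 (which LDAPv3 requires on the wire) and under a legacy ANSI code page, and which part of the requested DN the server's "best match of" hint says it could not resolve. The following Python 3 script is an added example written for this thread; it is not code from the original post, from UAG, or from Microsoft. The log line it parses is a constructed sample with the same shape as the one quoted above but a made-up domain (`DC=example,DC=com`). The cp1252-versus-UTF-8 comparison is a general consistency check and is labelled as such in the code; the thread does not confirm that an encoding mismatch is the actual cause of the UAG defect.

```python
# -*- coding: utf-8 -*-
# Added example, not part of the thread: RFC 4514 DN escaping for names with
# umlauts, a UTF-8 vs. ANSI wire-encoding check, and a parser for the
# "NO_OBJECT ... best match of" diagnostic quoted in the question.
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
RDN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value, hex_non_ascii=False):
    """Escape one attribute value for use in a DN.

    Non-ASCII characters such as ä, ö, ü are legal in a DN as UTF-8; RFC 4514
    also allows writing each UTF-8 byte as a \\XX hex pair, which keeps the
    DN pure ASCII. hex_non_ascii=True selects that form.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')
        elif ord(ch) > 127 and hex_non_ascii:
            out.append(''.join('\\%02x' % b for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns):
    """Build a DN from (attribute, value) pairs, most specific first."""
    return ','.join('%s=%s' % (attr, escape_rdn_value(val)) for attr, val in rdns)


def wire_encoding_matches(dn):
    """Consistency check (assumption, not a confirmed UAG root cause): LDAPv3
    carries DNs as UTF-8. Return True if a legacy Western code page (cp1252,
    as an ANSI application might use) yields the same bytes, i.e. the DN is
    safe whichever encoding a client happens to pick."""
    return dn.encode('utf-8') == dn.encode('cp1252', 'replace')


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes
    (so 'CN=Müller\\, John' stays one component)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts


# Matches the extended LDAP error text of the kind the UAG Security log shows.
LDAP_ERROR_RE = re.compile(
    r"LDAP Provider\s*:\s*(?P<code>[0-9A-Fa-f]{8}):\s*(?P<name>\w+):"
    r".*?problem\s+(?P<problem>\d+)\s+\((?P<problem_name>\w+)\)"
    r".*?best match of:\s*'(?P<best_match>[^']*)'",
    re.S,
)


def parse_ldap_error(log_text):
    """Pull the LDAP error code, problem name and 'best match' DN out of a log
    line. Returns None when the line carries no such extended LDAP error."""
    m = LDAP_ERROR_RE.search(log_text)
    return m.groupdict() if m else None


def unresolved_rdns(requested_dn, best_match_dn):
    """Return the leading RDNs of requested_dn that the server could not
    resolve: everything before the suffix equal to best_match_dn."""
    req = split_dn(requested_dn)
    best = split_dn(best_match_dn)
    if best and req[-len(best):] == best:
        return req[:-len(best)]
    return req  # nothing matched at all


# Constructed sample: same shape as the log line in the question, made-up domain.
SAMPLE_LOG = (
    "The user domain\\\\JMueller failed to change a password on trunk portal "
    "(secure=1) using authentication server German Branch. The error code is "
    "There is no such object on the server. -- Extended Error --- LDAP Provider : "
    "0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, "
    "best match of: 'CN=Users,DC=example,DC=com' ."
)

if __name__ == '__main__':
    dn = build_dn([('CN', 'Müller, John'), ('CN', 'Users'), ('DC', 'example'), ('DC', 'com')])
    print(dn)                                                    # CN=Müller\, John,CN=Users,DC=example,DC=com
    print(escape_rdn_value('Müller, John', hex_non_ascii=True))  # M\c3\bcller\, John
    print(wire_encoding_matches(dn))                             # False: ü is C3 BC in UTF-8 but FC in cp1252
    err = parse_ldap_error(SAMPLE_LOG)
    print(err['code'], err['problem_name'], err['best_match'])
    print(unresolved_rdns(dn, err['best_match']))                # ['CN=Müller\\, John']
```

Running the script shows the pattern the question describes: for `Mueller` both encodings agree and the whole DN resolves, while for `Müller` the best-match hint stops at `CN=Users,...` and `unresolved_rdns` returns exactly the RDN containing the umlaut. The same parser can be run over exported Security-log lines to list which users hit error `0000208D` rather than reading them by hand.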

Answers

  • Hi all,

    This seems like an issue which we have encountered already and which is fixed in the upcoming Service Pack 1 for UAG. If you wish to give it a try, you can download the Release Candidate of SP1 for UAG from the Microsoft Download Center, here.

    If you need a more immediate solution for UAG Update 2, I recommend you open a case with Microsoft Support, and we might be able to help you.

    Regards,

    -Ran
    • Marked as answer by Technetuser100 Tuesday, November 16, 2010 10:55 AM
    Tuesday, November 16, 2010 10:31 AM

All replies

  • Hello

    I'm also having this same problem. Have you found any other solution than to create a PS script which does the job? Have you attached the script to some inc or asp file?

    Thanks

    -teemu

    Tuesday, November 16, 2010 8:36 AM
  • Thank you Ran, this sounds quite good.
    Tuesday, November 16, 2010 10:56 AM
  • ... and it works! I just finished a test installation.
    Tuesday, November 16, 2010 1:17 PM
  • Glad to hear it!
    -Ran
    Tuesday, November 16, 2010 2:32 PM
  • hi all

    we've exactly the same problem/situation as "Technetuser100".

    we installed UAG SP1 but the problem still exists and the error in the security log of UAG is still the same:

    ...LDAP Provider: 0000208D NameErr...problem 2001 (NO_OBJECT)...

    any other ideas?

    best regards

    Wednesday, May 18, 2011 9:51 AM
  • Hi,

    we have the problem at a customer (even with SP1 Update-1) that you cannot log in with a German Umlaut in your password. Changing the password seems to be fine. Another problem seems to exist with the €-sign as the out-of-the-box ruleset does not allow this.

    Any ideas? I guess we need to talk to the MS support about this.

    Best regards

    Thomas

    Thursday, July 7, 2011 12:41 PM
  • Hi Thomas,

    Any progress with the problem in your environment?

    My problem still exists.

    Best regards

    Monday, August 8, 2011 8:18 PM
  • Hi

    Do you still have problems with passwords? I do. Users are using äö-characters and some special characters. Actually in my case there is a RADIUS server which does the actual authentication. I wonder if it's possible to configure the character set in UAG which it uses to send the password over RADIUS.

    br

    -teemu
    Tuesday, September 6, 2011 11:39 AM
  • Hi Teemu,

    last week we've identified a special character login.asp bug which occurs when UAG-to-RDRemoteApp SSO gets activated. Is this the case in your specific scenario?

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/5189fc0d-bc96-4e67-b847-e26c6038bc5f

    -Kai
    Tuesday, September 6, 2011 2:13 PM
  • Hello

    Actually not. My problem occurs when UAG is configured to use a RADIUS repository for authentication. My configuration at the moment is UAG, Microsoft NPS server as RADIUS, and with these I cannot use these characters in the password: ÄäÖöÜü +?ß!"§$%&/ .


    br -teemu
    Thursday, September 15, 2011 6:34 AM