Re-validate credentials in TAM while changing password

Hello All,
We are using TAM pass-thru authentication for logging into Sun IDM. Sun IDM is able to do passthru authentication once user is authenticated at TAM WebSEAL junction.
But we got a requirement in which user needs to enter his old password ( while changing his password) and we need to validate it against TAM.
I was looking for some out of the box module/solution including the default authenticate method in TAM adapter but it doesn't check for password.
I know this is a common scenario. Did anyone of you faced similar problem. Can you guide me towards a solution for this.
Thanks - Ravi

Hi Steve
Thanks for the reply, that explains it then.
As for the 14071 error, DirectoryServices or PasswordService didn't crash.
It seems it gets this error when doing dsDirCloseNode(), but I'm guessing it was trying to bind with the null LM hash, didn't get the connection, so the reference is invalid when it closes it.
Wonder how Vista does the change password, as I hear they've disable LM completely there ?
Cheers
Alan

Similar Messages

  • Error while changing password after Forgot password

    I have integrated OAM and OAAM in my environment. This issue occurs while accessing a protected resource.
    After clicking on forgot password and correctly answering the challenge questions, when I change the password, it shows me an error message: "There is a technical error processing your request"
    Here is the em console log:
    Reauth failed. authUser=VCryptAuthUser{loginId='user1', bharosaUserId='103', customerGroupId='Default', customerId='32_79fc2a666c32eb4cf1e645777821153d8b5d93a308e4275e351408e3f264f0c1', fullName='null', roles=null, securityPreferences={localeCountry=, status=2, imagePath=$base\keypad\200207091-001.jpg, personalNote=persuasive double, passwordUpdateTime=1358142920306, userType=1, isLocked=false, imageStatus=2, phraseStatus=2, secondFactor=0, passwordStatus=1, localeLanguage=en, email=null, isPinEnabled=false, pinUpdateTime=1358142920306, questionStatus=2, localeVariant=, authType=2, authMode=0, pinStatus=1}}, result=authReult=2, authErrorString=null
    I am working on 11gR2
    Any pointer would be appreciated.
    Thanks,
    Subin

    Were you able to resolve this? I'm seeing the same issue with the same logs.

  • Jython having issue importing weblogic modules for changing passwords

    I am trying to import some WLST modules into a Jython script as outline in the documentation at http://e-docs.bea.com/wls/docs92/config_scripting/config_WLS.html#wp1019971
    The strange thing is that it says it is a WLST script, but it appears to be a Jython script. I tried performing this import using WLST interactive mode, but this did not work.
    I am passing the passwords as encrypted strings while using the encrypt() function
    Here is the script:
    import sys
    from weblogic.management.security.authentication import UserPasswordEditorMBean
    #To be invoked by java -cp /usr/local/bea/wlserver_10.0/common/lib/jython.jar org.python.util.jython
    #usage: wlst.sh ResetWLPassword.py <current_pass> <user> <new_pass> <adminServerURL>
    #{3DES}/asdfadsf== -
    #{3DES}asdfafdsadsf== -
    myPass = sys.argv[1]
    myUser = sys.argv[2]
    newPass = sys.argv[3]
    adminServerURL = sys.argv[4]
    #Connect
    try:
    connect('weblogic',myPass,adminServerURL)
    except:
    print "Could not connect using supplied credentials"
    dumpStack()
    try:
    print "Changing password ..."
    atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
    atnr.changeUserPassword(myUser,myuser,newPass)
    print "Changed password successfully"
    except:
    print "Password change failed"
    dumpStack()
    I am receiving the following error message:
    java -cp /usr/local/bea/wlserver_10.0/common/lib/jython.jar org.python.util.jython /tmp/ResetWLPassword.py "{3DES}/adsfadsfadsf==" weblogic "{3DES}asdfadsfasd== " t3://localhost:7003
    sys-package-mgr: can't create package cache dir, '/usr/local/bea/wlserver_10.0/common/lib/cachedir/packages'
    Traceback (innermost last):
    File "/tmp/ResetWLPassword.py", line 2, in ?
    ImportError: No module named management

    blumo wrote:
    You are calling org.python.util.jython again instead of weblogic.WLST like I advised in my first post. Invoke WLST (not jython) and pass your values in cleartext. Like I said in my previous post, I was able to execute your script without issue when calling WLST and passing cleartext values (I did have to modify one line to due a bug in your script -- see my prior posts).This seems to work in terms of getting the code to run, but there is still a problem with passing the arguments to the changeUserPassword() method.
    I entered the sequence of commands in the script manually into WLST and it works without issue. It even works without the import, which is strange that Oracle includes it in their documentation.
    I am going to post the code here, perhaps there is something wrong syntax-wise with the way I am authenticating, but I can't put my finger on it.
    import sys
    from weblogic.management.security.authentication import UserPasswordEditorMBean
    myPass = sys.argv[1]
    myUser = sys.argv[2]
    newPass = sys.argv[3]
    adminServerURL = sys.argv[4]
    #Connect
    try:
    connect(myUser,myPass,adminServerURL)
    except:
    print "Could not connect using supplied credentials"
    dumpStack()
    try:
    print "Changing password ..."
    atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
    #atnr.changeUserPassword('weblogic','weblogic','12345678')
    atnr.changeUserPassword(myUser,myPass,newPass)
    print "Changed password successfully"
    except:
    print "Password change failed"
    dumpStack()
    throws:
    Connecting to t3://localhost:7003 with userid weblogic ...
    This Exception occurred at Mon Feb 23 11:50:18 PST 2009.
    javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User: weblogic, failed to be authenticated.]
         at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:42)
         at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:773)
         at weblogic.jndi.WLInitialContextFactoryDelegate.pushSubject(WLInitialContextFactoryDelegate.java:670)
         at weblogic.jndi.WLInitialContextFactoryDelegate.newContext(WLInitialContextFactoryDelegate.java:466)
         at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:373)
         at weblogic.jndi.Environment.getContext(Environment.java:307)
         at weblogic.jndi.Environment.getContext(Environment.java:277)
         at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:117)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at weblogic.management.scripting.WLSTHelper.populateInitialContext(WLSTHelper.java:498)
         at weblogic.management.scripting.WLSTHelper.initDeprecatedConnection(WLSTHelper.java:551)
         at weblogic.management.scripting.WLSTHelper.initConnections(WLSTHelper.java:303)
         at weblogic.management.scripting.WLSTHelper.connect(WLSTHelper.java:201)
         at weblogic.management.scripting.WLScriptContext.connect(WLScriptContext.java:60)
         at weblogic.management.scripting.utils.WLSTUtil.initializeOnlineWLST(WLSTUtil.java:121)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:160)
         at org.python.core.PyMethod.__call__(PyMethod.java:96)
         at org.python.core.PyObject.__call__(PyObject.java:248)
         at org.python.core.PyObject.invoke(PyObject.java:2016)
         at org.python.pycode._pyx6.connect$1(<iostream>:16)
         at org.python.pycode._pyx6.call_function(<iostream>)
         at org.python.core.PyTableCode.call(PyTableCode.java:208)
         at org.python.core.PyTableCode.call(PyTableCode.java:404)
         at org.python.core.PyTableCode.call(PyTableCode.java:287)
         at org.python.core.PyFunction.__call__(PyFunction.java:179)
         at org.python.pycode._pyx18.f$0(/tmp/ResetWLPassword.py:20)
         at org.python.pycode._pyx18.call_function(/tmp/ResetWLPassword.py)
         at org.python.core.PyTableCode.call(PyTableCode.java:208)
         at org.python.core.PyCode.call(PyCode.java:14)
         at org.python.core.Py.runCode(Py.java:1135)
         at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:167)
         at weblogic.management.scripting.WLST.main(WLST.java:106)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at weblogic.WLST.main(WLST.java:29)
    Caused by: java.lang.SecurityException: User: weblogic, failed to be authenticated.
         at weblogic.common.internal.RMIBootServiceImpl.authenticate(RMIBootServiceImpl.java:116)
         at weblogic.common.internal.RMIBootServiceImpl_WLSkel.invoke(Unknown Source)
         at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
         at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:479)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:475)
         at weblogic.rmi.internal.BasicServerRef.access$300(BasicServerRef.java:59)
         at weblogic.rmi.internal.BasicServerRef$BasicExecuteRequest.run(BasicServerRef.java:1016)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
    Could not connect using supplied credentials
    Changing password ...
    Password change failed

  • User cannot change password option is automatically getting unchecked while giving domain admin rights

    user cannot change password option is automatically getting unchecked while giving domain admin rights

    Greetings!
    "Domain Admins" falls into the category of protected groups and it is included in ADminSDHolder process. It is normal and was designed in order to prevent the modification to these privileged groups. More information on the link below:
    AdminSDHolder, Protected Groups and SDPROP
    Regards.
    Mahdi Tehrani   |  
      |  
    www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as
    and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.
    How to query members of 'Local Administrators' group in all computers?

  • Unable to change password while first logon on windows server 2008 R2 SP1 system

    Hi Team,
    Ad team has created new account for me with change password on first logon setting
    When I logged in on Windows Server 2008 r2 SP1 system with my new credentials I get a error message stating that
    "You must change your password before logging on the first time. For assistance, conatct your system administrator or technical support" 
    Concern:
    I do not get password change screen on first logon on the server. How should I change my password on first logon?

    Hi,
    I got resolution for above issue
    Run ==> type "tsconfig.msc" ==> double click "RDP-TCP" ==> change security layer to
    RDP Security layer ==> Apply ==> OK

  • While trying to change password getting ora-00600 [4842] - Plz help

    while trying to change password getting ora-00600 [4842] - Plz help
    database : 9.2.0.4
    o/s : Linux

    Hi,
    when getting an ORA-600 you always should contact Oracle support please ;-)
    To diagnose an ORA-600 the stack trace will be necessary - see the trace file mentioned in the alert.log when the ORA-600 did happen.
    But FIRST OF ALL you should definitely apply patch set 9.2.0.8 and see if this error happens again (metalink.oracle.com ==> PATCHES ==> Quick Links ==> <your platform>). Support will ask you to do the same before they start diagnosing anything in this case.
    And please keep in mind that 9.2.0 has reached end of Premier Support more than 1 year ago.
    Kind regards
    Mike

  • How to disable change password in finder while connecting to a network computer?

    Hi folks,
    I'd like to disable the Change Password option that shows when I want to connect into a network computer:
    - Both users (client and server) are already running with parental controls set to "prevent(s) the user from changing their password in the Users & Groups preference pane".
    Thanks in advance.

    Hi,
    I am also facing the same issue and I am not able to su to root user as the password is expired. and the user I am currently logged in does not have permission to change the root password. I just want to know how I can change the root password now? I am connected to my SPARC Solaris 10 T1000 server through hyperterminal.
    The worst thing is that, I do not have IP to the server through which I can try ssh to the server and change the password. Please let me know the solution if you know.
    Thanks in advance.

  • ISE and AD.. Users Cant login with domain credentials after changing password

    Hello guys,
    I have ISE 1.2 running in a live environment. I have a problem that users cant login after password has expired and changed. i have enabled password change under AD settings and have also checked the allow password change in the allowed protocols settings for PEAP with retries set to 3. 
    thanks for any help i can get in resolving this issue.

    You have the option to allow guests to change password in the portal settings?

  • While changing app store password i deleted the app store icon. now what???

    while changing pass word on my iphone for the app store i deleted the app store icon. now what do i do?

    it's not possible to delete build in apps from ios devices
    unless one somehow alter the firmware in a jailbraking way
    so 1 out of 3 things are likely
    1 you put it in some folder and it's still hiding there
    2 you remove it by adding it to restrictions in settings->general->restrictions
    3 something is rotten in the stake of the Ios firmware memorymap and doing a reboot of the ios device will solve it

  • Change Password in OBIEE 11.1.1.6.2

    Hi All,
    We are giving facility to the end users to change the respective password by logging into BI Publisher 11.1.1.6.2 where the Password Change Mechanism has been provided.So when the user change the password in Publisher then the same change will be reflected in OBIEE also.
    Now we have defined some rules for setting the password on Web-logic Console.SO when you try to change the password that rules should be applied while changing the password.
    Issue is that when you try to change the password in BI Publisher the rules are not getting applied.
    any help in this regard.

    Hi,
    I suggesting you better to go with LDAP athunthication. password changes everthing will be taking care by u r domain ctlr. no more option user to change password in obiee11g. the workaround i too tried it but its required couldn't completed its required webservices and j2ee/.net apexternal application code need to check it u r application code development team.drop me your email i can send my code.after getting this code u need to convert webservices and need to get discriptor jar/war file then need to deployit wia weblogic console.after theat JMX java bean need to run it
    In obiee11g users/roles are taking care by FMW.
    for the LDAP confuguration steps
    http://obieedue.blogspot.com/2012/01/obiee11g-integration-with-ldap-and.html
    Thanks
    Deva

  • I am getting a Changing Password Failed error when I try to join an active directory

    I had a working AD configuration under Snow Leopard. When I upgraded to Mountain Lion, my account was no longer in sync with the domain. I got the red dot on the login screen and my domain password was out of sync. I unhooked from the domain at that point. This was several months ago.
    However, over the last few weeks, I keep finding myself locked out of the domain. I suspect it's something on my Mac that is trying to use my old credentials. I was hoping to rejoin the domain and see if I could get my account back in sync. When I get a domain admin to enter his password on the Directory Utility join screen, it first notes that the computer account already exists in the domain. I tell it to continue, but I can't get past this point:
    2013-06-24 14:21:20.729935 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
    2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINE,OU=Default,OU=Workstations,OU=MyCity,OU=North America,DC=GLOBAL,DC=OURCORP,DC=NET'
    2013-06-24 14:21:20.732822 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x7faef36ed770'
    2013-06-24 14:21:20.733141 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service kdc for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.734196 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.734221 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741380 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741416 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.741619 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password
    2013-06-24 14:21:20.741637 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password using: MS set password in realm GLOBAL.OURCORP.NET
    2013-06-24 14:21:20.741648 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - using TCP since the ticket is large: 1560
    2013-06-24 14:21:20.741665 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service change_password for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.742867 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.742908 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745231 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745250 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
    2013-06-24 14:21:20.745417 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for '[email protected]' with error '' (3)
    2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
    2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

    Reggierror,
    Had the same issue and discovered that I made my AD object name too long (16 instead of 15 character which is the limit) You might want to try making the computer object name shorter if you can.

  • Using Jackrabbit User Manager programmatically for changing passwords and getting user data.

    I am trying to do a change password request using the Jackrabbit User Manager with the REST URL /system/userManager/user/<username>.changePassword.json.  The problem I am having is that this request requires an oldPwd form param in the request.  The issue is that when I am trying to do this request it is in response to the user selecting "Forgot Password" so our logic has created a random password which we then email to the user so they can use that the next time they want to login.  We need to change that user's password in CRX so they can log in using it next time.  Since they haven't logged in there is no session, NOT the problem.  THE PROBLEMS, I don't know 1. how to use the userManager to get that user's old password, since /system/userManager/user/<username>.json doesn't appear to return the password and 2. if I could get the old password it most certainly will be encoded, some how, so I will need some decoding algorithm to pass it through in order to get the actual password to set as the oldPwd form param to my change password request.  Please let me know if you require any further explanation.  Any assistance would be greatly appreciated.  Thank you, in advance, for your assistance.
    Sincerely,
    Mike Sucena
    [email protected]

    Hi Mike,
    msucena wrote:
    Justin:
    Does your response mean that until version 2.1.2 of Jackrabbit User Manager is released I cannot change the password without knowing the old password?
    No. It means that this feature is not available in version 2.1.0 of the Sling Jackrabbit User Manager bundle. It was added after that release. You have a number of options:
    Build the bundle from source.
    Use one of the SNAPSHOT bundles available from the Apache Snapshots repository.
    Use the release which is being voted upon now (https://repository.apache.org/content/repositories/orgapachesling-175/org/apache/sling/org .apache.sling.jcr.jackrabbit.usermanager/2.2.0/). (Note - we decided to use 2.2.0 as the version number rather than 2.1.2 as originally planned due to the scope of this release).
    Write a different servlet which performs the same actions.
    Meaning that being able to use either the credentials of the "Admin" user or using the credentials of a member of the "UserAdmin" group is not supported in the current released version 2.1.0?
    Correct. It was added after the 2.1.0 release.
      If I currently need the old password is there any Sling REST - Jackrabbit API call I can use in order to get the old password since using /system/userManager/user/<username>.json doesn't appear to return the password?
    -Mike
    The plain text password is not stored. And this should be considered a good thing.
    If you have questions about the development process we follow in Sling (or at Apache as a whole), by all means ask on the Sling users mailing list. It is reasonably well-established and we love to talk about it.

  • Windows 8.1 Pro not allowing to change password in Domain PC

    Dear MS Team,
    I am facing issue in while Changing AD domain Password in Windows 8.1 Pro. 
    it is giving message 
    "The security database on the server does not have a computer account for this workstation trust relationship. 
    For all 100 to 200 Pc's same error message. 
    even I tested by change on next logon option.
    Earlier there is option to patch remove

    Hi,
    This KB update applies to your DC and need a restart, seems like this is an known issue about October 2013 KB2883201
    You might get whole information about this issue from this old thread
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/991fba6a-c852-4537-b478-1207390d1451/change-a-password-problem-the-security-database-on-the-server-does-not-have-a-computer-account-for?forum=winservergen
    Regards,
    D. Wu
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • ISE 1.1 'Change password on next logon' fails on iPhone / iPad

    Hello -
    We're in the process of implementing an ISE 1.1 server for Guest Wireless Access / BYOD at our company and ran into an issue with authenticating from iPhones / iPads when the account is set with 'change password on next logon' (it's a local account created on the ISE server - not AD). It fails and displays 'unable to join network' on the iPhone. The ISE log shows a '5411: No response received in 120 seconds'. We're able to authenticate from Windows devices and are prompted to change the password during the authentication process. Has anyone else encountered this? If we uncheck the 'change password' box we can authenticate from iPhones & iPads without any issue but we need to have a way for users to set their own password.
    Thanks!
    Bill

    Hi,
    I am encountering the exact same issue in our lab environment, but with AD accounts (We would like customers to be able and connect to the dot1x network with their AD credentials, and based on machine authentication they will or will not get restricted access).
    Just to be clear: the change password functionality works perfect on laptops, but on ipad/android we just cannot connect to the dot1x (PEAP) network when the "change password on next login" checkbox is on.
    Anyone else who can shed some light on this?
    Thanks
    Tom

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
     I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG -- uses a listener for email.contoso.com and is configured for no authentication.This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NLTM\kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and use a publishing rule to publish the internal CAS. Allow users to change
    password is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an snp for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to login and change their password with "user must change password on first login"
    set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot login
    and change my password using the correct URL. However if I point my browser at
    http://192.168.4.10/owa I'm prompted to login and I can change my password using the sam credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
    Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user'spassword must be changed before logging on for the first time"
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature 
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

Maybe you are looking for