Allowing users to change their password, and "change password at next logon", with TMG
I have a SharePoint 2005 server running that I am publishing through TMG. This SharePoint site is for client and partner access, so I would like to set up AD accounts for those users and set their AD accounts to "User must change password at next logon". The web listener I'm using is form-based. The TMG server is on domainA.com and the server I'm publishing is on a sub-domain of that domain, clients.domainA.com. The auth servers are Active Directory. Currently nothing works for password management with this particular site. I can't even click change password and create a new password at login through the forms with TMG. I continue to get a password complexity requirement error even though there are no password complexity requirements. Any ideas here?
March 5th, 2012 2:47pm
Does anyone have any ideas regarding this?
March 7th, 2012 3:06pm
Do your domain controllers have certificates to accept LDAPS connections from TMG?
March 8th, 2012 12:54am
What certificate do they need? Is there any configuration on TMG that is needed or ports that need to be opened to support this if there is a firewall between TMG and the domain controller being used to authenticate to?
March 8th, 2012 8:19pm
Each domain controller will need a server authentication certificate; these can be from an internal CA or a public/third-party CA.
If you have a firewall deployed, you will need LDAPS (TCP636) open between the TMG servers and the domain controllers, in addition to LDAP (TCP389).
Cheers
JJ
March 8th, 2012 11:40pm
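The two requirements in the reply above (a server-authentication certificate on each DC, and TCP 389 plus TCP 636 open from TMG to the DCs) can be verified from the TMG server itself before touching the listener. The script below is an added example, not code from the thread or from Microsoft; the DC host names in `$DomainControllers` are assumptions and should be replaced with the DCs of both the root and the child domain, since the form-based listener may contact either. Run it on the TMG server so that the port tests cross the same firewall TMG does and `Verify()` uses the same trusted root store TMG will use.

```powershell
# Added example (not from the original thread). Checks, from the TMG box, that
# each domain controller answers on LDAP/389 and LDAPS/636, and that the
# certificate offered on 636 is one TMG could accept: Server Authentication EKU,
# a chain that builds from the local trusted roots, and a name matching the DC.
# Host names are assumptions; substitute your own root- and child-domain DCs.
$DomainControllers = @('dc1.domain.com', 'dc1.clients.domain.com')

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-LdapsCertificate {
    param([string]$ComputerName)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, 636)
    # Accept whatever the DC presents so we can inspect it; the checks below
    # do the real validation. TMG itself will reject an untrusted certificate.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

foreach ($dc in $DomainControllers) {
    $ldapOpen  = Test-TcpPort -ComputerName $dc -Port 389
    $ldapsOpen = Test-TcpPort -ComputerName $dc -Port 636
    Write-Host ("{0}  LDAP/389: {1}  LDAPS/636: {2}" -f $dc, $ldapOpen, $ldapsOpen)
    if (-not $ldapsOpen) {
        Write-Warning "$dc does not answer on 636: either no server cert is installed on the DC or the firewall blocks LDAPS"
        continue
    }

    $cert = Get-LdapsCertificate -ComputerName $dc

    # Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $ekuExt  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $hasServerAuth = $ekuOids -contains '1.3.6.1.5.5.7.3.1'

    # Subject Alternative Name, if present, should carry the DC's FQDN.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    $san = ''
    if ($sanExt) { $san = $sanExt.Format($false) }
    $nameMatches = ($san -match [regex]::Escape($dc)) -or ($cert.Subject -match [regex]::Escape($dc))

    # Verify() builds the chain against this machine's trusted roots and checks
    # validity dates and revocation, which is what TMG will also do.
    $chainTrusted = $cert.Verify()

    Write-Host ("  Subject : {0}" -f $cert.Subject)
    Write-Host ("  Issuer  : {0}" -f $cert.Issuer)
    Write-Host ("  Expires : {0}" -f $cert.NotAfter)
    Write-Host ("  SAN     : {0}" -f $san)
    Write-Host ("  ServerAuth EKU: {0}  Name matches: {1}  Chain trusted on this host: {2}" -f $hasServerAuth, $nameMatches, $chainTrusted)

    if (-not $hasServerAuth) { Write-Warning "$dc certificate lacks the Server Authentication EKU" }
    if (-not $nameMatches)   { Write-Warning "$dc certificate does not name $dc" }
    if (-not $chainTrusted)  { Write-Warning "$dc certificate does not chain to a root trusted on this TMG server" }
}
```

A DC that answers on 389 but not on 636 has either no usable certificate in its computer personal store or a firewall rule missing for TCP 636; a DC that answers on 636 but fails the chain check needs its issuing CA's root imported into the TMG server's Trusted Root Certification Authorities store. Because the listener may talk to a root-domain DC before the child-domain DC, as the next post in this thread describes, both sets of DCs need to pass.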
So I added the cert to the domain controller that is used for authentication requests for that particular site, and it still doesn't work. Let me explain the setup here and perhaps that will shed some light on things. I have one root domain, which is domain.com, and a sub-domain of that, which is clients.domain.com. This particular site uses clients.domain.com to authenticate its users. The web listener is currently being used for both domain.com and clients.domain.com. I placed the new cert on the clients.domain.com server in the personal store and opened port 636 (LDAPS) to that DC. TMG has been joined to domain.com. So if I watch the traffic once I try to sign onto the SharePoint server, I hit the form-based auth page no problem. If I have the user account I try to log in with set to change password at next logon and I watch what actually happens, TMG goes to the domain.com server on port 636, not to the clients.domain.com server. Should I have placed the DC auth cert under that server's personal store instead of under the personal store of clients.domain.com? Once I see that initial traffic going to the domain.com servers, then I see the auth (port 88) going to the clients.domain.com server. What are your thoughts here?
March 9th, 2012 10:16pm
Hi Justin
I have the same problem with publishing a SharePoint 2013 site through TMG - accounts with "user must change password at next logon" checked cannot access the SP site to enable them to change password, despite the site having Anonymous Access.
Did you ever reach a resolution?
Mark J
March 5th, 2015 6:15am