Channel: Forefront TMG and ISA Server forum

OWA password change problem


Hi All,

Spent last week troubleshooting this issue and in the end just had to roll back the change, as I was unable to find a solution to this.

Environment before change:

Two domains with an external trust. TMG SP2 and Win2008SP2 DCs in Domain1, Exchange 2010 SP2 RU5v2 CAS array and Win2008R2SP1 in Domain2. TMG is single NIC.

OWA rule which allows "All Users". Authentication delegation: Clients may authenticate directly. Listener: FBA - Active Directory.
On CAS: FBA authentication. Forms tab set to "Exchange", password change checked.

Users from Domain1 and Domain2 can authenticate and use OWA without problem, and when the administrator sets "must change password on next logon" they are prompted for a change and change the password via OWA.

Environment after change:

OWA rule has been changed. Authentication delegation changed to Basic and "All Users" changed to Global Security groups from both domains. This was done to pre-authenticate users on TMG and filter access to OWA based on group membership. In addition, OWA and ECP on the Exchange CAS have been changed from FBA to Basic to match the TMG delegation method.

After this change all works fine, users from both domains can log on to OWA and use their mailbox; however, users from Domain2 are unable to change their password by using the OWA options form or when the admin sets "must change password on next logon" on the account.

Troubleshooting:

So we read all about it and checked if LDAPS is configured correctly, as based on MS articles this OWA password change happens over LDAPS even when it's FBA with AD Windows Integrated pre-authentication on the listener. The root CAs from Domain1 and Domain2 are in the Trusted cert store on TMG, and the Issuing CAs are in the Intermediate cert store. All DCs have their computer certificates in their personal certificate stores. The LDAPS test from TMG is successful to all DCs.

We did packet capturing for Domain1 users and we can see that the password is being changed via LDAPS.

We did packet capturing for a Domain2 user and we can see that the Kerberos exchange ends with kerberosv5:KRB_ERROR - KDC_ERR_KEY_EXPIRED (23). No communication is initiated from TMG after that. When running diagnostic logging on TMG it ends up with this:

375716 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy The Web publishing rule OWA requires client authentication.
375717 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG denied the request with the following error: 0x00002FB1.
375718 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG completed checking the policy rules for the Web request.
375719 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG tries to authenticate connected client
375738 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy User authentication failed. The request was denied because the password for user USER1 expired. To resolve this problem, the user must request a new password in Active Directory.
375739 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The user's password must be changed before logging on the first time. (1907)"

Basically, TMG just informs the user from Domain2 that the password needs to be reset but does not offer a chance to change it, as it does for users from Domain1.

Any ideas? Thanks.
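When you are comparing diagnostic-logging output for many sessions like the one quoted above, it helps to correlate the lines per connection id instead of reading them one by one. The following script is an added example, not code from the original post or from Microsoft: it parses TMG diagnostic-log lines in the shape shown in the post, groups them by the first connection id, and reports which sessions were denied because of an expired password (the "password for user ... expired" message, the 0x00002FB1 error and the Win32 code 1907 in the final rejection). The sample log lines are constructed from the post's own lines plus an assumed second session for a user who was not denied, and the regular expression tolerates the missing space before "Web Proxy" that appears in the quoted output.

```python
"""Correlate Forefront TMG diagnostic-log lines into per-connection authentication outcomes."""
import re
from typing import Dict, List

# Constructed sample: the six lines quoted in the post (connection 0d2f135a) plus an
# assumed second session (0d2f1401) that does not hit the password-expired denial.
SAMPLE_LOG = """\
375716 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy The Web publishing rule OWA requires client authentication.
375717 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG denied the request with the following error: 0x00002FB1.
375718 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG completed checking the policy rules for the Web request.
375719 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG tries to authenticate connected client
375738 1.3.2013 11:59:16 0d2f135a 0d2f135bWeb Proxy User authentication failed. The request was denied because the password for user USER1 expired. To resolve this problem, the user must request a new password in Active Directory.
375739 1.3.2013 11:59:16 0d2f135a 0d2f135bWeb Proxy Forefront TMG rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The user's password must be changed before logging on the first time. (1907)"
375801 1.3.2013 12:03:41 0d2f1401 0d2f1402 Web Proxy The Web publishing rule OWA requires client authentication.
375802 1.3.2013 12:03:41 0d2f1401 0d2f1402 Web Proxy Forefront TMG tries to authenticate connected client
375803 1.3.2013 12:03:41 0d2f1401 0d2f1402 Web Proxy Forefront TMG completed checking the policy rules for the Web request.
"""

# Layout: sequence, date, time, connection id, request id, component, free-text message.
# The "\s*" before the component name tolerates the missing space seen in the post.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<conn>[0-9a-f]{8})\s+(?P<req>[0-9a-f]{8})\s*"
    r"(?P<component>Web Proxy)\s+(?P<msg>.*)$"
)
EXPIRED_RE = re.compile(r"password for user (?P<user>\S+) expired")
TMG_ERR_RE = re.compile(r"following error: (?P<code>0x[0-9A-Fa-f]+)")
WIN32_RE = re.compile(r"\((?P<code>\d+)\)\"?\s*$")  # trailing "(1907)" in the rejection line


def parse_lines(text: str) -> List[dict]:
    """Return one record per parseable log line; unparseable lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["seq"] = int(rec["seq"])
            records.append(rec)
    return records


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Group records by connection id and extract the authentication outcome per session."""
    sessions: Dict[str, dict] = {}
    for rec in records:
        s = sessions.setdefault(rec["conn"], {
            "user": None, "tmg_error": None, "win32_error": None,
            "password_expired": False, "messages": 0,
        })
        s["messages"] += 1
        msg = rec["msg"]
        m = EXPIRED_RE.search(msg)
        if m:
            s["user"] = m.group("user")
            s["password_expired"] = True
        m = TMG_ERR_RE.search(msg)
        if m:
            s["tmg_error"] = m.group("code")
        if "rejected the request" in msg:
            m = WIN32_RE.search(msg)
            if m:
                s["win32_error"] = int(m.group("code"))
    return sessions


def expired_password_denials(text: str) -> List[str]:
    """Connection ids that TMG denied because the account's password had expired."""
    return sorted(conn for conn, s in summarize(parse_lines(text)).items()
                  if s["password_expired"])


if __name__ == "__main__":
    for conn, s in summarize(parse_lines(SAMPLE_LOG)).items():
        print(conn, s)
    print("expired-password denials:", expired_password_denials(SAMPLE_LOG))
```

Run it against an exported diagnostic log instead of SAMPLE_LOG and compare the sessions flagged by expired_password_denials with the domain of each user: in the situation described in the post, every flagged session should belong to a Domain2 account, while Domain1 accounts never reach the 1907 rejection because their change goes through over LDAPS.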


