TMG2010 SP2 with rollups
Exchange 2010 latest SP
Win 2008 R2
Multiple forests, Exchange in a resource forest with users in another forest (two-way trust)
If users in either the resource forest or other trusted forests have a password which has not expired or does not need to be changed at next logon, the users can log on fine, and they can then use the OWA control panel to change their password if they wish.
When attempting to log on to OWA via TMG (which then forwards to the CAS servers (x2)) for a user in the resource forest who has the password set to change at next logon, it allows us to change the password no problem. However...
When attempting to log on to OWA for a user in a separate forest whose password has expired or has the option set to require a change of password at next logon, it does not allow the change and instead tells us
"You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again."
I have been researching for hours and found various alleged fixes, so here is what we have tried...
On the CAS servers: Enabling ChangeExpiredPasswordEnabled and resetting IIS
On the TMGs: http://support.microsoft.com/kb/957859 and http://support.microsoft.com/kb/2618727 and also http://www.jaapwesselius.com/2011/11/05/owa-password-reset-tool-and-tmg/ and also ensuring that the appropriate certificates from the domain controllers are installed...
So I'm not sure where to go next... given that it works for resource forest test users, is it something to do with the multiple-forest scenario?
Thanks
Gary
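As an added example, not part of Gary's post and not a Microsoft tool, the following PowerShell script checks the two things the post says were done: that the `ChangeExpiredPasswordEnabled` DWORD is set to 1 under the `MSExchange OWA` service key on each CAS server (with `-Fix` it sets it and restarts IIS), and that the domain controllers of the trusted forest answer on LDAPS (636/TCP) with a certificate the machine running the script trusts. The server names `CAS01`/`CAS02` and `dc01.users.example` are hypothetical, and the assumption that the password change needs a trusted LDAPS path from the TMG to a DC of the user's own forest (not only the resource forest) is mine; run the LDAPS part on the TMG itself, since it is the TMG that rejects the cross-forest logon.

```powershell
# Added example, not from the original post. Hypothetical names below.
param(
    [string[]]$CasServers = @('CAS01', 'CAS02'),           # hypothetical CAS names
    [string[]]$TrustedForestDCs = @('dc01.users.example'),  # hypothetical DC in the users' forest
    [switch]$Fix
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName = 'ChangeExpiredPasswordEnabled'

# 1. CAS side: the registry value that enables the expired-password change form in OWA.
foreach ($server in $CasServers) {
    Invoke-Command -ComputerName $server -ArgumentList $regPath, $valueName, [bool]$Fix -ScriptBlock {
        param($path, $name, $fix)
        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq 1) {
            "$env:COMPUTERNAME : $name is already 1"
        } elseif ($fix) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            & iisreset /noforce | Out-Null
            "$env:COMPUTERNAME : $name set to 1, IIS restarted"
        } else {
            "$env:COMPUTERNAME : $name is '$current' (expected 1); rerun with -Fix to set it"
        }
    }
}

# 2. TMG side: can this host reach the trusted forest's DC on 636 and does it trust the DC certificate?
function Test-Ldaps {
    param([string]$DomainController)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($DomainController, 636)
        # Accept any certificate during the handshake so we can inspect it; trust is checked below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)   # uses this machine's certificate stores
        New-Object PSObject -Property @{
            DomainController = $DomainController
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            TrustedHere      = $trusted
            ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } catch {
        New-Object PSObject -Property @{
            DomainController = $DomainController
            Subject          = ''
            Issuer           = ''
            NotAfter         = ''
            TrustedHere      = $false
            ChainStatus      = "ERROR: $($_.Exception.Message)"
        }
    } finally {
        $client.Close()
    }
}

$TrustedForestDCs | ForEach-Object { Test-Ldaps -DomainController $_ } |
    Format-Table DomainController, TrustedHere, ChainStatus, Subject, NotAfter -AutoSize
```

A DC that shows `TrustedHere = False` with a chain status such as `UntrustedRoot` means the issuing CA of that forest's DC certificate is not in the TMG's Trusted Root store, which is one concrete difference between the working resource-forest case and the failing cross-forest case that this script makes visible; a `False` result with a connection error means 636/TCP to that DC is not open from the TMG at all.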