Hello,
I have this configuration:
TMG 2010:
member of forest domain A
FBA with ldap/Enable change password
CAS 2010:
ChangeExpiredPasswordEnabled is 0
member of domain forest B
AD 2003 (forest domain B):
Trust relationship between forests A and B is set (bidirectional)
ADDefaultDomainPasswordPolicy has the values:
MaxPasswordAge : 00:00:00
MinPasswordAge : 00:00:00
The issue:
My account is not expired, because I can log on to all resources, BUT:
when I try to log on to OWA through TMG, it considers that my password has expired and asks me to change it. BUT when I try to log on to OWA directly (internal), OWA doesn't ask me to change my password.
When I check the AD attributes associated with my account, the ms-DS-User-Account-Control-Computed attribute is Password_expired and userAccountControl is set to 512 (normal account).
When I check Password never expires in the Account options, TMG doesn't ask me to change my password. So the attribute ms-DS-User-Account-Control-Computed is set to 0 and userAccountControl is set to 10200 (normal account/don't expire the password).
I wonder whether TMG checks the ms-DS-User-Account-Control-Computed attribute? Is it required to set Password never expires in the account options for all user accounts in order to avoid this behaviour on TMG?
Do you have any idea?
Regards
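
An added example, not part of the original post: a simplified Python model of how Active Directory derives the PASSWORD_EXPIRED bit in ms-DS-User-Account-Control-Computed from userAccountControl, pwdLastSet and the domain's MaxPasswordAge, useful for checking which input produces the values quoted above. The function names and sample dates are hypothetical, and the post's 10200 is read here as hexadecimal 0x10200 (an assumption).

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented UF_* values)
UF_NORMAL_ACCOUNT = 0x200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_SMARTCARD_REQUIRED = 0x40000
# Bit that AD reports in the computed attribute, not in the stored value
UF_PASSWORD_EXPIRED = 0x800000

# Accounts carrying any of these bits are never reported as expired
EXEMPT = (UF_DONT_EXPIRE_PASSWD | UF_SMARTCARD_REQUIRED | UF_INTERDOMAIN_TRUST_ACCOUNT
          | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)
FLAG_NAMES = {v: k[3:] for k, v in list(globals().items()) if k.startswith("UF_")}

# Constructed sample inputs
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
NEVER = timedelta(0)                    # MaxPasswordAge 00:00:00 = no maximum age
OLD_PASSWORD = NOW - timedelta(days=400)

def decode(value):
    """Names of the known bits set in a userAccountControl-style value."""
    return sorted(name for bit, name in FLAG_NAMES.items() if value & bit)

def computed_uac(uac, pwd_last_set, max_pwd_age, now=NOW):
    """Model of the computed attribute; pwd_last_set=None stands for pwdLastSet = 0."""
    if uac & EXEMPT:
        return 0
    if pwd_last_set is None:            # "must change password at next logon"
        return UF_PASSWORD_EXPIRED
    if max_pwd_age != NEVER and now - pwd_last_set > max_pwd_age:
        return UF_PASSWORD_EXPIRED
    return 0

if __name__ == "__main__":
    for uac, last_set in [(512, None), (512, OLD_PASSWORD), (0x10200, None)]:
        print(decode(uac), "pwdLastSet=0" if last_set is None else "pwdLastSet set",
              "->", decode(computed_uac(uac, last_set, NEVER)) or "not expired")
```

In this model, with MaxPasswordAge at 00:00:00 the only input that yields PASSWORD_EXPIRED on a 512 account is pwdLastSet = 0, so that attribute is worth reading alongside the two quoted in the post.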