Configuring the change password feature

The change password feature is supported when clients supply credentials by using forms-based authentication, and Forefront TMG authenticates clients by using either of the following methods:

  • Authentication with validation of client credentials by Active Directory on a domain controller.
  • Authentication with validation of client credentials by an LDAP server.

Note that both Active Directory and an LDAP server use the LDAP protocol for communication. Before configuring this feature, verify the following:

  • The connection to the LDAP server or Active Directory on the domain controller must be over secure LDAP (LDAPS). To use a secure LDAP connection, a server certificate must be installed on the domain controller. The common name on the certificate must match the fully qualified domain name (FQDN) that you specify for the authentication server.
  • The Forefront TMG computer must have the root certificate of the certification authority (CA) that issues the server certificate in the Trusted Root Certification Authorities store for the local computer.
  • When using LDAP authentication, you must create an LDAP server set containing the LDAP servers that will be used to authenticate users. Configure the following settings for the LDAP server set:
    • Enable connecting to the LDAP server over a secure connection.
    • Specify an FQDN for the LDAP server name. Ensure that the FQDN matches the common name specified on the server certificate installed on the LDAP server (domain controller).
    • Disable querying of the global catalog (GC).
    • Specify the domain in which user accounts can be identified and specify the details of an account that will be used to bind to the LDAP server and to query the credentials of logged-on users.
    • An account is required to bind to the authentication server and verify user name and password status. In the case of domain authentication, this must be a domain account with privileges to make changes to Active Directory.
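
The first two prerequisites above (a trusted certificate chain and a common name or DNS subject alternative name matching the FQDN you type into the LDAP server set) are the usual cause of a failed LDAPS connection, and both can be checked before touching the Forefront TMG configuration. The following script is an added example, not part of this documentation or of Forefront TMG; it assumes the domain controller listens on the standard LDAPS port 636 and that the machine it runs on trusts the same root CA that the Forefront TMG computer needs in its Trusted Root Certification Authorities store. The certificate dictionaries at the bottom are constructed to mirror the format returned by `ssl.SSLSocket.getpeercert()`.

```python
"""Pre-flight check for the LDAPS prerequisites of the change password feature.

Added example; it is not Forefront TMG code. Assumptions: the LDAP server
(domain controller) listens on TCP 636, and the host running this script
trusts the CA that issued the server certificate.
"""
import socket
import ssl

LDAPS_PORT = 636  # assumption: standard LDAPS port on the domain controller


def cert_names(cert):
    """Return (common_name, {dns_sans}) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    return cn, sans


def fqdn_matches_certificate(fqdn, cert):
    """True when the FQDN configured for the LDAP server set equals the
    certificate's common name or one of its DNS SANs (case-insensitive,
    exact names only; wildcard names are deliberately not accepted)."""
    cn, sans = cert_names(cert)
    wanted = fqdn.rstrip(".").lower()
    candidates = {name.rstrip(".").lower() for name in sans}
    if cn:
        candidates.add(cn.rstrip(".").lower())
    return wanted in candidates


def check_ldaps(fqdn, port=LDAPS_PORT, timeout=5.0):
    """Open a TLS session to fqdn:port the way a strict client would and report
    each prerequisite separately:
      trusted_root  - chain validated against the local trusted root store
      name_matches  - certificate CN/SAN matches the FQDN we connected with
      error         - reason text when a check did not pass
    """
    result = {"fqdn": fqdn, "trusted_root": False, "name_matches": False, "error": None}
    context = ssl.create_default_context()   # trusted roots of the local machine
    context.check_hostname = False           # name check is done explicitly below
    context.verify_mode = ssl.CERT_REQUIRED  # but the chain itself must validate
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Typical cause: the issuing CA's root certificate is not installed.
        result["error"] = f"chain not trusted: {exc.reason}"
        return result
    except OSError as exc:
        result["error"] = f"connection failed: {exc}"
        return result
    result["trusted_root"] = True
    result["name_matches"] = fqdn_matches_certificate(fqdn, cert)
    if not result["name_matches"]:
        cn, sans = cert_names(cert)
        result["error"] = f"certificate names {cn!r}/{sorted(sans)} do not match {fqdn!r}"
    return result


# Constructed sample certificates in getpeercert() format (not real data).
GOOD_CERT = {
    "subject": ((("commonName", "dc1.contoso.com"),),),
    "subjectAltName": (("DNS", "dc1.contoso.com"),),
}
# A certificate issued to the NetBIOS name only: a common misconfiguration
# that makes the FQDN check fail even though the chain is trusted.
SHORT_NAME_CERT = {"subject": ((("commonName", "DC1"),),), "subjectAltName": ()}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc1.contoso.com"  # placeholder FQDN
    print(check_ldaps(target))
```

Run it with the FQDN you intend to enter in the LDAP server set; both `trusted_root` and `name_matches` must be true before the Forefront TMG configuration can succeed. The script stops at the TLS layer and does not bind, so it says nothing about the bind account described in the last prerequisite.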

To create an LDAP server set

  1. In the Forefront TMG Management console tree, click Web Access Policy.

  2. On the Tasks tab, click Configure LDAP Server Settings.

  3. On the LDAP Servers tab, click Add to open the Add LDAP Server Set dialog box.

  4. Provide a name for the LDAP server set.

  5. Click Add to add each LDAP server name, description, and time-out period. The time-out period is the time, in seconds, during which Forefront TMG will try to obtain responses from an LDAP server before trying the next LDAP server in the ordered list. Note that you can change the order in which the servers are accessed by using the UP ARROW and DOWN ARROW keys.

  6. In Domain, provide the fully qualified domain name (FQDN) for Active Directory. Note that this is the domain in which the user accounts are defined, and not the domain to which Forefront TMG is joined.

  7. Select Use Global Catalog if Forefront TMG needs to query the global catalog on the LDAP server. For the change password feature, leave this option cleared.

  8. Select Connect LDAP servers over secure connection if you want to encrypt the LDAP communication (use the LDAPS protocol).

  9. You can type the credentials used to connect to Active Directory for verifying user account status and changing account passwords. This enables you to have password management functionality for HTML form authentication. For more information, see Form preferences.

  10. Click OK to close the Add LDAP Server Set dialog box.

  11. In Login Expression, click New to add a login expression. A login expression allows you to assign an LDAP server set to a specific group of users. For example, you can assign one LDAP server set to the users FABRIKAM\*, and another LDAP server set to the users CONTOSO\*. Forefront TMG attempts to match the login expressions in the listed order. You can change the order using the UP ARROW and DOWN ARROW keys.

  12. Click Close.

  13. In the details pane, click the Apply button to save and update the configuration, and then click OK.

Notes

  • For more information about authentication in Forefront TMG, see Overview of client authentication.
  • When configuring Forefront TMG for LDAP authentication, the configuration of the LDAP servers applies to all rules or network objects that use LDAP authentication.

Configuring a Web listener for password change

For the Web listener associated with an Outlook Web Access publishing rule that uses forms-based authentication, use the following procedure to allow users to change their password.

To configure a Web listener for password change

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. In the details pane, click the applicable Outlook Web Access publishing rule.

  3. On the Tasks tab, click Edit Selected Rule.

  4. On the Listener tab, click Properties. Alternatively, you can first select a different Web listener from the drop-down list or click New to create a new Web listener for this rule.

  5. On the Authentication tab, verify that HTML Form Authentication is selected.

  6. On the Forms tab, do the following.

    1. Select Use customized HTML forms instead of the default.
    2. In Type the custom HTML form set directory, type only the name of the directory, such as MyForms, not its full path.
    3. In the Display the HTML form in this language drop-down list, select the applicable language. For example, to ensure that the forms are displayed only in English, select English [en].
    4. Select Allow users to change their passwords.
    5. Select Remind users that their password will expire in this number of days, and then select the applicable number of days.

  7. Click OK, and then click OK again to close the dialog boxes.

  8. In the details pane, click the Apply button to save and update the configuration, and then click OK.

After configuring the Web listener for the Outlook Web Access publishing rule correctly, users logging on by using forms-based authentication are warned if their password is about to expire, and they have an opportunity to change their password before and after it expires.