Solved

Can't authenticate via IIS with User Must Change Password at next Logon

Posted on 2009-03-31
14
841 Views
Last Modified: 2012-05-06
Hey Experts,

I'm having an odd issue. A coworker installed sharepoint on an IIS server and I'm not sure what else was done, but now no users can authenticate via ANY IIS server when the User Must Change Password at next Logon is selected. Otherwise it authenticates fine. I thought it might have been because he wiped out the IISADMPWD feature on that one partifuclar server, but no IIS server allows me to authenticate/change password anymore. please advise!
0
Comment
Question by:njmatt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
14 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24030306
This behaviour is by design.  Once a password expires, access to all domain resources is chopped.

The user would have to logon to the domain first, and set their new password in order to access the sharepoint server.

Once they've done this, there should be no authentication prompt.
If a user is working remotely,....you can set the password for them, and they can continue normally.
0
 
LVL 1

Author Comment

by:njmatt
ID: 24030446
Understood, but it has always prompted for a password-change up until recently right within the browser using IISADMPWD.
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24030732
0
Raise the IQ of Your IT Alerts

From IT major incidents to manufacturing line slowdowns, every business process generates insights that need to reach the people required to take action. You need a platform that integrates with your business tools to create fully enabled DevOps toolchains.

You need xMatters.

 
LVL 1

Author Comment

by:njmatt
ID: 24031973
thanks. I just discovered that Firefox gets the change password screens, but IE does not and fails to authenticate. Any ideas what would cause this now?
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24031983
Try putting it in the trusted sites zone,...or allowing popups for the sharepoint site.
0
 
LVL 1

Author Comment

by:njmatt
ID: 24032140
OK that allowed me to the change password screen in IE. I've now narrowed it down to the wildcard application maps (JRUN) that do not forward you to the password change screen. ???
0
 
LVL 1

Author Comment

by:njmatt
ID: 24032163
that is, in IE only. firefox everything works. IE everything works except the wildcard apps (domain.com/app)
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24032267
Since the wildcard mappings for CGI apps are working without issue in Firefox, it's implied to me that this is probably some security setting in IE.  I would think if it were a configuration error on the server that it wouldn't work at all.

agree ?

So at least we have it popping up now....  but the obvious question remains...  what has changed ?
Any windows updates that were recently applied ? Group policy changes ?

Just as a test...temporarily lower your security level on the trusted sites zone.  Set it all the way to low and give it a try.
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24032359
after the password prompt...what page error number are you getting right now if any ?

0
 
LVL 1

Author Comment

by:njmatt
ID: 24032403
HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.
Internet Information Services (IIS)
0
 
LVL 1

Author Comment

by:njmatt
ID: 24032407
it also should be locking me out for so many failed attempts, but it does not
0
 
LVL 1

Author Comment

by:njmatt
ID: 24032546
to further complicate things I just tried logging into outlook web acces on a competely different IIS server and it has the same behavior with "Error: Access denied"
what dot he wildcard apps and OWA have in common?
0
 
LVL 25

Accepted Solution

by:
Ron Malmstead earned 500 total points
ID: 24032573
401.2 Denied by Server Configuration
This error indicates that the web server is configured to require certain authentication protocols for communication, but the browser failed to use any of those authentication protocols. The corrective action should be to either configure to require an authentication protocol acceptable to the client, or use a client that satisfies the server authentication protocol requirements.

Obviously a browser issue.

David Wang is a genius....read this.
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

See the attached pic.... what does you settings in IE look like ? and is it controlled by group policy or no ?
IE-Advanced-Settings.JPG
0
 
LVL 1

Author Closing Comment

by:njmatt
ID: 31564889
thanks!
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
Article by: Justin
In light of the WannaCry ransomware attack that affected millions of Windows machines, you might wonder if your Mac needs protecting. Yes, it does and here is how to do it.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question