When a password is about to expire in X days, Forefront gateway won't let user into OWA

This one has had me scratching my head for a while...
When any user whose password is due to expire within the warning window (Windows popup saying password will expire in 14 days or less) tries to log in to Outlook Web App from "outside" the domain, i.e. from home, the Forefront TMG won't allow him in. It says make sure your username, domain, or password is correct. Does that make sense? We've had quite a few hands on our Exchange servers over the last year. Not sure when exactly it broke. Any helpful hints would be greatly appreciated.
mauisunAsked:
scrabyCommented:
Where are they getting the message "make sure your username, domain, or password is correct"? Are they getting to the OWA page and then getting the error there? If they are getting to the page then I don't think TMG is going to have anything to do with it, since the login page is already served.

If that is the case then I would be looking more in IIS settings.
0
mauisunAuthor Commented:
Thanks for your comment...
When I go to webmail and see the OWA login page, I type in my credentials and a Forefront page comes up telling me to try again.
This only happens if my password is due to expire within our 14-day window.
0
scrabyCommented:
This one is over my head... I searched the web and found lots of stuff about already expired passwords but nothing about expiring passwords. Reading a bit, I would check permissions and authentication under your publishing rules in TMG. There are lots of mentions to use form authentication. Here's a somewhat similar question on Experts Exchange:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27608346.html

It seems as though an expiring password is not authenticated using TMG. This is the user's AD domain password, correct?
0

mauisunAuthor Commented:
That is correct.
0
scrabyCommented:
Can they log into OWA internally with the expiring password?
0
mauisunAuthor Commented:
I'm looking at our TMG. We have a rule to allow for OWA. It is set for HTML forms auth with LDAP.
0
mauisunAuthor Commented:
Yes, they can log in internally without issue.
0
mauisunAuthor Commented:
They never touch the TMG from the inside.
0
scrabyCommented:
Is the TMG box a member of your domain?
0
mauisunAuthor Commented:
No. It has two NICs, one on the inside and one out.
0
mauisunAuthor Commented:
I'm looking at the links that were posted. It looks like we have it right. The only difference is LDAP versus AD auth.
0
scrabyCommented:
How is it checking user credentials with AD if it's not a member?
0
mauisunAuthor Commented:
It has an OWA rule that passes authentication to specified DCs.
0
mauisunAuthor Commented:
http://www.isaserver.org/articles-tutorials/configuration-general/Publishing-Outlook-Web-Access-Microsoft-Forefront-TMG.html

shows how to do it.
We have everything the same, more or less, minus the fact we are using Windows LDAP to authenticate instead of Windows AD.
0
scrabyCommented:
Not sure about the last comment; it's my understanding that LDAP is the protocol to query AD. Are you using an LDAP listener? If you are, then check in the properties of it to see if there is a mention of expiring passwords.

I know enough to ask questions to maybe give you some ideas.
0
mauisunAuthor Commented:
I'll get to checking.
0
mauisunAuthor Commented:
Here's something odd...
In Forefront on the access rule, under forms, I have it set to remind users of expiring passwords 7 days out. GPO says 14. Test user could log in. His password expires in 12 days. When I change the form reminder to 14 or 13 days, he could log in. When I change it to 12, he cannot.
0
mauisunAuthor Commented:
Correction:
His password expires in 10 days...

With the TMG form password reminder set to the following values I get the results listed:

reminder (days) | login result
15              | no
14              | no
13              | no
12              | no
11              | no
10              | no
9 and below     | yes
0
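An added Python example, not from this thread and not TMG's own code: it computes days-until-expiry from AD's pwdLastSet and maxPwdAge attributes and applies the rule the table above shows (logon rejected whenever the form's reminder window is at or beyond the days left), so an admin can list which accounts a given reminder setting would lock out of OWA. The 90-day policy, the fixed "now" and the user records are constructed sample data, and the logon rule is a model of the observed behaviour, not a statement of how TMG implements it.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UAC_DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag

def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME ticks (used here only to build sample data)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def filetime_to_datetime(ticks):
    """FILETIME ticks -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def days_until_expiry(pwd_last_set, max_pwd_age, now):
    """Whole days until expiry. maxPwdAge is the domain policy value: negative
    100-ns ticks, e.g. -77760000000000 for a 90-day password lifetime."""
    lifetime = timedelta(microseconds=abs(max_pwd_age) // 10)
    return (filetime_to_datetime(pwd_last_set) + lifetime - now).days

def tmg_ldap_logon_allowed(days_left, reminder_days):
    """Model of the thread's observation (not TMG's own logic): with LDAP forms
    auth, logon failed once the reminder window reached the expiry date."""
    return reminder_days < days_left

def triage(users, max_pwd_age, now, reminder_days):
    """Return (name, days_left) for each user the published OWA rule would reject.
    users: (sAMAccountName, pwdLastSet, userAccountControl) tuples."""
    rejected = []
    for name, pwd_last_set, uac in users:
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            continue  # password never expires, so no warning window applies
        # pwdLastSet == 0 means "must change password at next logon": 0 days left
        days_left = 0 if pwd_last_set == 0 else days_until_expiry(pwd_last_set, max_pwd_age, now)
        if not tmg_ldap_logon_allowed(days_left, reminder_days):
            rejected.append((name, days_left))
    return rejected

# Constructed sample data: 90-day domain policy and a fixed "now" for reproducibility.
NOW = datetime(2013, 1, 1, tzinfo=timezone.utc)
MAX_PWD_AGE_90_DAYS = -90 * 86400 * TICKS_PER_SECOND
SAMPLE_USERS = [
    ("alice", datetime_to_filetime(NOW - timedelta(days=80)), 0x200),   # expires in 10 days
    ("bob",   datetime_to_filetime(NOW - timedelta(days=30)), 0x200),   # expires in 60 days
    ("carol", 0, 0x200),                                                # must change at next logon
    ("dave",  datetime_to_filetime(NOW - timedelta(days=400)), 0x200 | UAC_DONT_EXPIRE_PASSWORD),
]
```

Calling `triage(SAMPLE_USERS, MAX_PWD_AGE_90_DAYS, NOW, 14)` lists alice (10 days left) and carol, while a 9-day window lists only carol, matching the thread's table.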
mauisunAuthor Commented:
I have just changed the setting to 1 day on the TMG. In OWA, it notifies the user at the top that their password will expire in X days.

Thanks for your help.
0
scrabyCommented:
Good find!
0
mauisunAuthor Commented:
I accepted my own comment as the solution because I figured out the error. However, I gave points to "scraby" as one of his posts led me to research a different area.
0