I recently wrapped up a large TMG deployment in support of a new Exchange 2010 resource forest and there were a lot of lessons learned (read: issues that needed to be overcome), so I figured I would try to capture the main ones for the blogosphere.
Part 2 of 3 – OWA Login Issues (Account is Disabled??)
This article assumes a fairly decent knowledge of both TMG and Exchange. It is not meant to be a detailed step-by-step configuration guide. All steps should be tested prior to production rollout.
This particular issue started happening when I enabled the ability for users to change their passwords from the TMG login page. Immediately after that, when logging on to OWA with an account from the account forest (which is the account connected to the Exchange 2010 Linked Mailbox), TMG says the account is disabled (and it’s not). One of the key items here is that the sAMAccountName is the same on both accounts.
I found a KB article about the exact same issue, but for ISA. The issue is in the additional things TMG does behind the scenes during login to determine password age and expiration. It stops on the first account it finds, which is the one in TMG's local domain, which is in fact disabled as it is in the resource forest, so you are denied. To verify, we turned off the password stuff in TMG and it began to work properly again. The fix for the ISA issue was to apply a hotfix, then run a script to enable the new functionality. Since TMG uses the same code base as ISA, I made the assumption that the hotfix code was already part of TMG and all we would need to do is run the script. The assumption turned out to be correct; just run the script in the KB article below on your TMG servers. I think you only need to run it on one server in each array (didn't make a note of that), but it won't hurt to run it again on each node.
Associated ISA KB: http://support.microsoft.com/kb/952675
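To confirm you are hitting this exact symptom before touching the TMG configuration, it helps to see what a name-only lookup returns from each forest. The snippet below is an added diagnostic example, not the KB 952675 script and not anything from the original post; it assumes the ActiveDirectory PowerShell module, one reachable domain controller in the resource forest (the domain TMG is joined to) and one in the account forest, and a test user that exists under the same sAMAccountName in both. The DC names and the user name are placeholders.

```powershell
# Added diagnostic example (not the KB script, not the author's code).
# Assumes the ActiveDirectory module and reachability to a DC in each forest.
Import-Module ActiveDirectory

$sam        = 'jdoe'                       # placeholder: sAMAccountName shared by both accounts
$resourceDC = 'dc01.resource.example'      # placeholder: forest/domain TMG is joined to
$accountDC  = 'dc01.accounts.example'      # placeholder: forest holding the real user

# Query each forest by name only, the way a first-match lookup would behave.
foreach ($dc in @($resourceDC, $accountDC)) {
    $u = Get-ADUser -Server $dc -Filter "sAMAccountName -eq '$sam'" `
            -Properties Enabled, PasswordLastSet, PasswordExpired -ErrorAction SilentlyContinue
    if ($null -eq $u) {
        Write-Output "$dc : no account named $sam"
        continue
    }
    [pscustomobject]@{
        Server          = $dc
        DistinguishedName = $u.DistinguishedName
        Enabled         = $u.Enabled
        PasswordLastSet = $u.PasswordLastSet
        PasswordExpired = $u.PasswordExpired
    }
}

# For a linked mailbox the authoritative account is the one in the account forest;
# the resource-forest copy is expected to be disabled. If the resource-forest row
# shows Enabled = False and the account-forest row shows Enabled = True, a lookup
# that stops at the first match (the resource forest) will report "account disabled"
# even though the user's real account is fine, which is the behaviour described above.
```

Run it from a machine that can reach both forests (a TMG node usually can, since it has to authenticate account-forest users). If only the resource-forest row comes back disabled, the symptom matches the post; if the account-forest row is also disabled or missing, you have a different problem and the KB script will not help.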