I have a sharepoint 2005 server running that I am publishing through TMG. This sharepoint site is for client and partner access so I would like to setup AD accounts for those users and set their AD accounts to "User must change password at next logon". The web listener I'm using is form based. The TMG server is on domainA.com and the server i'm publishing is on a sub of that domaing clients.domainA.com. The auth servers are active directory. Currently nothing works for password management with this particular site. I can't even click change password and create a new password at login through the forms with TMG. I continue to get a password complexity requirement error even though there are no password complexity requirements. Any ideas here?

Does anyone have any ideas regarding this?

Do your domain controllers have certificates to accept LDAPS connections from TMG?

What certificate do they need? Is there any configuration on TMG that is needed or ports that need to be opened to support this if there is a firewall between TMG and the domain controller being used to authenticate to?

Each domain controller with need a server authentication certificate; these can be from an internal CA or a public/third-party CA.

If you have a firewall deployed, you will need LDAPS (TCP636) open between the TMG servers and the domain controllers, in addition to LDAP (TCP389).

Cheers

JJ

http://blogs.technet.com/b/isablog/archive/2007/08/23/password-change-with-fba.aspx

So I added the cert to the domain controller that is used is used for authentication requests for that particular site and it still doesn't work. Let me explain the setup here and perhaps that will shed some light on things. I have one root domain which is domain.com and a sub domain of that which is clients.domain.com. This particular site uses clients.domain.com to authenticate its users. The web listener is currently being used for both domain.com and clients.domain.com. I placed the new cert on the clients.domain.com server in the personal store and opened port 636 (LDAPS) to that DC. TMG has been joined to domain.com. So if I watch the traffic once I try to sign onto the sharepoint server I hit the form based auth page no problem. If I have the user account I try and login with set to change password at next logon and I watch what actually happens. TMG goes to the domain.com server on port 636 not to the clients.domain.com server? Should I have placed the dc auth cert under that servers personal store instead of under the personal store of clients.domain.com? Once I see that initial traffic going to domain.com servers, then I see the auth (port 88) going to clients.domain.com server. What are your thoughts here?

Hi Justin

I have the same problem with publishing a SharePoint 2013 site through TMG - accounts with "user must change password at next logon" checked cannot access the SP site to enable them to change password, despite the site having Anonymous Access.

Did you ever reach a resolution?

Mark J