Can’t change OWA password at first logon via Threat Management Gateway?

Reading Time: 2 minutes

During the first stages of delivering services of our newly built infrastructure to end-users, we came across an annoying issue.

Exchange was the first to be accessed, but specifically through Outlook Web App (OWA). As the users where migrated from eDIR and GroupWise, they would get credentials from us. As a security measure we wanted to make a password change at first logon mandatory.

I knew there were issues with Exchange 2010, but they were resolved with Service Pack 1. But even so, OWA us published via Threat Management Gateway 2010 (TMG). It was also configured that authentication would have to take place on TMG and it was not permitted to pass authentication to the published server.

The guidelines for password change at first logon where implemented, as described by Exchange MVP Jaap Wesselius in this post. But unfortunately it didn’t work:


I’ve checked several things:

Exchange 2010 had Service Pack 1, Threat Management Gateway had Service Pack 1. Furthermore, the TMG server server was a domain member which eliminated the need for secure LDAP. The used accounts and passwords did meet the required password complexity requirements.

Checking the TMG server resulted in a boatload of Schannel 36888 and 36882 events in the System logs. I then remembered that we had to install self-signed certificates on the DC’s (not ideal, but it was needed before we had time to implement a proper CA infrastructure).

Installing the self-signed certificates from the DC’s into the Trusted Root Certificates of the TMG server, resolved the issue of not being able to change the password at first logon.

Jaap: thanks for the sparring time Smile

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.