Thursday, July 7, 2011

ISA and TMG Login Scenarios

Q: What are the various Active Directory account conditions to program for when authenticating through an FBA listener on ISA or TMG?
A: There are seven that we've come up with:
  1. The account is active and valid.
  2. The account's password is past the 90 days max password age and the password is expired (but the account is still active).
  3. The account's password will expire in <15 days (test by changing "remind users" from 15 to 120).
  4. The account is disabled (test by simply disabling the AD account).
  5. The account is expired (test by moving the AD account expire date into the past).
  6. The account is set to "user must change password at next logon" (test by simply checking that box).
  7. The account is active and valid and the user checks the box to change their password.
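As an added example (not from the original post), a PowerShell function that reads the relevant Active Directory attributes and reports which of the scenarios above a given account will hit when it authenticates through the listener. It assumes the RSAT ActiveDirectory module is installed and that the listener's "remind users" threshold is the 15 days mentioned above; the account name at the bottom is a constructed placeholder.

```powershell
# Added example: map an AD account's state to the FBA login scenario it triggers.
# Assumes the RSAT ActiveDirectory module; $RemindDays mirrors the listener's
# "remind users" setting (15 by default in the post).
Import-Module ActiveDirectory

function Get-FbaLoginScenario {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$RemindDays = 15
    )

    $u = Get-ADUser -Identity $SamAccountName -Properties `
        Enabled, AccountExpirationDate, PasswordExpired, pwdLastSet, `
        PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
    $now = Get-Date

    # Scenario 4: the account is disabled.
    if (-not $u.Enabled) { return 'Scenario 4: account disabled' }

    # Scenario 5: accountExpires lies in the past.
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt $now) {
        return 'Scenario 5: account expired'
    }

    # Scenario 6: pwdLastSet = 0 is how AD records "must change password at next logon".
    if ($u.pwdLastSet -eq 0) { return 'Scenario 6: must change password at next logon' }

    # Scenario 2: password older than the effective max password age, account still active.
    if ($u.PasswordExpired) { return 'Scenario 2: password expired, account still active' }

    # Scenario 3: password valid but inside the reminder window. The computed
    # attribute already applies domain and fine-grained password policy;
    # Int64.MaxValue means "never expires" and cannot be converted to a date.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $u.PasswordNeverExpires -and $raw -and $raw -lt [Int64]::MaxValue) {
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)
        if ($daysLeft -lt $RemindDays) {
            return "Scenario 3: password expires in $daysLeft days (< $RemindDays)"
        }
    }

    # Scenario 1; scenario 7 depends on the user ticking the change-password box,
    # not on any AD attribute, so it cannot be distinguished here.
    return 'Scenario 1: active and valid (scenario 7 if the user opts to change password)'
}

# Constructed placeholder account name; replace with a real test account.
Get-FbaLoginScenario -SamAccountName 'fba.test.user'
```

Running it against one test account per row of the list above confirms that each account is actually in the state the test plan expects before the listener is exercised.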