Dealing with passwords that can't authenticate to the server
I set up an internal Web site on our network to test remote password changes using the IISADMPWD on a W2K SP4 server. I enabled basic authentication on the site and when I use an account where the password has already expired, I am prompted to change my password. After I do that, I receive a message stating the change was successful. The network password changes, but the Web site will not accept any password for that account. I can change the account password on the domain controller, but no Web site on that server will allow that account to authenticate. It seems like the local security database is now hosed. I tried adding UserTokenTTL to the registry with a one minute discard, but it did not help.
This is a tricky one. The problem may have nothing to do with basic authentication and may not be remedied by adding UserTokenTTL to the registry. This obscure issue cropped up on message boards in late 2004 and, according to Microsoft, is caused by an issue in the Active Directory Services Interfaces (ADSI). To be more specific, this problem occurs when ADSI is used by an Active Server Page (ASP) Web site in Windows 2000 and later for authentication purposes. The issue stems from synching the UPN with the account name used in Windows versions prior to Windows 2000.
Microsoft issued hotfix 833734 last year to address the problem and posted an article with details on its Web site at http://support.microsoft.com/default.aspx?scid=kb;en-us;833734. While the hotfix was only for Windows 2003 Server, this article provides further insight into the exact problem you describe. The Microsoft hotfix is only temporary -- they plan to roll it up in the release of the next Windows 2003 Server service pack. In the meantime, try entering the UPN without the domain name in the user name field. Some users have said that works in Windows 2000 SP4 systems.
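A check an administrator can run before applying the workaround, added here as an example and not part of the original answer: since the cause is described as the UPN drifting out of sync with the pre-Windows 2000 logon name, this script takes exported user records (the records below are constructed sample data, and the field names mirror the AD attributes sAMAccountName and userPrincipalName), flags accounts where the two disagree, and lists the "UPN without the domain" value the answer suggests entering in the user name field.

```python
"""Flag AD accounts whose UPN prefix and pre-Windows 2000 logon name disagree."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str       # pre-Windows 2000 logon name, e.g. "jsmith"
    user_principal_name: str    # UPN, e.g. "jsmith@corp.example.com"


# Constructed sample export (not real directory output).
# 'ksmith' is the interesting case: its UPN prefix no longer matches sAMAccountName.
SAMPLE_USERS = [
    AdUser("jsmith", "jsmith@corp.example.com"),
    AdUser("ksmith", "kate.smith@corp.example.com"),
    AdUser("rjones", "rjones"),  # UPN stored without any '@domain' suffix
]


def upn_prefix(upn: str) -> str:
    """Return the part of a UPN before '@'; the whole string if it has no '@'."""
    return upn.split("@", 1)[0]


def find_upn_mismatches(users):
    """Return (sAMAccountName, userPrincipalName) pairs whose UPN prefix
    differs from the logon name. AD logon names are case-insensitive, so
    the comparison is too."""
    return [
        (u.sam_account_name, u.user_principal_name)
        for u in users
        if upn_prefix(u.user_principal_name).lower() != u.sam_account_name.lower()
    ]


def logon_candidates(user):
    """User name forms to try in the basic-auth prompt, in the order the
    answer suggests: the UPN without its domain first, then the pre-Windows
    2000 logon name if it is different."""
    prefix = upn_prefix(user.user_principal_name)
    candidates = [prefix]
    if user.sam_account_name.lower() != prefix.lower():
        candidates.append(user.sam_account_name)
    return candidates


if __name__ == "__main__":
    for sam, upn in find_upn_mismatches(SAMPLE_USERS):
        print(f"mismatch: sAMAccountName={sam} userPrincipalName={upn}")
        print(f"  try user name: {upn_prefix(upn)}")
```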
This was first published in February 2006