I have a Windows Server 2008R2 Server running Forefront TMG (7.0.9193.500) which works as our firewall and VPN gateway. For the most part it works, blocking traffic and allowing users to VPN in. I have a problem with password expiry causing problems - unable to send new passwords if a user is logged in to their client machine, running Windows 7.

The network is quite locked down, and only a few machines have internet access. In a similar manner, the clients that connect aren't allowed internet access other than connecting by VPN to the home address (some specific rules allowing discovery and so on, but not 'normal' internet). The clients (Windows 7 machines) are authenticated by TMG, which passes the request on to a set of RADIUS servers, which themselves are Windows Server NAP machines.

At the end of a password expiry period, users have issues sending a new password. If they are logged into Windows, it tells them the password has expired and to send a new one. If they do so, the machine sits and gets stuck on the VPN dial-in with "Sending new password..." It never seems to get through.

If a user logs off first and connects by VPN from the login screen, it does work, but sometimes ends up causing the passwords to be out of sync, so VPN and server believe they have a new password, but the local machine believes it uses the old one. With some messing around I can get the machine to connect to the VPN and resync the password, but this requires admin intervention.

So my question/problem is, does anyone know what the possible issue is that causes the machine to get stuck on sending new password?

If I look at the TMG logs, I can't see anything helpful. There are no Audit failures I can see, and I can't see anything in the NPS logs either. I may be missing things, but I'm not too sure what to be looking for.

The VPN client settings are fairly simple: try SSTP with certificates and use the current Windows username and password as the main method, but I have also added in a backup of PPTP with EAP to work out if it was to do with the listeners.

Flare Star

0 Answers