NTLM Password Change Fails When Password Contains an Ampersand (&)

ID: Q238631


The information in this article applies to:


SYMPTOMS

When you attempt to change an expired Windows NT password in Internet Information Server (IIS) 4.0 and you use an ampersand (&) in the new password, the password does not change, even though you receive the following message after completing the password change form:

The operation completed successfully

"Password changed successfully" is returned when a password change is successful. The ampersand is a valid password character in Windows NT.


CAUSE

The parsing code in Ism.dll assumes the following sequence:

VARIABLE=VALUE&

When you use an ampersand (&) in the password, a sequence of one or more ampersands is created before an equal sign (=). For example, old password=password& will work correctly, but new password=m&m& will not.
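
The failure mode described above, as an added example (this is not Microsoft's code and not a reconstruction of Ism.dll). It assumes the client sends the ampersand percent-encoded as %26 and that the fragile parser decodes the body before splitting it into VARIABLE=VALUE& pairs; the field names, function names and sample body are constructed for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample body; the field names are hypothetical, not taken from Ism.dll. */
const char SAMPLE_BODY[] = "acct=alice&oldpwd=password&newpwd=m%26m&confirm=m%26m";

/* Percent-decode the NUL-terminated string s in place (output never grows); returns s. */
static char *url_decode(char *s) {
    char *o = s;
    for (const char *p = s; *p; p++) {
        if (*p == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            *o++ = (char)strtol(hex, NULL, 16);
            p += 2;
        } else {
            *o++ = (*p == '+') ? ' ' : *p;
        }
    }
    *o = '\0';
    return s;
}

/* Split buf on '&' in place (VARIABLE=VALUE& pairs) and return the value of name, or NULL. */
static char *find_value(char *buf, const char *name) {
    size_t nlen = strlen(name);
    for (char *pair = buf, *next; pair; pair = next) {
        next = strchr(pair, '&');
        if (next) *next++ = '\0';
        if (strncmp(pair, name, nlen) == 0 && pair[nlen] == '=') return pair + nlen + 1;
    }
    return NULL;
}

/* Fragile order: decode the whole body, then split, so a decoded %26 acts as a delimiter. */
const char *get_field_decode_first(const char *body, const char *name, char *work, size_t worksz) {
    size_t n = strlen(body);
    if (n >= worksz) return NULL;          /* body must fit in the caller's work buffer */
    memcpy(work, body, n + 1);
    return find_value(url_decode(work), name);
}

/* Robust order: split on the raw '&' delimiters, then decode only the selected value. */
const char *get_field_split_first(const char *body, const char *name, char *work, size_t worksz) {
    size_t n = strlen(body);
    if (n >= worksz) return NULL;
    memcpy(work, body, n + 1);
    char *v = find_value(work, name);
    return v ? url_decode(v) : NULL;
}
```

With the sample body, the decode-first order yields a truncated new password while the split-first order recovers the full value, which is why a server-side check that compares or sets the parsed value can disagree with what the user typed.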


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English IIS 4.0 Windows NT Server version of this fix should have the following file attributes or later:

   Date      Time                 Size    File name     Platform
   -------------------------------------------------------------
   07/22/99  03:25p                84,240 Ism.dll       Alpha
   07/22/99  03:23p                54,032 Ism.dll       i386 


NOTE: The IIS 4.0 Windows NT Workstation and Windows 95/98 fixes will have different file properties.

NOTE: If this product was already installed on your computer when you purchased it from the Original Equipment Manufacturer (OEM) and you need this fix, please call the Pay Per Incident number listed on the above Web site. If you contact Microsoft to obtain this fix, and if it is determined that you only require the fix you requested, no fee will be charged. However, if you request additional technical support, and if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support, you may be charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base:
Q154871 Determining If You Are Eligible for No-Charge Technical Support


STATUS

Microsoft has confirmed this to be a problem in Internet Information Server 4.0.


MORE INFORMATION

Another symptom that has been seen is the Inetinfo process spinning at 100 percent CPU utilization.

Additional query words: percent peg max


Keywords          : 
Version           : winnt:4.0
Platform          : winnt 
Issue type        : kbbug 

Last Reviewed: August 3, 1999