ActiveDirectoryMembershipProvider & ChangePassword control

Discussion in 'ASP .Net Security' started by dknight, May 14, 2008.

  1. dknight

    dknight Guest

    I'm using AD for my asp.net c# forms authentication. The login control works
    great.
    However we need the provider to force a change of password when the AD
    account's "User must change password on next login" attribute is set to true.
    Using DirectoryServices I can check to see if the attribute is set but when
    I try to use the ChangePassword control it won't reset the password. I get a
    "Password incorrect or New Password invalid. New Password length minimum: 7.
    Non-alphanumeric characters required: 1" warning even though I've met the
    password rules.
    Does this provider support the ChangePassword control?
    Thanks.
    dknight, May 14, 2008
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    "Change password at next login" is not supported via any type of LDAP auth
    which is what the membership provider uses, so essentially you can't do
    this. As far as I know, you can only support this feature via interactive
    logon.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, May 14, 2008
    #2

  3. dknight

    dknight Guest

    What is an interactive logon?

    dknight, May 14, 2008
    #3
  4. Joe Kaplan

    Joe Kaplan Guest

    When you log on to a workstation or server at the terminal or through
    terminal services.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, May 15, 2008
    #4
  5. dknight

    dknight Guest

    This web app is externally facing and needs to use AD in our DMZ.

    The process for creating and maintaining user accounts is this:
    1. a user requests an account using our web page.
    2. when approved, a LDAP call is made to create the account in AD.
    2a. the LDAP call creates the user.
    2b. sets a temporary password.
    2c. the password needs to be a temporary one. So the LDAP call sets the
    "user must change password on next login" attribute. (we thought we could
    force a change password by using this attribute)
    2d. when logging in, the web app (using ActiveDirectoryMembershipProvider)
    needs to detect that the password they are using is a temporary one and then
    force a change of the password.

    How would you suggest this be done?
    If the ActiveDirectoryMembershipProvider does not support this attribute is
    there another way of getting this functionality? Maybe a combination of
    ActiveDirectoryMembershipProvider and DirectoryServices coding to check the
    attribute not supported?

    Hope this makes sense.

    -Dan

    dknight, May 15, 2008
    #5
  6. Joe Kaplan

    Joe Kaplan Guest

    You'll have to custom code that somehow with some sort of "enhanced" AD
    membership provider (if you still want to use the membership provider for
    the provisioning piece and not just the credentials validation). You won't
    be able to use the native function for "user must change password at next
    logon".

    Essentially, you would need to store some value in the user account
    indicating "first logon" and if that is set, force the user to change the
    password in the UI. Then, when that password change is done you would
    update the value so that "first logon" would not be set.

    You could probably do something like this fairly easily by just putting a
    value into an existing AD attribute that you aren't using for anything else.
    The rest of it would be logic you would have to build into your user
    management UI.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, May 15, 2008
    #6
  7. dknight

    dknight Guest

    thanks Joe. Very helpful

    dknight, May 15, 2008
    #7
  8. Sylvain Girard

    Sorry for this very late reply, but I'm facing the same kind of situation as dknight.
    The way I'm trying to handle it is this:
    - user opens page
    - enters current credentials + new password
    - clicks the OK button
    - in the ChangingPassword event I use a DirectoryEntry object to uncheck that "Change password on next logon" field and use membership.validate to check the entered credentials; if invalid, I check that particular option again

    I still have a problem I can't put my finger on: when unchecking that option, the user validates, but the password isn't changed. When the user tries to change his password a second time, he is able to do it. The reason for this is that when he tries it the second time, the option is already unchecked.

    This makes me think about some kind of delay, or maybe that the password change control tries to validate the user before firing the ChangingPassword event...



    [Another reply in this thread, not shown on this page: on Wednesday, June 03, 2009 3:43 PM, Jerry Mollis wrote "Forms validation force change password after first login". Post #8 was submitted via EggHeadCafe - Software Developer Portal of Choice.]
    Sylvain Girard, Apr 27, 2010
    #8
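    As an added example (this is not code posted by dknight, Joe Kaplan or Sylvain Girard), here is how the mechanism discussed in this thread can be wired up in C# with System.DirectoryServices and the ChangePassword control's events. The "User must change password at next logon" checkbox is stored in the pwdLastSet attribute (0 means the flag is set; writing -1 clears it), and a domain controller refuses an LDAP bind for such an account even when the password is right, which is why the provider's ChangePassword, which first binds with the current password, reports "Password incorrect" in dknight's post #1. The block follows Sylvain's approach in post #8: a small helper reads and writes pwdLastSet under a service account, the ChangingPassword handler lifts the flag just before the provider binds, and the ChangePasswordError handler puts it back when the change is rejected. Joe Kaplan's variant in post #6 is the same pattern with an unused attribute in place of pwdLastSet, checked after a normal login instead of before it. The server, service account, attribute handling and page markup below are assumptions.

```csharp
// Added example for this thread; not code posted by dknight, Joe Kaplan or Sylvain Girard.
// Assumptions: a service account that is allowed to write pwdLastSet on the user OU and
// nothing else; the ActiveDirectoryMembershipProvider's connectionString points at the
// same domain controller as ServerPath; every name below is a placeholder.
using System;
using System.DirectoryServices;
using System.Web.UI.WebControls;

public static class PasswordChangeGate
{
    // Placeholders: in a real deployment read these from protected configuration.
    private const string ServerPath = "LDAP://dc01.example.test/DC=example,DC=test";
    private const string ServiceUser = @"EXAMPLE\svc-pwdgate";
    private const string ServicePassword = "PLACEHOLDER-FROM-PROTECTED-CONFIG";
    private const AuthenticationTypes AuthType =
        AuthenticationTypes.Secure | AuthenticationTypes.Sealing;

    private sealed class UserInfo
    {
        public string Path;      // full ADsPath of the user object
        public long PwdLastSet;  // 0 = "User must change password at next logon"
    }

    // Escape the characters that carry meaning inside an LDAP filter (RFC 4515),
    // so a user-typed account name cannot change the shape of the query.
    private static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Find a user by sAMAccountName with the service account; null when absent.
    private static UserInfo FindUser(string samAccountName)
    {
        using (var root = new DirectoryEntry(ServerPath, ServiceUser, ServicePassword, AuthType))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName="
                              + EscapeFilter(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("pwdLastSet");
            SearchResult hit = searcher.FindOne();
            if (hit == null) return null;
            // DirectorySearcher returns pwdLastSet as an Int64. An unreadable value is
            // treated as "not flagged": the flag is then never lifted and the DC keeps
            // refusing the bind, so a permission problem fails closed.
            long pwdLastSet = hit.Properties["pwdLastSet"].Count > 0
                              ? (long)hit.Properties["pwdLastSet"][0] : -1L;
            return new UserInfo { Path = hit.Path, PwdLastSet = pwdLastSet };
        }
    }

    public static bool MustChangePassword(string samAccountName)
    {
        UserInfo user = FindUser(samAccountName);
        return user != null && user.PwdLastSet == 0;
    }

    // 0 raises the "must change at next logon" flag; -1 clears it and stamps "now".
    public static void SetMustChange(string samAccountName, bool mustChange)
    {
        UserInfo user = FindUser(samAccountName);
        if (user == null) return;
        using (var entry = new DirectoryEntry(user.Path, ServiceUser, ServicePassword, AuthType))
        {
            entry.Properties["pwdLastSet"].Value = mustChange ? 0 : -1;
            entry.CommitChanges();
        }
    }
}

// Code-behind for the page hosting the ChangePassword control. Assumed markup:
//   <asp:ChangePassword ID="ChangePassword1" runat="server" DisplayUserName="true"
//        OnChangingPassword="ChangePassword1_ChangingPassword"
//        OnChangePasswordError="ChangePassword1_ChangePasswordError" />
// DisplayUserName="true" because a must-change user cannot log in first.
public partial class ChangePasswordPage : System.Web.UI.Page
{
    private bool flagLifted;

    protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
    {
        var control = (ChangePassword)sender;
        if (PasswordChangeGate.MustChangePassword(control.UserName))
        {
            // Lift the flag so the provider's bind with the current password is accepted.
            PasswordChangeGate.SetMustChange(control.UserName, false);
            flagLifted = true;
        }
    }

    protected void ChangePassword1_ChangePasswordError(object sender, EventArgs e)
    {
        // The provider rejected the change (wrong current password or policy failure):
        // put the flag back so the temporary password stays single-use.
        if (flagLifted)
        {
            PasswordChangeGate.SetMustChange(((ChangePassword)sender).UserName, true);
            flagLifted = false;
        }
    }
    // On success AD stamps pwdLastSet with the change time itself, so no
    // ChangedPassword handler is needed.
}
```

    Two things worth checking in a deployment like this. First, the DirectoryEntry write and the provider's bind should go to the same domain controller: if the flag is cleared on one DC and the provider binds to another before the change has replicated, the bind still fails with the old flag in place, which is one explanation for the "works on the second attempt" behaviour described above. Second, the flag is lifted before the credentials are verified, so a wrong password leaves it lifted only until ChangePasswordError restores it; keep that window small (no long-running work in between), give the service account write access to pwdLastSet only, and leave the provider's requirement for an SSL-protected connection in place, since ChangePassword sends the old and new password to the DC.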
