Can't log in user having "must change password" flag set (Forms Au

G

Guest

Hi,

we've got a strange problem here:

We've created an ASP.NET 2.0 web application using Membership.ValidateUser()
to manually authenticate users with our website.

The problem is: If the user has the "User must change password" flag set in
Active Directory, ValidateUser() always returns false if that user wants to
log in.

What is it we are doing wrong? Is there some additional code required to
have a user log-in using the membership provider if that user has that
particular flag set?

Any help is quite appreciated.

Best regards,
www.axel-dahmen.com

PS: Just as a hint: We manually authenticate users as there is some business
logic correlated to our log-in page. So... no, we don't use the Login control.
 
S

Steven Cheng[MSFT]

Hi Axel,

From your description, you're using forms authentication which validate the
logon user against the domain active directory, however, you found that for
those useraccount which has been marked with "User must change password on
next logon...." flag, you can not get it to login through the membership
API, correct?

As for this issue, I'd like to confirm the following things first:

** Whether you're using the built-in ASP.NET 2.0
ActiveDirectoryMembershipProvider to do the authentication for your
membership service?

** Have you tried creating a new simple ASP.NET web app and use the AD
membership provider to see whether you can repeately repro this problem?

So far based on my research, there does exists some known issue of the AD
membership provider, however, what supprising me is that those known issue
indicate that the built-in ADmembershipProvider will allow "User must
change password..." account to logon through ASP.NET membership
service(login control). This seems totally opposite to your case.
Therefore, I think there might something else that cause the behavior.

Please feel free to let me know if there is anything I missed or anything
else you found.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.
 
A

Axel Dahmen

Hi Steven,

thank you for your answer.

Yes, we're using ASP.NET's default ActiveDirectoryMembershipProvider. One of
my colleagues has opened a ticket with MS on the same day and that's what
they've found out:

The ActiveDirectoryMembershipProvider does not allow users having the "User
must change password on next logon...." flag set to log in. According to MS
this is by design: Because the ActiveDirectoryMembershipProvider doesn't
provide a mechanism to force the user to give a new password at log on,
authentication is blocked.

We've now created an alternative implementation for our users to log on
using standard Windows Security API in our Forms Authentication log-in page.
According to my colleague who implemented the login solution this is even
better as for the ActiveDirectoryMembershipProvider it seems that it
requires the password characteristics to be given in the web.config where we
don't think they belong in as password characteristics are already given by
company policies and provided by AD.

Your help has been quite appreciated, Steven. Hope the solution we've found
may help someone else having the same problem.

Best regards,
www.axeldahmen.com
Axel Dahmen
 
S

Steven Cheng[MSFT]

Hi Axel,

Thanks for your followup.

Glad that you've got the answer of this issue. Of course, this will benifit
other community members who encounter the same problem.

Thanks again for sharing it with us!

Have a good day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
From: "Axel Dahmen" <[email protected]>
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples. 2
ASP:login password 0
Setting "User Cannot Change Password" Flag from ASP.NET/C# 1
Change a users password without knowing the old password nor the answer to the password question 1
ASP:ChangePassword control and changing another user's password 6
asp:login control - user prompted to log in twice if session disab 3
Forms authentication, user login status is not maintained 3
Installation Project must ask for sql server user and password and create database 1

Members online

No members online now.
Total: 34 (members: 1, guests: 33)
Robots: 486

Forum statistics

Threads
473,768
Messages
2,569,574
Members
45,048
Latest member
verona

Latest Threads

Top