How to change user account properties by ASP.NET?

Discussion in 'ASP .Net Security' started by Evgeny Zoldin, Nov 23, 2004.

  1. Hi ALL.

    I have the configuration:
    1. WinXP PRO with MS IIS 5.0 and installed ASP.NET
    2. ASP.NET application A configured to authenticate only users from
    local Users group.

    I would like to do the following:
    Logged on user is able through ASP.NET-Pages to change its own Logon
    Username, Password and Full Name

    I tried to implement it by the code (C#):

    DirectoryEntry deCurrUser = new DirectoryEntry("WinNT://" +
    User.Identity.Name);
    deCurrUser.Invoke("SetPassword", new string[]{"123"} ); // ***

    If the logged on user belongs only to Users group then the statement ***
    causes Exception "SystemUnautherizedException: General access denied error".
    But as soon as that user has been included into Administrators group the
    statement *** is executed well.

    I know about impersonation possibility, but it requires to type clear
    Administrators username and password in code-behind class that will be
    published on target server.

    So, what should I do in order to give to user the ability to change its
    username, password and full name?
    Maybe organize a group on the target server, add the users into the group
    and grant this group some special rights?

    Thanx
    Evgeny
    Evgeny Zoldin, Nov 23, 2004
    #1

  2. Hi Evgeny:

    >I know about impersonation possibility, but it requires to type clear
    >Administrators username and password in code-behind class that will be
    >published on target server.


    If you use
    <identity impersonate="true"/>
    in the web.config file, then you are impersonating the client without
    using an explicit username / password. This is probably the safest
    approach, because only local admins would be able to change the
    passwords for the local users.

    You can put username and password attributes in the <identity>
    element and have the password encrypted in the registry. This is
    described in the remarks section of the following:
    http://msdn.microsoft.com/library/d.../en-us/cpgenref/html/gngrfidentitysection.asp

    Note however, that all users will then have a request impersonating an
    admin, so it's a dangerous approach.

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/
    Scott Allen, Nov 23, 2004
    #2

  3. Normally, a user can only call ChangePassword on themselves, not
    ResetPassword. Administrators generally have rights to ResetPassword. The
    latter doesn't require knowing the old password, the former does.

    I think that will solve it.

    Joe K.
    Joe Kaplan (MVP - ADSI), Nov 23, 2004
    #3
  4. Hi Scott,

    thanks a lot for your help. One more question: is it possible to use
    impersonation not for the whole application but for a selected page of it,
    namely the one where the user will change their data under the impersonated
    Admin account?

    Thank you in advance

    Evgeny
    Evgeny Zoldin, Nov 23, 2004
    #4
  5. Hi Joe,

    thank you for your advice, but how can I get the oldPassword of the currently
    logged-on user in ASP.NET to feed the ChangePassword method?

    Evgeny
    Evgeny Zoldin, Nov 23, 2004
    #5
  6. You would have to ask them for it unless you are using Basic authentication,
    in which case you can just read the auth_password header. Most password
    change processes prompt the user to enter the old password as well as the
    new one to verify that the current user actually knows the old one, so I
    don't think users will be too bothered by this.

    Joe K.
    Joe Kaplan (MVP - ADSI), Nov 23, 2004
    #6
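
Added example, not part of the original thread or any poster's code: the approach from posts #3 and #6, where the page asks for the old password and calls ChangePassword on the logged-on user's own account instead of SetPassword. The names LocalAccountPassword, ToWinNTPath and TryChange are hypothetical; it assumes Windows authentication (so User.Identity.Name has the form MACHINE\user) and that the request runs under an identity allowed to make the call.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;

// Added example: hypothetical helper, not code from the thread.
public static class LocalAccountPassword
{
    // "MACHINE\alice" -> "WinNT://MACHINE/alice,user".
    // The input must be the authenticated principal's name
    // (User.Identity.Name), never a form field, so a user can only
    // address their own account.
    public static string ToWinNTPath(string identityName)
    {
        if (identityName == null) throw new ArgumentNullException("identityName");
        string[] parts = identityName.Split('\\');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            throw new ArgumentException("Expected MACHINE\\user", "identityName");
        return "WinNT://" + parts[0] + "/" + parts[1] + ",user";
    }

    // Returns true when the change succeeded; on refusal returns false and
    // puts the provider's message in 'error' (log it, do not echo it to the page).
    public static bool TryChange(string identityName, string oldPassword,
                                 string newPassword, out string error)
    {
        error = null;
        try
        {
            using (DirectoryEntry user = new DirectoryEntry(ToWinNTPath(identityName)))
            {
                // ChangePassword needs the old password, so knowing it is the
                // proof of ownership; no administrator rights are involved.
                user.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
            }
            return true;
        }
        catch (TargetInvocationException ex)
        {
            // Invoke wraps the underlying COM failure (wrong old password,
            // password policy violation, access denied).
            error = ex.InnerException != null ? ex.InnerException.Message : ex.Message;
            return false;
        }
    }
}
```

From a code-behind class this would be called as LocalAccountPassword.TryChange(User.Identity.Name, oldPasswordBox.Text, newPasswordBox.Text, out error), where the two text boxes are assumed form fields.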
  7. Yes, Evgeny. One way to do this is with a <location> entry.
    http://msdn.microsoft.com/library/d.../en-us/cpgenref/html/gngrflocationelement.asp

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    On Tue, 23 Nov 2004 23:37:31 +0100, "Evgeny Zoldin"
    <> wrote:

    >Hi Scott,
    >
    >thanks a lot for your help. One more question: is it possible to use
    >impersonation not for the whole application but for a selected page of it,
    >namely the one where the user will change their data under the impersonated
    >Admin account?
    >
    >Thank you in advance
    >
    >Evgeny
    >
    Scott Allen, Nov 24, 2004
    #7
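
Added example, not part of the original thread: a web.config fragment combining the two settings Scott Allen mentions in posts #2 and #7, with client impersonation switched on for a single page through a <location> entry. The page name ChangePassword.aspx is an assumption.

```xml
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- Application default: requests run as the ASP.NET process account -->
    <identity impersonate="false" />
  </system.web>

  <!-- Only this page runs as the authenticated client -->
  <location path="ChangePassword.aspx">
    <system.web>
      <!-- No userName/password attributes here: with them, every request to
           this page would run as that fixed account, which is the dangerous
           variant described in post #2 -->
      <identity impersonate="true" />
    </system.web>
  </location>
</configuration>
```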