ActiveDirectoryMembershipProvider & ChangePassword control

Discussion in 'ASP .Net Security' started by dknight, May 14, 2008.

  1. dknight

    dknight Guest

    I'm using AD for my asp.net c# forms authentication. The login control works
    great.
    However we need the provider to force a change of password when the AD
    account's "User must change password on next login" attribute is set to true.
    Using DirectoryServices I can check to see if the attribute is set but when
    I try to use the ChangePassword control it won't reset the password. I get a
    "Password incorrect or New Password invalid. New Password length minimum: 7.
    Non-alphanumeric characters required: 1" warning even though I've met the
    password rules.
    Does this provider support the ChangePassword control?
    Thanks.
     
    dknight, May 14, 2008
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    "Change password at next login" is not supported via any type of LDAP auth
    which is what the membership provider uses, so essentially you can't do
    this. As far as I know, you can only support this feature via interactive
    logon.

    Joe K.
     
    Joe Kaplan, May 14, 2008
    #2

  3. dknight

    dknight Guest

    What is an interactive logon?

     
    dknight, May 14, 2008
    #3
  4. Joe Kaplan

    Joe Kaplan Guest

    When you log on to a workstation or server at the terminal or through
    terminal services.

    Joe K.
     
    Joe Kaplan, May 15, 2008
    #4
  5. dknight

    dknight Guest

    This web app is externally facing and needs to use AD in our DMZ.

    The process for creating and maintaining user accounts is this:
    1. a user requests an account using our web page.
    2. when approved, a LDAP call is made to create the account in AD.
    2a. the LDAP call creates the user.
    2b. sets a temporary password.
    2c. the password needs to be a temporary one. So the LDAP call sets the
    "user must change password on next login" attribute. (we thought we could
    force a change password by using this attribute)
    2d. when logging in, the web app (using ActiveDirectoryMembershipProvider)
    needs to detect that the password they are using is a temporary one and then
    force a change of the password.

    How would you suggest this be done?
    If the ActiveDirectoryMembershipProvider does not support this attribute is
    there another way of getting this functionality? Maybe a combination of
    ActiveDirectoryMembershipProvider and DirectoryServices coding to check the
    attribute not supported?

    Hope this makes sense.

    -Dan
     
    dknight, May 15, 2008
    #5
  6. Joe Kaplan

    Joe Kaplan Guest

    You'll have to custom code that somehow with some sort of "enhanced" AD
    membership provider (if you still want to use the membership provider for
    the provisioning piece and not just the credentials validation). You won't
    be able to use the native function for "user must change password at next
    logon".

    Essentially, you would need to store some value in the user account
    indicating "first logon" and if that is set, force the user to change the
    password in the UI. Then, when that password change is done you would
    update the value so that "first logon" would not be set.

    You could probably do something like this fairly easy by just putting a
    value into an existing AD attribute that you aren't using for anything else.
    The rest of it would be logic you would have to build into your user
    management UI.

    Joe K.
     
    Joe Kaplan, May 15, 2008
    #6
  7. dknight

    dknight Guest

    thanks Joe. Very helpful

     
    dknight, May 15, 2008
    #7
  8. Sylvain Girard

    Sylvain Girard Guest

    Sorry for this very late reply, but I'm facing the same kind of situation as dknight.
    The way I'm trying to handle it is this:
    - user opens page
    - enter current credentials + new password
    - clicks OK button
    - in the ChangingPassword event I use a DirectoryEntry object to uncheck that "Change password on next logon" field and use membership.validate to check the entered credentials, if invalid, check that particular option again

    I still got a problem I can't put my finger on and that is when unchecking that option, the user validates, but the password isn't changed. When the user tries to change his password a second time, he is able to do it. The reason for this is that when he tries to do it the second time, the option is already unchecked.

    This makes me think about some kind of delay, or maybe that password change control tries to validate the user before firing the ChangingPassword event...



     
    Sylvain Girard, Apr 27, 2010
    #8
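Joe's design in #6 (a "first logon" flag kept in a spare AD attribute, cleared after a successful change) and the ordering problem Sylvain runs into in #8, as an added example in C#; this is not code from the thread or from the provider itself. The attribute name, the search root and the `MustChangePassword` helper are assumptions, and the application identity must be allowed to write that attribute.

```csharp
using System.DirectoryServices;
using System.Web.Security;
// Hypothetical "enhanced" provider for the design Joe describes: the base class keeps
// validating credentials; a "first logon" flag lives in a spare AD attribute.
public class FirstLogonAdMembershipProvider : ActiveDirectoryMembershipProvider
{
    // Both values are assumptions: pick an attribute your schema leaves unused and a
    // search root that the application identity can read and write.
    private const string FlagAttribute = "extensionAttribute1";
    private const string SearchRoot = "LDAP://DC=example,DC=com";
    // Called by the login page after Membership.ValidateUser succeeds (step 2d):
    // true means the user is still on the temporary password and must change it.
    public bool MustChangePassword(string username)
    {
        using (DirectoryEntry user = FindUser(username))
        {
            object flag = user == null ? null : user.Properties[FlagAttribute].Value;
            return flag != null && flag.ToString() == "1";
        }
    }
    // Clear the flag only after the base provider reports success; clearing it before
    // validating would leave the temporary password usable with no forced change.
    public override bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        if (!base.ChangePassword(username, oldPassword, newPassword)) return false;
        using (DirectoryEntry user = FindUser(username))
        {
            if (user == null) return true;
            user.Properties[FlagAttribute].Clear();
            user.CommitChanges();
        }
        return true;
    }
    // The name comes from the login form, so it is escaped (RFC 4515) before it goes into the filter.
    private static DirectoryEntry FindUser(string username)
    {
        using (DirectoryEntry root = new DirectoryEntry(SearchRoot))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + Escape(username) + "))";
            SearchResult result = searcher.FindOne();
            return result == null ? null : result.GetDirectoryEntry();
        }
    }
    private static string Escape(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

The native "user must change password at next logon" flag is never set in this design, so the provider's LDAP bind keeps working with the temporary password and the forced change is enforced by the login page redirecting whenever `MustChangePassword` returns true.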
