ActiveDirectoryMembershipProvider & ChangePassword control

dknight

I'm using AD for my asp.net c# forms authentication. The login control works
great.
However we need the provider to force a change of password when the AD
account's "User must change password on next login" attribute is set to true.
Using DirectoryServices I can check to see if the attribute is set but when
I try to use the ChangePassword control it won't reset the password. I get a
"Password incorrect or New Password invalid. New Password length minimum: 7.
Non-alphanumeric characters required: 1" warning even though I've met the
password rules.
Does this provider support the ChangePassword control?
Thanks.
 
Joe Kaplan

"Change password at next login" is not supported via any type of LDAP auth
which is what the membership provider uses, so essentially you can't do
this. As far as I know, you can only support this feature via interactive
logon.

Joe K.
 
dknight

What is an interactive logon?

Joe Kaplan said:
"Change password at next login" is not supported via any type of LDAP auth
which is what the membership provider uses, so essentially you can't do
this. As far as I know, you can only support this feature via interactive
logon.

Joe K.
 
Joe Kaplan

When you log on to a workstation or server at the terminal or through
terminal services.

Joe K.
 
dknight

This web app is externally facing and needs to use AD in our DMZ.

The process for creating and maintaining user accounts is this:
1. a user requests an account using our web page.
2. when approved, a LDAP call is made to create the account in AD.
2a. the LDAP call creates the user.
2b. sets a temporary password.
2c. the password needs to be a temporary one. So the LDAP call sets the
"user must change password on next login" attribute. (we thought we could
force a change password by using this attribute)
2d. when logging in, the web app (using ActiveDirectoryMembershipProvider)
needs to detect that the password they are using is a temporary one and then
force a change of the password.

How would you suggest this be done?
If the ActiveDirectoryMembershipProvider does not support this attribute is
there another way of getting this functionality? Maybe a combination of
ActiveDirectoryMembershipProvider and DirectoryServices coding to check the
attribute not supported?

Hope this makes sense.

-Dan
 
Joe Kaplan

You'll have to custom code that somehow with some sort of "enhanced" AD
membership provider (if you still want to use the membership provider for
the provisioning piece and not just the credentials validation). You won't
be able to use the native function for "user must change password at next
logon".

Essentially, you would need to store some value in the user account
indicating "first logon" and if that is set, force the user to change the
password in the UI. Then, when that password change is done you would
update the value so that "first logon" would not be set.

You could probably do something like this fairly easily by just putting a
value into an existing AD attribute that you aren't using for anything else.
The rest of it would be logic you would have to build into your user
management UI.

Joe K.
 
dknight

thanks Joe. Very helpful

Joe Kaplan said:
You'll have to custom code that somehow with some sort of "enhanced" AD
membership provider (if you still want to use the membership provider for
the provisioning piece and not just the credentials validation). You won't
be able to use the native function for "user must change password at next
logon".

Essentially, you would need to store some value in the user account
indicating "first logon" and if that is set, force the user to change the
password in the UI. Then, when that password change is done you would
update the value so that "first logon" would not be set.

You could probably do something like this fairly easily by just putting a
value into an existing AD attribute that you aren't using for anything else.
The rest of it would be logic you would have to build into your user
management UI.

Joe K.
 
Sylvain Girard

Sorry for this very late reply, but I'm facing the same kind of situation as dknigh.
The way I'm trying to handle it is this:
- user opens page
- enter current credentials + new password
- clicks OK button
- in the ChangingPassword event I use a DirectoryEntry object to uncheck that "Change password on next logon" field and use membership.validate to check the entered credentials; if they are invalid, I check that particular option again

I still have a problem I can't put my finger on: when unchecking that option, the user validates, but the password isn't changed. When the user tries to change his password a second time, he is able to do it. The reason for this is that when he tries to do it the second time, the option is already unchecked.

This makes me think about some kind of delay, or maybe that password change control tries to validate the user before firing the ChangingPassword event...



dknigh wrote:

Re: ActiveDirectoryMembershipProvider & ChangePassword control
15-May-08

thanks Joe. Very helpful
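Joe's design from his post above, written out as an added example (not code from Joe, dknight or Sylvain): the marker lives in a spare AD attribute instead of the native "must change password" flag, so nothing has to be toggled around validation the way Sylvain's ChangingPassword handler does. Assumptions: the LDAP root, the `comment` attribute as the spare, the page and control names, and an app pool identity that can read and write that attribute.

```csharp
using System;
using System.DirectoryServices;
using System.Web.UI.WebControls;

// Joe's "first logon" marker, kept in a spare AD attribute: provisioning sets it, a completed change clears it.
public static class FirstLogonFlag
{
    const string LdapRoot = "LDAP://DC=example,DC=com"; // assumption: the DMZ domain's root
    const string FlagAttribute = "comment";             // assumption: an attribute not otherwise used
    const string FlagValue = "MUST_CHANGE_PASSWORD";
    static string Escape(string s)   // RFC 4515 escaping: a crafted user name must not rewrite the filter
    {
        string r = "";
        foreach (char c in s) r += "\\*()\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString();
        return r;
    }
    // Searches as the app pool identity, which needs read/write rights on FlagAttribute.
    static DirectoryEntry FindUser(string username)
    {
        using (var root = new DirectoryEntry(LdapRoot))
        using (var searcher = new DirectorySearcher(root,
               "(&(objectCategory=person)(sAMAccountName=" + Escape(username) + "))"))
        {
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : hit.GetDirectoryEntry();
        }
    }
    public static bool IsSet(string username)
    {
        using (DirectoryEntry user = FindUser(username))
            return user != null && FlagValue.Equals(user.Properties[FlagAttribute].Value as string);
    }
    public static void Clear(string username)
    {
        using (DirectoryEntry user = FindUser(username))
            if (user != null) { user.Properties[FlagAttribute].Clear(); user.CommitChanges(); }
    }
}

public partial class LoginPage : System.Web.UI.Page
{   // Login control's LoggedIn event: a flagged user goes straight to the change-password page.
    protected void Login1_LoggedIn(object sender, EventArgs e)
    { if (FirstLogonFlag.IsSet(((Login)sender).UserName)) Response.Redirect("~/ChangePassword.aspx", false); }
}

public partial class ChangePasswordPage : System.Web.UI.Page
{   // ChangedPassword fires only after the provider accepted the new password.
    protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
    { FirstLogonFlag.Clear(((ChangePassword)sender).UserName); }
}
```

A user who leaves the change-password page without finishing still carries the flag, so the redirect should also be enforced on every authenticated request (a master page or an HttpModule), not only in LoggedIn.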
