| Groups | Blog | Home |
asp.net security : ActiveDirectoryMembershipProvider & ChangePassword control
great. However we need the provider to force a change of password when the AD account's "User must change password on next login" attribute is set to true. Using DirectoryServices I can check to see if the attribute is set but when I try to use the ChangePassword control it won't reset the password. I get a "Password incorrect or New Password invalid. New Password length minimum: 7. Non-alphanumeric characters required: 1" warning even though Iv'e met the password rules. Does this provider support the ChangePassword control? Thanks.
What is an interactive logon?
[quoted text, click to view] "Joe Kaplan" wrote:
> "Change password at next login" is not supported via any type of LDAP auth > which is what the membership provider uses, so essentially you can't do > this. As far as I know, you can only support this feature via interactive > logon. > > Joe K. > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "dknight" <dknight@discussions.microsoft.com> wrote in message > news:352A1A2B-BFE7-4836-912D-52B5AC84B262@microsoft.com... > > I'm using AD for my asp.net c# forms authentication. The login control > > works > > great. > > However we need the provider to force a change of password when the AD > > account's "User must change password on next login" attribute is set to > > true. > > Using DirectoryServices I can check to see if the attribute is set but > > when > > I try to use the ChangePassword control it won't reset the password. I get > > a > > "Password incorrect or New Password invalid. New Password length minimum: > > 7. > > Non-alphanumeric characters required: 1" warning even though Iv'e met the > > password rules. > > Does this provider support the ChangePassword control? > > Thanks. > > > >
"Change password at next login" is not supported via any type of LDAP auth
which is what the membership provider uses, so essentially you can't do this. As far as I know, you can only support this feature via interactive logon. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "dknight" <dknight@discussions.microsoft.com> wrote in message news:352A1A2B-BFE7-4836-912D-52B5AC84B262@microsoft.com... > I'm using AD for my asp.net c# forms authentication. The login control > works > great. > However we need the provider to force a change of password when the AD > account's "User must change password on next login" attribute is set to > true. > Using DirectoryServices I can check to see if the attribute is set but > when > I try to use the ChangePassword control it won't reset the password. I get > a > "Password incorrect or New Password invalid. New Password length minimum: > 7. > Non-alphanumeric characters required: 1" warning even though Iv'e met the > password rules. > Does this provider support the ChangePassword control? > Thanks. >
When you log on to a workstation or server at the terminal or through
terminal services. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "dknight" <dknight@discussions.microsoft.com> wrote in message news:55F5AD40-A86E-452F-980A-45FA83B9E63D@microsoft.com... > What is an interactive logon? > > "Joe Kaplan" wrote: > >> "Change password at next login" is not supported via any type of LDAP >> auth >> which is what the membership provider uses, so essentially you can't do >> this. As far as I know, you can only support this feature via >> interactive >> logon. >> >> Joe K. >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "dknight" <dknight@discussions.microsoft.com> wrote in message >> news:352A1A2B-BFE7-4836-912D-52B5AC84B262@microsoft.com... >> > I'm using AD for my asp.net c# forms authentication. The login control >> > works >> > great. >> > However we need the provider to force a change of password when the AD >> > account's "User must change password on next login" attribute is set to >> > true. >> > Using DirectoryServices I can check to see if the attribute is set but >> > when >> > I try to use the ChangePassword control it won't reset the password. I >> > get >> > a >> > "Password incorrect or New Password invalid. New Password length >> > minimum: >> > 7. >> > Non-alphanumeric characters required: 1" warning even though Iv'e met >> > the >> > password rules. >> > Does this provider support the ChangePassword control? >> > Thanks. >> > >> >> >>
This web app is externally facing and needs to use AD in our DMZ.
The process for creating and maintaining user accounts is this: 1. a user requests an account using our web page. 2. when approved, a LDAP call is made to create the account in AD. 2a. the LDAP call creates the user. 2b. sets a temporary password. 2c. the password needs to be a temporary one. So the LDAP call sets the "user must change password on next login" attribute. (we thought we could force a change password by using this attribute) 2d. when logging, in the web app(using ActiveDirectoryMembershipProvider) needs to detect that the password they are using is a temporary one and then force a change of the password. How would you suggest this be done? If the ActiveDirectoryMembershipProvider does not support this attribute is there another way of getting this funcitonality? Maybe a combination of ActiveDirectoryMembershipProvider and DirectoryServices coding to check the attribute not supported? Hope this makes sense. -Dan [quoted text, click to view] "Joe Kaplan" wrote:
> When you log on to a workstation or server at the terminal or through > terminal services. > > Joe K. > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "dknight" <dknight@discussions.microsoft.com> wrote in message > news:55F5AD40-A86E-452F-980A-45FA83B9E63D@microsoft.com... > > What is an interactive logon? > > > > "Joe Kaplan" wrote: > > > >> "Change password at next login" is not supported via any type of LDAP > >> auth > >> which is what the membership provider uses, so essentially you can't do > >> this. As far as I know, you can only support this feature via > >> interactive > >> logon. > >> > >> Joe K. > >> -- > >> Joe Kaplan-MS MVP Directory Services Programming > >> Co-author of "The .NET Developer's Guide to Directory Services > >> Programming" > >> http://www.directoryprogramming.net > >> -- > >> "dknight" <dknight@discussions.microsoft.com> wrote in message > >> news:352A1A2B-BFE7-4836-912D-52B5AC84B262@microsoft.com... > >> > I'm using AD for my asp.net c# forms authentication. The login control > >> > works > >> > great. > >> > However we need the provider to force a change of password when the AD > >> > account's "User must change password on next login" attribute is set to > >> > true. > >> > Using DirectoryServices I can check to see if the attribute is set but > >> > when > >> > I try to use the ChangePassword control it won't reset the password. I > >> > get > >> > a > >> > "Password incorrect or New Password invalid. New Password length > >> > minimum: > >> > 7. > >> > Non-alphanumeric characters required: 1" warning even though Iv'e met > >> > the > >> > password rules. > >> > Does this provider support the ChangePassword control? > >> > Thanks. > >> > > >> > >> > >> > >
thanks Joe. Very helpful
[quoted text, click to view] "Joe Kaplan" wrote:
> You'll have to custom code that somehow with some sort of "enhanced" AD > membership provider (if you still want to use the membership provider for > the provisioning piece and not just the credentials validation). You won't > be able to use the native function for "user must change password at next > logon". > > Essentially, you would need to store some value in the user account > indicating "first logon" and if that is set, force the user to change the > password in the UI. Then, when that password change is done you would > update the value so that "first logon" would not be set. > > You could probably do something like this fairly easy by just putting a > value into an existing AD attribute that you aren't using for anything else. > The rest of it would be logic you would have to build into your user > management UI. > > Joe K. > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "dknight" <dknight@discussions.microsoft.com> wrote in message > news:A27AC1EE-CB90-489A-8F90-98D9569EA859@microsoft.com... > > This web app is externally facing and needs to use AD in our DMZ. > > > > The process for creating and maintaining user accounts is this: > > 1. a user requests an account using our web page. > > 2. when approved, a LDAP call is made to create the account in AD. > > 2a. the LDAP call creates the user. > > 2b. sets a temporary password. > > 2c. the password needs to be a temporary one. So the LDAP call sets the > > "user must change password on next login" attribute. (we thought we could > > force a change password by using this attribute) > > 2d. when logging, in the web app(using ActiveDirectoryMembershipProvider) > > needs to detect that the password they are using is a temporary one and > > then > > force a change of the password. > > > > How would you suggest this be done? > > If the ActiveDirectoryMembershipProvider does not support this attribute > > is > > there another way of getting this funcitonality? Maybe a combination of > > ActiveDirectoryMembershipProvider and DirectoryServices coding to check > > the > > attribute not supported? > > > > Hope this makes sense. > > > > -Dan > > > > "Joe Kaplan" wrote: > > > >> When you log on to a workstation or server at the terminal or through > >> terminal services. > >> > >> Joe K. > >> -- > >> Joe Kaplan-MS MVP Directory Services Programming > >> Co-author of "The .NET Developer's Guide to Directory Services > >> Programming" > >> http://www.directoryprogramming.net > >> -- > >> "dknight" <dknight@discussions.microsoft.com> wrote in message > >> news:55F5AD40-A86E-452F-980A-45FA83B9E63D@microsoft.com... > >> > What is an interactive logon? > >> > > >> > "Joe Kaplan" wrote: > >> > > >> >> "Change password at next login" is not supported via any type of LDAP > >> >> auth > >> >> which is what the membership provider uses, so essentially you can't > >> >> do > >> >> this. As far as I know, you can only support this feature via > >> >> interactive > >> >> logon. > >> >> > >> >> Joe K. > >> >> -- > >> >> Joe Kaplan-MS MVP Directory Services Programming > >> >> Co-author of "The .NET Developer's Guide to Directory Services > >> >> Programming" > >> >> http://www.directoryprogramming.net > >> >> -- > >> >> "dknight" <dknight@discussions.microsoft.com> wrote in message > >> >> news:352A1A2B-BFE7-4836-912D-52B5AC84B262@microsoft.com... > >> >> > I'm using AD for my asp.net c# forms authentication. The login > >> >> > control > >> >> > works > >> >> > great. > >> >> > However we need the provider to force a change of password when the > >> >> > AD > >> >> > account's "User must change password on next login" attribute is set > >> >> > to > >> >> > true. > >> >> > Using DirectoryServices I can check to see if the attribute is set > >> >> > but > >> >> > when > >> >> > I try to use the ChangePassword control it won't reset the password. > >> >> > I > >> >> > get > >> >> > a > >> >> > "Password incorrect or New Password invalid. New Password length > >> >> > minimum: > >> >> > 7. > >> >> > Non-alphanumeric characters required: 1" warning even though Iv'e > >> >> > met > >> >> > the > >> >> > password rules. > >> >> > Does this provider support the ChangePassword control? > >> >> > Thanks. > >> >> > > >> >> > >> >> > >> >> > >> > >> > >> > >
You'll have to custom code that somehow with some sort of "enhanced" AD
membership provider (if you still want to use the membership provider for the provisioning piece and not just the credentials validation). You won't be able to use the native function for "user must change password at next logon". Essentially, you would need to store some value in the user account indicating "first logon" and if that is set, force the user to change the password in the UI. Then, when that password change is done you would update the value so that "first logon" would not be set. You could probably do something like this fairly easy by just putting a value into an existing AD attribute that you aren't using for anything else. The rest of it would be logic you would have to build into your user management UI. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "dknight" <dknight@discussions.microsoft.com> wrote in message news:A27AC1EE-CB90-489A-8F90-98D9569EA859@microsoft.com... > This web app is externally facing and needs to use AD in our DMZ. > > The process for creating and maintaining user accounts is this: > 1. a user requests an account using our web page. > 2. when approved, a LDAP call is made to create the account in AD. > 2a. the LDAP call creates the user. > 2b. sets a temporary password. > 2c. the password needs to be a temporary one. So the LDAP call sets the > "user must change password on next login" attribute. (we thought we could > force a change password by using this attribute) > 2d. when logging, in the web app(using ActiveDirectoryMembershipProvider) > needs to detect that the password they are using is a temporary one and > then > force a change of the password. > > How would you suggest this be done? > If the ActiveDirectoryMembershipProvider does not support this attribute > is > there another way of getting this funcitonality? Maybe a combination of > ActiveDirectoryMembershipProvider and DirectoryServices coding to check > the > attribute not supported? > > Hope this makes sense. > > -Dan > > "Joe Kaplan" wrote: > >> When you log on to a workstation or server at the terminal or through >> terminal services. >> >> Joe K. >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "dknight" <dknight@discussions.microsoft.com> wrote in message >> news:55F5AD40-A86E-452F-980A-45FA83B9E63D@microsoft.com... >> > What is an interactive logon? >> > >> > "Joe Kaplan" wrote: >> > >> >> "Change password at next login" is not supported via any type of LDAP >> >> auth >> >> which is what the membership provider uses, so essentially you can't >> >> do >> >> this. As far as I know, you can only support this feature via >> >> interactive >> >> logon. >> >> >> >> Joe K. >> >> -- >> >> Joe Kaplan-MS MVP Directory Services Programming >> >> Co-author of "The .NET Developer's Guide to Directory Services >> >> Programming" >> >> http://www.directoryprogramming.net >> >> -- >> >> "dknight" <dknight@discussions.microsoft.com> wrote in message >> >> news:352A1A2B-BFE7-4836-912D-52B5AC84B262@microsoft.com... >> >> > I'm using AD for my asp.net c# forms authentication. The login >> >> > control >> >> > works >> >> > great. >> >> > However we need the provider to force a change of password when the >> >> > AD >> >> > account's "User must change password on next login" attribute is set >> >> > to >> >> > true. >> >> > Using DirectoryServices I can check to see if the attribute is set >> >> > but >> >> > when >> >> > I try to use the ChangePassword control it won't reset the password. >> >> > I >> >> > get >> >> > a >> >> > "Password incorrect or New Password invalid. New Password length >> >> > minimum: >> >> > 7. >> >> > Non-alphanumeric characters required: 1" warning even though Iv'e >> >> > met >> >> > the >> >> > password rules. >> >> > Does this provider support the ChangePassword control? >> >> > Thanks. >> >> > >> >> >> >> >> >> >> >> >>
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |