Velocity Reviews


Evgeny Zoldin 11-23-2004 09:13 PM

How to change user account properties by ASP.NET?
 
Hi ALL.

I have the configuration:
1. WinXP PRO with MS IIS 5.0 and installed ASP.NET
2. ASP.NET application A configured to authenticate only users from
local Users group.

I would like to do the following:
Logged on user is able through ASP.NET-Pages to change its own Logon
Username, Password and Full Name

I tried to implement it by the code (C#):

DirectoryEntry deCurrUser = new DirectoryEntry("WinNT://" +
User.Identity.Name);
deCurrUser.Invoke("SetPassword", new string[]{"123"} ); // ***

If the logged on user belongs only to Users group then the statement ***
causes Exception "SystemUnautherizedException: General access denied error".
But as soon as that user has been included into Administrators group the
statement *** is executed well.

I know about impersonation possibility, but it requires to type clear
Administrators username and password in code-behind class that will be
published on target server.

So, what should I do in order to give to user the ability to change its
username, password and full name?
Maybe organize a group on the target server, add the users to the group
and grant this group some special rights?

Thanx
Evgeny



Scott Allen 11-23-2004 09:32 PM

Re: How to change user account properties by ASP.NET?
 
Hi Evgeny:

>I know about impersonation possibility, but it requires to type clear
>Administrators username and password in code-behind class that will be
>published on target server.


If you use
<identity impersonate="true"/>
in the web.config file, then you are impersonating the client without
using an explicit username / password. This is probably the safest
approach, because only local admins would be able to change the
passwords for the local users.

You can put username and password attributes in the <identity>
element and have the password encrypted in the registry. This is
described in the remarks section of the following:
http://msdn.microsoft.com/library/de...itysection.asp

Note however, that all users will then have a request impersonating an
admin, so it's a dangerous approach.

--
Scott
http://www.OdeToCode.com/blogs/scott/

Joe Kaplan (MVP - ADSI) 11-23-2004 09:49 PM

Re: How to change user account properties by ASP.NET?
 
Normally, a user can only call ChangePassword on themselves, not
ResetPassword. Administrators generally have rights to ResetPassword. The
latter doesn't require knowing the old password, the former does.

I think that will solve it.

Joe K.





Evgeny Zoldin 11-23-2004 10:37 PM

Re: How to change user account properties by ASP.NET?
 
Hi Scott,

thanks a lot for your help. One more question: is it possible to use
impersonation not for the whole application but only for a selected page,
namely the one where the user will change their data under the impersonated
Admin account?

Thank you in advance

Evgeny





Evgeny Zoldin 11-23-2004 10:40 PM

Re: How to change user account properties by ASP.NET?
 
Hi Joe,

thank you for your advice, but how can I get the oldPassword of the currently
logged-on user in ASP.NET to feed to the ChangePassword method?

Evgeny





Joe Kaplan (MVP - ADSI) 11-23-2004 11:01 PM

Re: How to change user account properties by ASP.NET?
 
You would have to ask them for it unless you are using Basic authentication,
in which case you can just read the auth_password header. Most password
change processes prompt the user to enter the old password as well as the
new one to verify that the current user actually knows the old one, so I
don't think users will be too bothered by this.

Joe K.
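
An added example (not code from the thread or from any of its posters) of the self-service change described above: the page asks for the old and new password and calls the ADSI WinNT provider's ChangePassword through DirectoryEntry.Invoke, instead of the SetPassword call from the original question. The LocalAccount class, its method names and the sample account WEBSRV01\alice are hypothetical; the account name comes from User.Identity.Name, never from a form field.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

// Added example: hypothetical helper, not code from the thread.
public static class LocalAccount
{
    // identityName is what User.Identity.Name returns under Windows
    // authentication, e.g. "WEBSRV01\alice" (constructed sample value).
    public static string ToWinNTPath(string identityName)
    {
        string[] parts = identityName.Split('\\');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            throw new ArgumentException("Expected MACHINE\\user", "identityName");
        // The WinNT provider addresses accounts as WinNT://MACHINE/user,user
        return "WinNT://" + parts[0] + "/" + parts[1] + ",user";
    }

    // Returns null on success, otherwise a message safe to show the user.
    public static string ChangeOwnPassword(string identityName,
                                           string oldPassword,
                                           string newPassword)
    {
        try
        {
            using (DirectoryEntry user = new DirectoryEntry(ToWinNTPath(identityName)))
            {
                // ChangePassword is checked against the old password, so the
                // request does not have to run as an administrator.
                user.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
            }
            return null;
        }
        catch (TargetInvocationException ex)
        {
            // ADSI failures (wrong old password, policy violation) arrive as a
            // COMException wrapped by Invoke; log the code, show a generic error.
            COMException com = ex.InnerException as COMException;
            System.Diagnostics.Trace.TraceWarning(
                "Password change failed for {0}: 0x{1:X8}",
                identityName, com != null ? com.ErrorCode : 0);
            return "The password could not be changed. Check the old password and the password policy.";
        }
    }
}
```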





Scott Allen 11-24-2004 01:44 AM

Re: How to change user account properties by ASP.NET?
 
Yes, Evgeny. One way to do this is with a <location> entry.
http://msdn.microsoft.com/library/de...ionelement.asp

--
Scott
http://www.OdeToCode.com/blogs/scott/
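
Scoping impersonation to a single page with a <location> entry, as an added web.config example that is not from the thread; the page name ChangeAccount.aspx is hypothetical. It uses impersonate="true" without userName/password attributes, so the page runs as the authenticated caller and no administrator credential is held by the application.

```xml
<!-- Added example; ChangeAccount.aspx is a hypothetical page name. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- Application default: code runs as the worker process account. -->
    <identity impersonate="false" />
  </system.web>

  <!-- Only this page runs under the identity of the authenticated caller. -->
  <location path="ChangeAccount.aspx">
    <system.web>
      <identity impersonate="true" />
      <authorization>
        <!-- Reject anonymous requests so there is always a caller to impersonate. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```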




