ActiveDirectoryMembershipProvider & ChangePassword control

 
 
dknight
 
      05-14-2008
I'm using AD for my asp.net c# forms authentication. The login control works
great.
However we need the provider to force a change of password when the AD
account's "User must change password on next login" attribute is set to true.
Using DirectoryServices I can check to see if the attribute is set but when
I try to use the ChangePassword control it won't reset the password. I get a
"Password incorrect or New Password invalid. New Password length minimum: 7.
Non-alphanumeric characters required: 1" warning even though I've met the
password rules.
Does this provider support the ChangePassword control?
Thanks.

 
Joe Kaplan
 
      05-14-2008
"Change password at next login" is not supported via any type of LDAP auth
which is what the membership provider uses, so essentially you can't do
this. As far as I know, you can only support this feature via interactive
logon.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
 
 
 
 
dknight
 
      05-14-2008
What is an interactive logon?
 
Joe Kaplan
 
      05-14-2008
When you log on to a workstation or server at the terminal or through
terminal services.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
 
dknight
 
      05-15-2008
This web app is externally facing and needs to use AD in our DMZ.

The process for creating and maintaining user accounts is this:
1. a user requests an account using our web page.
2. when approved, a LDAP call is made to create the account in AD.
2a. the LDAP call creates the user.
2b. sets a temporary password.
2c. the password needs to be a temporary one. So the LDAP call sets the
"user must change password on next login" attribute. (we thought we could
force a change password by using this attribute)
2d. when logging in, the web app (using ActiveDirectoryMembershipProvider)
needs to detect that the password they are using is a temporary one and then
force a change of the password.

How would you suggest this be done?
If the ActiveDirectoryMembershipProvider does not support this attribute is
there another way of getting this functionality? Maybe a combination of
ActiveDirectoryMembershipProvider and DirectoryServices coding to check the
attribute not supported?

Hope this makes sense.

-Dan
 
Joe Kaplan
 
      05-15-2008
You'll have to custom code that somehow with some sort of "enhanced" AD
membership provider (if you still want to use the membership provider for
the provisioning piece and not just the credentials validation). You won't
be able to use the native function for "user must change password at next
logon".

Essentially, you would need to store some value in the user account
indicating "first logon" and if that is set, force the user to change the
password in the UI. Then, when that password change is done you would
update the value so that "first logon" would not be set.

You could probably do something like this fairly easily by just putting a
value into an existing AD attribute that you aren't using for anything else.
The rest of it would be logic you would have to build into your user
management UI.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
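
One way to implement the "first logon" flag described in this reply, as an added C# example that is not code from the thread or from Joe Kaplan. Assumptions: the membership provider maps usernames to sAMAccountName, the otherwise unused "comment" attribute holds the flag, and the class name, page paths and service-account parameters are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Text.RegularExpressions;
using System.Web.Security;

// Added example. Assumptions: usernames map to sAMAccountName, "comment" is unused,
// and only the service account (never the user) may write to that attribute.
public sealed class TemporaryPasswordGate
{
    private const string FlagAttribute = "comment";         // assumption
    private const string FlagValue = "MustChangePassword";  // constructed marker
    private readonly string _ldapPath, _svcUser, _svcPassword;
    public TemporaryPasswordGate(string ldapPath, string svcUser, string svcPassword)
    { _ldapPath = ldapPath; _svcUser = svcUser; _svcPassword = svcPassword; }

    // Returns the page to redirect to. No auth ticket is issued while the flag is set.
    public string SignIn(string user, string password)
    {
        if (!Membership.ValidateUser(user, password)) return "~/Login.aspx";
        if (IsSet(user)) return "~/ChangePassword.aspx";
        FormsAuthentication.SetAuthCookie(user, false);
        return "~/Default.aspx";
    }

    // Clears the flag only after the directory has accepted the new password.
    public bool ChangePassword(string user, string oldPassword, string newPassword)
    {
        MembershipUser account = Membership.GetUser(user);
        if (account == null || !account.ChangePassword(oldPassword, newPassword)) return false;
        Clear(user);
        return true;
    }

    // Provisioning calls Set() instead of the native "must change password" option.
    public void Set(string user) { Write(user, FlagValue); }
    public void Clear(string user) { Write(user, null); }
    public bool IsSet(string user)
    {
        using (DirectoryEntry entry = Find(user))
            return FlagValue.Equals(entry.Properties[FlagAttribute].Value as string);
    }

    private void Write(string user, string value)
    {
        using (DirectoryEntry entry = Find(user))
        {
            entry.Properties[FlagAttribute].Value = value;  // null removes the attribute
            entry.CommitChanges();
        }
    }

    private DirectoryEntry Find(string user)
    {
        using (var root = new DirectoryEntry(_ldapPath, _svcUser, _svcPassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            // The name comes from an Internet-facing form, so escape it for the filter.
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + Escape(user) + "))";
            SearchResult hit = searcher.FindOne();
            if (hit == null) throw new InvalidOperationException("User not found.");
            return new DirectoryEntry(hit.Path, _svcUser, _svcPassword, AuthenticationTypes.Secure);
        }
    }

    private static string Escape(string value)  // RFC 4515 special characters
    {
        return Regex.Replace(value, @"[\\*()\x00]", m => "\\" + ((int)m.Value[0]).ToString("x2"));
    }
}
```

The change-password page has the user re-enter the temporary password and calls ChangePassword(); every other page requires the forms ticket that SignIn() withholds while the flag is set.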
 
dknight
 
      05-15-2008
thanks Joe. Very helpful
 
Sylvain Girard
 
      04-27-2010
Sorry for this very late reply, but I'm facing the same kind of situation as dknight.
The way I'm trying to handle it is this:
- user opens page
- enter current credentials + new password
- clicks OK button
- in the ChangingPassword event I use a DirectoryEntry object to uncheck that "Change password on next logon" field and use membership.validate to check the entered credentials, if invalid, check that particular option again

I still got a problem I can't put my finger on and that is when unchecking that option, the user validates, but the password isn't changed. When the user tries to change his password a second time, he is able to do it. The reason for this is that when he tries to do it the second time, the option is already unchecked.

This makes me think about some kind of delay, or maybe that password change control tries to validate the user before firing the ChangingPassword event...


