Last post Feb 05, 2009 04:39 AM by jovenatheart
Nov 23, 2007 04:42 AM | jovenatheart
Some help needed here. I have a web application that is authenticating against the AD. I'm on Windows authentication and that bit is working fine.
In a Windows LAN environment, when the "user must change password on next logon" or similar option is checked in the AD, the dialogue box to change the password is presented to the user. However, it won't work in the web application environment. Does anyone have any idea if there's some error or property that I can catch to get the users to change the password?
If not, then what's the usual algorithm like to implement something like this? Or should I be using Forms authentication? Any hints would be greatly appreciated.
Thanks in advance.
Nov 23, 2007 06:24 AM | johram
The attribute pwdLastSet has a value of zero when "User must change password at next logon" is checked. So you should be able to read this attribute and act upon it.
Nov 25, 2007 10:00 PM | jovenatheart
Thanks. It does what I want, but I also realised that I can't check the "change password on logon" option. Otherwise, whatever I'm doing can't work.
Thanks once again. :)
May 30, 2008 01:10 PM | kphan714
I am also looking for a resolution for this case.
Unfortunately the suggestion to read the pwdLastSet attribute does not work, because the user is unable to authenticate against IIS when "User must change password at next logon" is checked. So the login attempt fails and the user is unable to even enter the ASP.NET code.
Does anyone have a suggestion on how to get this to work, or know if this is even possible to achieve?
Jun 01, 2008 10:07 PM | jovenatheart
I actually managed to sort this one out a couple of months ago.
What I eventually did is to remove the "user must change password at next logon" option and the "expire password" option. I coded something in place of those options in my code. So it's kind of a bash-through approach, but with a deadline, it works, so who really cares...
So what I did is, when the user enters the pages, I check for the pwdLastSet field in the AD. The value should be null or 1/1/1601 (can't remember offhand) if the password hasn't been changed before. So in my code, when I see that the date is either of those values, I redirect the user to a page which requires them to change their password.
Jan 26, 2009 10:57 AM | jclaudias
Exactly what I was looking for. The only thing for me is that I am very new to ASP.NET. I am not sure if I need to create a script or another ASP.NET page. Any suggestions on a step-by-step approach to make this work?
Jan 27, 2009 11:26 AM | jovenatheart
I created another ASP.NET page that doesn't display to the user. I just redirect there, process the stuff, then redirect accordingly. I guess you could create a class that your page can call or something if you want.
Jan 27, 2009 01:30 PM | jclaudias
How exactly is it done? This is where I am leaning: if I could create a script or ASP.NET page in the background that will look at the local user account to see if the password change variable is 1, which then would redirect the user to a password.asp page I have, then once they change to a new password and hit OK, the script will redirect them to the desired page. If the user's password change variable is 0, they log in to the page normally.
Does this make sense, and would you have any suggestions on how to go about this?
Feb 05, 2009 04:39 AM | jovenatheart
Here's what I have in my code, and it should help.
// you need a user id and password to the AD to retrieve any information from the AD. it also needs to have sufficient rights.
// (needs: using System; using System.Configuration; using System.DirectoryServices;)
string domain = ConfigurationManager.ConnectionStrings["ADConnectionString"].ConnectionString;
string adUser = ConfigurationManager.ConnectionStrings["ADUserId"].ConnectionString;
string adPassword = ConfigurationManager.ConnectionStrings["ADUserPassword"].ConnectionString;
// I copied this off somewhere.. it worked for me so i'm not going to question why
DirectoryEntry deRoot = new DirectoryEntry(domain, adUser, adPassword, AuthenticationTypes.Secure);
DirectorySearcher deSearch = new DirectorySearcher(deRoot);
deSearch.Filter = "(&(objectCategory=user)(ANR=" + <some field to find your user > + "))";
deSearch.PropertiesToLoad.Add("pwdLastSet");
SearchResult oRes = deSearch.FindOne();
// pwdLastSet comes back as a FILETIME (Int64); a value of 0 converts to 1/1/1601, which is the "never changed" case
LoginSession.LastPasswordChange = DateTime.FromFileTimeUtc((long)oRes.Properties["pwdLastSet"][0]);
DateTime temp = new DateTime(1601, 1, 1);
TimeSpan ts = DateTime.UtcNow.Subtract(LoginSession.LastPasswordChange);
TimeSpan ts1 = DateTime.Now.Subtract(LoginSession.LastLogin);
if (ts1.Days > 90)
{
    // no logon for more than 90 days: handle as your own policy requires
}
else if (LoginSession.LastPasswordChange == temp) // users have to change password on first logon
{
    Response.Redirect("ChangePassword.aspx"); // your own change-password page
}
else if (ts.Days > 90 && ts1.Days < 90) // users have to change password after 90 days.
{
    Response.Redirect("ChangePassword.aspx");
}
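The pwdLastSet check the thread settles on, written out as a small reusable helper. This is an added example, not jovenatheart's code or any project's API; the type names (PasswordState, PasswordPolicyCheck), the 90-day age parameter and the use of sAMAccountName instead of ANR are my assumptions. It escapes the user name before it goes into the LDAP filter (the snippet above concatenates it raw), reads pwdLastSet and userAccountControl in one query, and keeps the decision logic separate so it can be unit-tested with fixed values.

```csharp
using System;
using System.DirectoryServices;
using System.Text;
// Added example, not the thread's code. Type and method names are my own.
public enum PasswordState { MustChangeNow, Expired, NeverExpires, Ok }
public static class PasswordPolicyCheck
{
    const int DONT_EXPIRE_PASSWORD = 0x10000; // userAccountControl bit: password never expires
    // Escape a value placed inside an LDAP filter (RFC 4515) so a typed user name cannot change the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        return sb.ToString();
    }
    // Decision logic kept free of AD calls so it can be unit-tested with fixed inputs.
    public static PasswordState Evaluate(long pwdLastSet, int userAccountControl, int maxAgeDays, DateTime nowUtc)
    {
        if (pwdLastSet == 0) return PasswordState.MustChangeNow;   // "must change at next logon" was set
        if ((userAccountControl & DONT_EXPIRE_PASSWORD) != 0) return PasswordState.NeverExpires;
        DateTime lastSet = DateTime.FromFileTimeUtc(pwdLastSet);    // FILETIME: 100ns ticks since 1601-01-01 UTC
        return (nowUtc - lastSet).TotalDays > maxAgeDays ? PasswordState.Expired : PasswordState.Ok;
    }
    // root: a DirectoryEntry bound with the service account, as in the thread.
    // samAccountName: the logged-on user (User.Identity.Name with the DOMAIN\ prefix removed).
    public static PasswordState Check(DirectoryEntry root, string samAccountName, int maxAgeDays)
    {
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.AddRange(new[] { "pwdLastSet", "userAccountControl" });
            SearchResult res = searcher.FindOne();
            if (res == null) throw new InvalidOperationException("account not found: " + samAccountName);
            long pwdLastSet = (long)res.Properties["pwdLastSet"][0];
            int uac = (int)res.Properties["userAccountControl"][0];
            return Evaluate(pwdLastSet, uac, maxAgeDays, DateTime.UtcNow);
        }
    }
}
```

A page can call Check(deRoot, name, 90) and redirect to its change-password page on MustChangeNow or Expired; note that, as kphan714 points out above, the AD flag itself must stay unchecked or Windows authentication in IIS rejects the user before this code runs.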