Last post Jun 15, 2006 12:41 PM by dunnry
May 25, 2006 03:02 PM|gsathya|LINK
I am developing an ASP.NET (C#) web Authentication Module to authenticate users and allow them to change their passwords before their password expires. Here are the steps the application does:
1. The user-provided user name and password are validated against AD using LDAP.
2. Once the user is authenticated, compute when the user's password will expire based on maximum password age and password last set.
3. If the password is going to expire within a predefined period (14 days), then take the user to the change password page/warning page, where the user can change their password or continue. In the application I used the "change password" option, not "reset password".
The user logs in to AD with their credentials and changes their password. You know that AD allows you to change your own password.
Everything works fine, but the problem came when the user's password expired (the reason may be that the user did not change the password during the warning period and the password expired, or they did not log in to the application for a while).
Once the password is expired, even when the user provides a valid user name and password, the LDAP call always returns an exception "Invalid Username or bad password" because of the expired password. So based on the exception the application won't know whether the login attempt failed because of a bad password or an expired password.
Need advice/model on how to handle this situation. The requirement is: when a login attempt fails I need to find out whether login failed because of password expiry or a bad uname/password. If password expiry, then the application must present the user with a forced change password page, and the user must change their password.
Thanks in advance
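The two calculations the post above describes, as an added example that is not code from the thread: working out the expiry date from the account's `pwdLastSet` and the domain's `maxPwdAge`, and telling an expired password apart from a bad one. For the second part the example assumes the bind is done with `System.DirectoryServices.Protocols.LdapConnection`, whose `LdapException.ServerErrorMessage` carries the AD sub-code ("data 532" for an expired password, "data 52e" for bad credentials); the attribute values and the error string below are constructed sample data, not values read from a directory.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not from the original thread. Raw attribute values are constructed
// here; a real module reads them with System.DirectoryServices and passes the
// server's error string from a failed LdapConnection.Bind() into ExplainBindFailure.
public static class PasswordExpiryCheck
{
    // userAccountControl bit "password never expires" (ADS_UF_DONT_EXPIRE_PASSWD).
    const int DontExpirePassword = 0x10000;
    const int WarningDays = 14;

    // pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC).
    // maxPwdAge (on the domain root object) is a negative duration in the same units.
    public static DateTime? ExpiresAt(long pwdLastSet, long maxPwdAge, int userAccountControl)
    {
        if ((userAccountControl & DontExpirePassword) != 0) return null; // never expires
        if (maxPwdAge == 0 || maxPwdAge == long.MinValue) return null;   // domain has no maximum age
        if (pwdLastSet == 0) return DateTime.MinValue;                   // "must change at next logon"
        DateTime lastSet = DateTime.FromFileTimeUtc(pwdLastSet);
        return lastSet.AddTicks(-maxPwdAge); // subtracting the negative age adds the duration
    }

    public enum Disposition { Ok, WarnSoon, Expired, NeverExpires }

    public static Disposition Classify(DateTime? expiresAt, DateTime now)
    {
        if (expiresAt == null) return Disposition.NeverExpires;
        if (expiresAt.Value <= now) return Disposition.Expired;
        if ((expiresAt.Value - now).TotalDays <= WarningDays) return Disposition.WarnSoon;
        return Disposition.Ok;
    }

    // AD answers every failed simple bind with LDAP result 49 (invalid credentials), but the
    // server message contains a sub-code: 52e = bad user name or password, 532 = password
    // expired, 773 = must change password, 533 = account disabled, 701 = account expired,
    // 775 = account locked out. Only 532/773 should lead to the forced change-password page.
    public static string ExplainBindFailure(string serverErrorMessage)
    {
        Match m = Regex.Match(serverErrorMessage ?? "", @"data ([0-9a-fA-F]+)");
        if (!m.Success) return "unknown";
        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "52e": return "bad credentials";
            case "532": return "password expired";
            case "773": return "must change password";
            case "533": return "account disabled";
            case "701": return "account expired";
            case "775": return "account locked out";
            default:    return "unknown";
        }
    }

    public static void Main()
    {
        // Constructed sample: password set 80 days ago, domain maxPwdAge = 90 days.
        DateTime now = DateTime.UtcNow;
        long pwdLastSet = now.AddDays(-80).ToFileTimeUtc();
        long maxPwdAge = -TimeSpan.FromDays(90).Ticks;

        DateTime? exp = ExpiresAt(pwdLastSet, maxPwdAge, 0x200); // 0x200 = NORMAL_ACCOUNT
        Console.WriteLine("expires {0:u}: {1}", exp, Classify(exp, now)); // WarnSoon, ~10 days left

        // Constructed sample of the server message a bind returns once the password has expired.
        string msg = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1";
        Console.WriteLine(ExplainBindFailure(msg)); // password expired
    }
}
```

The expiry computation is what lets the warning page work at all; the sub-code check is what the first post is missing, because the generic "Invalid Username or bad password" text hides the distinction. Treat any code other than 532 or 773 as an ordinary failed logon so the login page does not reveal whether an account exists or is disabled.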
May 25, 2006 03:15 PM|gsathya|LINK
May 25, 2006 03:20 PM|dunnry|LINK
May 25, 2006 03:48 PM|gsathya|LINK
First.. Thanks for the fast response. I understand the first part. Let us assume that I have used some other/dummy credentials to check the user's account state and I have found that it is a valid account but the password for that account is expired. In that case how do I do the second step you have mentioned (if the account is in a valid state, then use their credentials to bind and change password), because with their (user's) user name and pwd, you won't be able to even bind to AD (since the password is expired).
Hope I am not making this difficult on you..
May 25, 2006 04:53 PM|gsathya|LINK
To make it simpler.. what my client is asking is.. in a Windows environment, if the users are able to log in and change password (grace login) even after their password expired, why can't this happen in the web/forms world. All they want is for the users to change their passwords themselves even after their password expired.
The only thing I am thinking needs to happen now is.. I will propose to my client that, if the password is expired for the user (because of various reasons), then one of the following things should happen:
1. User must contact the admin to reset the password.
2. Develop another module which will use an impersonated account to reset their password and send the info securely.
3. Develop another module which will ask a whole lot of questions like security question/answer, validate the user, then allow the user to specify a new password. In this case also I still need to use an impersonated account to do the password reset.
What do you think. Please let me know whether there is any other model you know of that can handle this situation.
May 26, 2006 10:00 AM|dunnry|LINK
May 26, 2006 12:39 PM|gsathya|LINK
May 26, 2006 04:39 PM|gsathya|LINK
Jun 14, 2006 05:26 PM|myourshaw|LINK
Jun 15, 2006 12:41 PM|dunnry|LINK