Re: impersonation works on local xp not on web server

From: Joe Kaplan \(MVP - ADSI\) (
Date: 05/02/04

Date: Sun, 2 May 2004 10:41:40 -0500

Sorry for the delay. Below is a .NET ChangePassword routine I put together
for someone else. It basically attempts to find the user in AD by their
username using their old password to authenticate to AD. If it succeeds, it
tries the ChangePassword function.

One thing to watch out for is that ChangePassword only wants to work on a
128 secure SSL connection to the DC. Make sure you have your DC configured
with a valid certificate and you bind to it with the DNS name that the cert
is issued to.


Joe K.

    Private Sub ChangePassword(ByVal username As String, ByVal oldPassword
As String, ByVal newPassword As String)

        Dim dcDNS As String = "" 'use this if you want to supply a
server name
        Dim rootDN As String
        Dim rootDSE As DirectoryEntry
        Dim searchRoot As DirectoryEntry
        Dim userEntry As DirectoryEntry
        Dim searcher As DirectorySearcher
        Dim results As SearchResultCollection
        Dim result As SearchResult

            'note the authenicationtypes here
            'you need to either use SecureSocketsLayer for ChangePasswor
            rootDSE = New DirectoryEntry(String.Format("LDAP://{0}/rootDSE",
dcDNS), username, oldPassword, AuthenticationTypes.Secure Or
AuthenticationTypes.SecureSocketsLayer Or AuthenticationTypes.ServerBind)
            rootDN =
DirectCast(rootDSE.Properties("defaultNamingContext").Value, String)
            searchRoot = New DirectoryEntry(String.Format("LDAP://{0}/{1}",
dcDNS, rootDN), username, oldPassword, AuthenticationTypes.Secure Or
AuthenticationTypes.SecureSocketsLayer Or AuthenticationTypes.ServerBind)
            searcher = New DirectorySearcher(searchRoot)
            searcher.Filter = String.Format("sAMAccountName={0}", username)
            searcher.SearchScope = SearchScope.Subtree
            searcher.CacheResults = False

            'I use FindAll here because FindOne leaks memory if it does not
find anything
            'in .NET 1.0 and 1.1
            results = searcher.FindAll()
            For Each result In results
                'only use this method on .NET 1.1 or higher
                'otherwise, get the adsPath value and build a new
DirectoryEntry with the supplied credentials
                userEntry = result.GetDirectoryEntry()
                Exit For 'this is redundant because sAMAccountName is unique
in the domain, but it is done for clarity

            If userEntry Is Nothing Then
                Throw New InvalidOperationException("User not found in this
            End If

            userEntry.Invoke("ChangePassword", New Object() {oldPassword,

        Catch ex As System.Reflection.TargetInvocationException
            Throw ex.InnerException

        Finally 'these prevent other memory leaks
            If Not userEntry Is Nothing Then userEntry.Dispose()
            If Not results Is Nothing Then results.Dispose()
            If Not searcher Is Nothing Then searcher.Dispose()
            If Not searchRoot Is Nothing Then searchRoot.Dispose()
            If Not rootDSE Is Nothing Then rootDSE.Dispose()
        End Try
    End Sub

<> wrote in message
> I am trying to change passwords against AD. Any help would be appreciated.
> Thanks in advance!
> Sam

Relevant Pages