Re: AD password policy in Forms auth against AD
From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 12/18/04
- Previous message: Nils Magnus Englund: "Re: AD password policy in Forms auth against AD"
- In reply to: Nils Magnus Englund: "Re: AD password policy in Forms auth against AD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 18 Dec 2004 11:40:42 -0600
You might look into the built in facility with IIS6 to do some password
management stuff. There is some sample application that comes with it that
handles a lot of these features. I'm not actually quite sure how it works
and haven't used it personally, but it is probably worth looking into.
The other stuff on you list you can definitely accomplish except using LDAP
to change password when the password has expired or the user is in "password
must be changed at next logon" state. It just takes some work.
I don't necessarily see a problem with using AD for this, although there is
a good point to be made from a security standpoint of putting these users in
a separate forest and setting up a one-way trust. You might also be able to
use ADAM to store these users. That will depend on the application services
you need to provide for them.
Joe K.
"Nils Magnus Englund" <nils.magnus.englund@orkfin.no> wrote in message
news:%23OXPCKQ5EHA.2876@TK2MSFTNGP12.phx.gbl...
> Oh, that wasn't good news :(
>
> Do you think it's a good idea to do it like this, or perhaps I should find
> another method? I'm trying to avoid using any other storage medium than
> AD.
>
>
> Regards,
> Nils Magnus Englund
>
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:ecCz$WF5EHA.2676@TK2MSFTNGP12.phx.gbl...
>> This is going to be a lot of work if you plan to do this via LDAP.
>> You'll need a service account that can access the user account to read
>> all of their attributes and you'll need to learn how to determine all of
>> the various things that indicate these states. AD doesn't tell you why a
>> bind failed (due to lockout, disabled, expired, user must change
>> password, etc. vs. simple bad password), so you have to figure this out
>> for yourself.
>>
>> Joe K.
>>
>> "Nils Magnus Englund" <nils.magnus.englund@orkfin.no> wrote in message
>> news:eDXKeXC5EHA.1188@tk2msftngp13.phx.gbl...
>>> Hey!
>>>
>>> I've successfully followed Microsofts example on how to use Forms
>>> authentication with Active Directory (from the "Building Secure ASP.NET
>>> Applications" How To-section). However, I would very much like to use
>>> AD's password policy features, specifically:
>>>
>>> 1. I want the user to get a warning e.g. two weeks before his/hers
>>> password expires
>>>
>>> 2. I want the user to be able to change password (assuming the new
>>> password meets the requirements set by the password policy)
>>>
>>> 3. If the password has expired, I want the user to still be able to log
>>> in, but forced to change password in order to continue. (If this isn't
>>> possible with AD, I could set the expiration time to a year, and force
>>> the user to change password if there's less than 300 days left, in
>>> effect giving the user two months password expiration with another 300
>>> days before the user is disabled/blocked).
>>>
>>> Any ideas and/or suggestions? This will be used on a portal with several
>>> hundred customers, where all customers will be stored in a AD (in their
>>> own "External users" OU).
>>>
>>> Thanks!
>>>
>>>
>>> Regards,
>>> Nils Magnus Englund
>>>
>>
>>
>
>
- Previous message: Nils Magnus Englund: "Re: AD password policy in Forms auth against AD"
- In reply to: Nils Magnus Englund: "Re: AD password policy in Forms auth against AD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
