Re: Changing domain user password

I wanted to allow a user to change their password to something else, so
maybe I've been confusing myself here. Our server is Win2K, and I was
changing the processModel section due to some info I found on the 'Net. I
can put it back to it's original form. Would you recommend upgrading to the
..NET framework 2.0 as well?

Basically, I'm looking for an example of allowing a user to hit the site,
enter their current password, and then enter a new one, using ASP.NET and
System.Directory services.

Sorry for the confusion, and thanks again for any help.
Harry

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23znXXqwBGHA.1144@xxxxxxxxxxxxxxxxxxxxxxx
>I thought you were doing password changes, not resets. There are actually
>important differences on how that is approached.
>
> It sounds like this is running on Win2K or XP, right? That's why you are
> editing the processModel section.
>
> It also looks like you are using the 1.0 version of the .NET Framework.
> Any reason for that? 1.1 or 2.0 would be preferred. The 1.0.3300.0
> version for System.DirectoryServices points to the 1.0 framework.
>
> If you have changed the process model account, there is no reason to also
> impersonate the same account in code. The process account will be running
> as the admin user. However, this is generally not considered a good
> practice, especially if other apps may be running on the same server as
> they will all run under this administrative account and have more
> privileges than they should.
>
> Can you also show the exact line where this is crashing? If they page
> displays, it seems like there should be some indication of what the
> problem was on the postback.
>
> Joe K.
>
> "Harry Devine" <hdevine@xxxxxxxxxxxxxxxx> wrote in message
> news:eZ8u$cvBGHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
>> I'm reasonably sure ASP.NET is working (the .aspx page that I'm putting
>> below comes up), but this is my first try at programming anything in it,
>> so take that for what it's worth. I'm including the code for the
>> reset.aspx file and web.config. The only change that I made to
>> machine.config was to change the username and password under the
>> processModel section to be my domain admin account (I found that
>> suggestion somewhere on the Web while researching the error).
>>
>> Thanks for any help,
>> Harry
>>
>> reset.aspx:
>> <%@ Assembly Name="System.DirectoryServices, Version=1.0.3300.0,
>> Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>
>> <%@ Assembly Name="Dunnry.Security" %>
>>
>> <%@ Import Namespace="System.DirectoryServices" %>
>> <%@ Import Namespace="Dunnry.Security" %>
>>
>> <HTML>
>> <script language="C#" runat="server">
>>
>> void Page_Load(Object Src, EventArgs E ) {
>> if(!Page.IsPostBack)
>> {
>>
>> }
>> }
>>
>> private void ResetPassword(object sender, EventArgs e)
>> {
>> //for impersonation
>> string username = "AdminUser";
>> string password = "adminpwd";
>> string domain = "domain";
>>
>> Impersonate i = new
>> Impersonate(LogonProvider.LOGON32_PROVIDER_WINNT50);
>> i.ImpersonateUser(username, domain, password);
>>
>> string ldapPath = LDAP://dc=mydomain,dc=com;
>> DirectoryEntry de = new DirectoryEntry(ldapPath);
>> de.AuthenticationType = AuthenticationTypes.Secure;
>> string qry =
>> String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))",
>> txtUsername.Text);
>>
>> DirectorySearcher ds = new DirectorySearcher(de,qry);
>> SearchResult sr = ds.FindOne();
>>
>> if(sr==null)
>> {
>> lblMessage.Text = "User not found";
>> return;
>> }
>>
>> try
>> {
>> DirectoryEntry user = sr.GetDirectoryEntry();
>> user.AuthenticationType = AuthenticationTypes.Secure;
>> user.Invoke("SetPassword", new object[]{txtPassword.Text});
>> lblMessage.Text = "Success <br>";
>> }
>> catch(Exception ex)
>> {
>> //throw ex;
>> lblMessage.Text = "Failure: " + ex.Message;
>> if(ex.InnerException != null)
>> lblMessage.Text += "<br>" + ex.InnerException.Message;
>> }
>> finally
>> {
>> de.Close();
>> i.UndoImpersonation();
>> }
>> }
>> </script>
>>
>> <body>
>> <form runat="server">
>> UserName: <asp:textbox id="txtUsername" runat="server"/><br>
>> New Password: <asp:textbox id="txtPassword" runat="server"/><br>
>> <asp:button id="btnReset" runat="server" Text="Reset"
>> OnClick="ResetPassword" /><br>
>> <asp:label id="lblMessage" runat="server"/><br><br>
>> I am running as: <%=Context.User.Identity.Name %><br>
>> My process is running as:
>> <%=System.Security.Principal.WindowsIdentity.GetCurrent().Name %>
>> </form>
>> </body>
>> </HTML>
>>
>>
>> web.config:
>>
>> <?xml version="1.0" encoding="utf-8" ?>
>> <configuration>
>> <system.web>
>> <compilation debug="true"/>
>> <authentication mode="Windows" />
>> <!--<authorization>
>> <deny users="?" />
>> </authorization>-->
>> </system.web>
>>
>> <!-- Secure the .aspx page using web.config
>> <location path="reset.aspx">
>> <system.web>
>> <authorization>
>> <allow roles="DOMAIN\AdminUser" />
>> <deny users="*" />
>> </authorization>
>> </system.web>
>> </location> -->
>> </configuration>
>>
>> processModel section of machine.config:
>> <processModel
>> enable="true"
>> timeout="Infinite"
>> idleTimeout="Infinite"
>> shutdownTimeout="0:00:05"
>> requestLimit="Infinite"
>> requestQueueLimit="5000"
>> restartQueueLimit="10"
>> memoryLimit="60"
>> webGarden="false"
>> cpuMask="0xffffffff"
>> userName="domain\adminuser"
>> password="adminpwd"
>> logLevel="Errors"
>> clientConnectedCheck="0:00:05"
>> comAuthenticationLevel="Connect"
>> comImpersonationLevel="Impersonate"
>> responseDeadlockInterval="00:03:00"
>> maxWorkerThreads="20"
>> maxIoThreads="20"
>> />
>>
>>
>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
>> wrote in message news:e%235SZFnBGHA.1864@xxxxxxxxxxxxxxxxxxxxxxx
>>> The crux of doing this in a web page is simply to create a
>>> DirectoryEntry object that is bound to the user's object in AD and
>>> invoking the ChangePassword ADSI method. Impersonation may or may not
>>> be needed as you need to prompt for the old password anyway, so it
>>> doesn't really hurt to simply use those credentials in your
>>> DirectoryEntry constructor.
>>>
>>> The error you are getting sounds like it is unrelated to an
>>> DirectoryServices programming stuff though. Are you sure ASP.NET is
>>> working in general?
>>>
>>> Note also that Ryan and I have book coming out that covers this stuff in
>>> detail, but it won't be available for a few more months now.
>>>
>>> Posting an example of the code you are using would be a great start.
>>>
>>> Joe K.
>>>
>>> "Harry Devine" <hdevine@xxxxxxxxxxxxxxxx> wrote in message
>>> news:%23FysvCmBGHA.1008@xxxxxxxxxxxxxxxxxxxxxxx
>>>> I've been searching around for an answer to this question, but haven't
>>>> gotten too far. I'm fairly new to ASP.NET, so I'm not sure how to
>>>> setup machine.config and web.config properly.
>>>>
>>>> What I want to be able to do is allow a domain user to change their
>>>> password in the AD via a webpage. We have several users with domain
>>>> accounts, but they do not actually login to our domain as they are
>>>> spread out all over the country. I have a VBS script that notifies
>>>> them when their password is due to expire, starting 10 days out.
>>>>
>>>> Since these users are not local to where my domain controller resides,
>>>> they have to call me or email me to have their password reset. I found
>>>> an example written by Ryan Dunn using an Impersonate function that he
>>>> wrote (www.dunnry.com), but I keep getting an error stating: "Parser
>>>> Error Message: The XML file
>>>> c:\winnt\microsoft.net\framework\v1.1.4322\Config\machine.config could
>>>> not be loaded. Either a required impersonation level was not provided,
>>>> or the provided impersonation level is invalid. "
>>>>
>>>> This seems like, to me, a fundamental type of function to do, but info
>>>> on how to do it is all over the place. Does anyone have any good ideas
>>>> or steps on how to accomplish this?
>>>>
>>>> Thanks for any help,
>>>> Harry
>>>>
>>>
>>>
>>
>>
>
>


.

Relevant Pages

  • Re: Why does my asp.net application now get "Server Application Unavailable"
    ... Server Application Unavailable ... This error can be caused when the worker process account has ... ..NET Framework is correctly installed and that the ACLs on the installation ... supplied in the processModel section of the config file are invalid. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Impersonate User asp.net
    ... I've changed the processModel in the machine.config file to the user ... I'm trying to impersonate. ... different domain, to the web server. ... >> my web.config file and I output the anonymous account that it is being ...
    (microsoft.public.dotnet.security)
  • Re: aspnet user cannot access remote files
    ... you can't use the <impersonation> setting that specifies ... Switching to SYSTEM in your processModel may also get rid of the requirement ... server should be able to trust the web server's computer account. ... able to impersonate the logged-on user and get to the file server. ...
    (microsoft.public.dotnet.security)
  • Re: Changing domain user password
    ... editing the processModel section. ... If you have changed the process model account, there is no reason to also ... > DirectoryEntry de = new DirectoryEntry; ... Impersonation may or may not be needed as ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Server Application Unavailable
    ... password supplied in the processModel section of the config file ... directory allow access to the configured account. ... You can find the application pool in the properties of the website and/or virtual directory that contains the site you're trying to get to run. ... Read/write rights in the ASP.NET Temporary Files under the framework directory ...
    (microsoft.public.dotnet.framework.aspnet)