Re: Best Way to Change Password via the Web?
From: Chris Adams (IIS) (chrisad-msft_at_microsoft.com)
Date: 12/26/03
- Previous message: Steven L Umbach: "Re: Password protect a folder"
- In reply to: Rich Raffenetti: "Re: Best Way to Change Password via the Web?"
- Next in thread: Rich Raffenetti: "Re: Best Way to Change Password via the Web?"
- Reply: Rich Raffenetti: "Re: Best Way to Change Password via the Web?"
- Reply: Paul Lynch: "Re: Best Way to Change Password via the Web?"
Date: Thu, 25 Dec 2003 17:10:14 -0800
Hey ~
We recently released hotfixes for this functionality. If you have trouble
locating them, please post back. It is important that you download this
hotfix and install it.
Sorry, it is Christmas, don't have access to find the KB's for the hotfix...
HTH,
~Chris
IIS Supportability Lead
"Rich Raffenetti" <raffenetti@attbi.com> wrote in message
news:e$oWxIqyDHA.2064@TK2MSFTNGP10.phx.gbl...
> Recently MS replaced the original .htr files with new versions.
>
> We use the standard MS system (.htr files) to do password changes. The
> .htr files are just asp so we did some modifications on them as needed
> for our environment.
>
> I also wrote an asp page to allow admins of OU's with reset password
> permissions to do that from the web as well. The password admins have to
> login to that page with their credentials.
>
> I would steer away from a private authentication mechanism (your access
> database) to enable password changing. The MS mechanism works well and
> catches conditions. It allows a user to change an expired password as
> long as the old password is known.
>
> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...
> > We are a Microsoft shop here and we currently have two domains. Our
> > user base is spread across our old NT 4.0 domain and some accounts are
> > being migrated to our new Windows 2003 AD domain. I am needing to allow
> > our remote users who use OWA and other web services here that require
> > an NT login the ability to change their passwords when they expire.
> >
> > My plan is to set up an HTTPS site and allow users to change their NT
> > password across the secured site. I plan on using the IISAdmPwd .htr
> > files to actually perform the password changes. I will restrict access
> > to this site with a set of front page(s) that force users to perform an
> > initial login using their NT username and Employee ID that I have
> > recorded in an Access database. Users cannot bypass the initial login
> > because I set a session variable that is tracked on all pages within
> > this site. If users try to go directly to the .htr files they are
> > redirected back out to a warning that they are not logged in and their
> > access is monitored and logged for future prosecution. Once they
> > successfully log in using the check against my Access database they are
> > forwarded on to the IISAdmPwd login pages. I have it working in my test
> > lab but have yet to implement it for production. I am wondering if
> > there are any security issues with this approach? I am also open to
> > suggestions for better ways to do this using my setup or another way.
> > I chose to use .htr files because I have used them in the past
> > internally. I am also aware of the danger of being exploited by buffer
> > overflows and other known exploits of the .htr files.
> >
> >
> > Thanks,
> > Fred Yarbrough
> >
> >
>
>