Re: Best Way to Change Password via the Web?

From: Fred Yarbrough (fyarbrou_at_yahoo.com)
Date: 12/26/03 

Date: Fri, 26 Dec 2003 13:18:04 -0600

Rich,
    Thanks for the feedback. You stated that I should steer away from the
private authentication mechanism. I agree to an extent. My intent is not
to develop something that is already there in the .htr functionality. My
reasoning for implementing this Access database front end authentication was
to keep just anyone from hitting the Password Changing site. It basically
acts as a filter to prevent just any ole Internet user from playing with our
Password changing site. Since all of our employees know their username and
employee ID, it simply adds an additional hoop that the bad guys would have
to jump through to exploit the system.

    Also, I have noticed that pages that currently work on my Windows 2000
server IIS 5.0 do not work with my Windows 2003 server IIS 6.0. When I
submit the aexp.htr file I get the following message:

____________________________________________________________________________
________________
      Internet Service Manager
      for Internet Information Server 6.0

Your password has expired.

A secure channel ( SSL or PCT ) is necessary in order to change a password.

SSL/PCT is not installed/enabled on your system, please install it to enable
this functionality.

Access default document or select another document.

____________________________________________________________________________
_______________

I am running and requiring SSL on all of the sites pages. I don't
understand why this message comes up. From looking at the aexp.htr source
code it appears that the variable HTTP_CFG_ENC_CAPS is not set to one.
Where is the variable in the registry and/or is this the problem that I am
running into?

____________________________________________________________________________
_______________
<snip>
'W3CRYPTCAPABLE corresponds to HTTP_CFG_ENC_CAPS.
'Tells us that the server if SecureBindings are set
if Request.ServerVariables("HTTP_CFG_ENC_CAPS") <> 1 then%>
 <%=L_PasswordExpired_Text%>.<p>
 <%=L_SSL1_Text%>.<p>
 <%=L_SSL2_Text%>.<p>
 <a
href="http://<%=Server.HTMLEncode(Request.ServerVariables("Server_Name"))%>/
"><%=L_DefDoc_Text%></a> <%=L_OrOther_Text%>.
 <%Response.End%>
<%end if%>
<snip>
____________________________________________________________________________
_______________

Thanks,
Fred Yarbrough

"Rich Raffenetti" <raffenetti@attbi.com> wrote in message
news:eJPFOM3yDHA.1356@TK2MSFTNGP10.phx.gbl...
> Please post the numbers and source when you get a chance. Thanks.
>
> Also, is there a document describing this functionality?
>
> "Chris Adams (IIS)" <chrisad-msft@microsoft.com> wrote in message
> news:%23m7LG00yDHA.1736@TK2MSFTNGP09.phx.gbl...
> > Hey ~
> >
> > We recently released hotfixes for this functionality. If you have
trouble
> > locating them, please post back. It is important that you download this
> > hotfix and install it.
> >
> > Sorry, it is Christmas, don't have access to find the KB's for the
> hotfix...
> >
> > HTH,
> > ~Chris
> > IIS Supportability Lead
> >
> >
> > "Rich Raffenetti" <raffenetti@attbi.com> wrote in message
> > news:e$oWxIqyDHA.2064@TK2MSFTNGP10.phx.gbl...
> > > Recently MS replaced the original .htr files with new versions.
> > >
> > > We use the standard MS system (.htr files) to do password changes.
The
> > .htr
> > > files are just asp so we did some modifications on them as needed for
> our
> > > environment.
> > >
> > > I also wrote an asp page to allow admins of OU's with reset password
> > > permissions to do that from the web as well. The password admins have
> to
> > > login to that page with their credentials.
> > >
> > > I would steer away from a private authentication mechanism (your
access
> > > database) to enable password changing. The MS mechanism works well
and
> > > catches conditions. It allows a user to change an expired password as
> > long
> > > as the old password is known.
> > >
> > > "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> > > news:uIsFH$lyDHA.1364@TK2MSFTNGP10.phx.gbl...
> > > > We are a Microsoft shop here and we currently have two domains. Our
> > user
> > > > base is spread across our old NT 4.0 domain and some account are
being
> > > > migrated to our new Windows 2003 AD domain. I am needing to allow
our
> > > > remote users who use OWA and other web services here that require a
NT
> > > login
> > > > the ability to change their passwords when they expire.
> > > >
> > > > My plan is to setup an HTTPS site and allow users to change their NT
> > > > password across the secured site. I plan on using the IISAdmPwd
.htr
> > > files
> > > > to actually perform the password changes. I will restrict access to
> > this
> > > > site with a set of front page(s) that force users to perform an
> initial
> > > > login using their NT username and Employee ID that I have recorded
in
> an
> > > > Access database. Users cannot bypass the initial login because I
set
> a
> > > > session variable that is tracked on all pages within this site. If
> > users
> > > > try to go directly to the .htr files they are redirected back out to
a
> > > > warning that they are not logged in and their access is monitored
and
> > > logged
> > > > for future prosecution. Once they successfully login using the
check
> > > > against my Access database they are forwarded on to the IISAdmPwd
> login
> > > > pages. I have it working in my test lab but have yet to implement
it
> > for
> > > > production. I am wondering if there are any security issues with
this
> > > > approach? I am also open to suggestions for better ways to do this
> > using
> > > my
> > > > setup or another way. I chose to use .htr files because I have used
> > them
> > > in
> > > > the past internally. I am also aware of the danger of being
exploited
> > by
> > > > buffer overflows and other known exploits of the .htr files.
> > > >
> > > >
> > > > Thanks,
> > > > Fred Yarbrough
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: Best Way to Change Password via the Web?
    ... private authentication mechanism. ... to develop something that is already there in the .htr functionality. ... to keep just anyone from hitting the Password Changing site. ... SSL/PCT is not installed/enabled on your system, ...
    (microsoft.public.windows.server.security)
  • Re: Best Way to Change Password via the Web?
    ... private authentication mechanism. ... to develop something that is already there in the .htr functionality. ... to keep just anyone from hitting the Password Changing site. ... SSL/PCT is not installed/enabled on your system, ...
    (microsoft.public.inetserver.iis.security)