Re: IISADMPWD solution for AD expired password ?



Hi Joe,

Your answer is again really interesting, thank you!

I have found some sample code here: http://support.microsoft.com/kb/269190

But you said that users must have the right to authenticate with an expired password.
Do you see a security issue with this right?

(Indeed, a user with an expired password cannot authenticate anymore, but a warning message tells him to change his password, right? So in the end I don't see a security risk in using this right, but perhaps I am wrong :))

Thank you Joe


You can use LDAP to change passwords. The code would depend on the programming language you want to write this in. There are many options.

Note that you still can't use this to get around the issue with expired passwords unless the user can authenticate with an expired password.

LDAP password changes require encryption, so be aware of that. It is possible to use either Windows built-in encryption with SPNEGO auth (on 2003 or higher DCs and XP or higher clients) or use SSL. However, ADSI will only use SSL, so if you want to use an ADSI-based solution, you'll need SSL on your DCs.

If you are a .NET programmer, we cover this in gory detail in ch 10 of our book (see link in my signature).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
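As an added illustration of the LDAP approach Joe describes above (not code from the thread or from KB 269190): the modify request for a user changing their own password, written out as LDIF that can be fed to ldapmodify over LDAPS. The DC name and user DN are placeholders; the unicodePwd encoding rules (quoted, UTF-16LE) follow the KB article Pascal linked.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    # AD expects the password wrapped in double quotes and encoded UTF-16LE.
    return f'"{password}"'.encode("utf-16-le")


def self_change_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    # A user changing their own password sends a delete of the old value and
    # an add of the new value in one modify. The user must bind first, which
    # is why an expired password blocks this unless policy allows the logon.
    old_b64 = base64.b64encode(encode_unicode_pwd(old_password)).decode("ascii")
    new_b64 = base64.b64encode(encode_unicode_pwd(new_password)).decode("ascii")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {old_b64}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {new_b64}",
        "-",
        "",
    ])


def is_ldaps_url(url: str) -> bool:
    # AD refuses unicodePwd changes on a cleartext connection; check the
    # scheme up front instead of letting the DC reject the modify after bind.
    return url.lower().startswith("ldaps://")


if __name__ == "__main__":
    # Placeholder DC and DN, constructed for this example.
    dc_url = "ldaps://dc01.example.com:636"
    if not is_ldaps_url(dc_url):
        raise SystemExit("password changes need LDAPS")
    print(self_change_ldif("CN=Pascal,OU=Users,DC=example,DC=com", "OldP@ss1", "NewP@ss2"))
```

The printed LDIF is what `ldapmodify -H ldaps://dc01.example.com -D <user DN> -W -f change.ldif` would send; binding as the user (not an admin) is what makes this a self-service change rather than a reset.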
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.5aca7d7c5c4c9577.70874@xxxxxxxxxxxxxxxxxxxxx
Nobody? :)

Third question then! :D

3. Another solution could be to change the password through an LDAP v3 request, no? (from the Web server to a specific DC)
If you confirm that it is possible, do you have sample code for this kind of solution please?

Thank you


Hi Svyatoslav,

Thank you for your answer.

1. About this, could you tell me which policy allows logging on with expired passwords please?
2. I will try it if nobody can give me the information before :D

Does anyone have feedback about the IIS reset passwords solution?

Thank you

1. You can set policy to allow logging on with expired passwords to change the password; otherwise indeed you need anonymous access.
2. Interesting question. I'm sure kpasswd is not used, which leaves us with RPC - maybe encrypted in SMB. Capture traffic when changing the password on your workstation to find out - IIS will be the same. And as secure.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.3bde7d7c47bb89f8.70874@xxxxxxxxxxxxxxxxxxxxx
Hi,

We would like to be able to let users modify their password through IIS (for example).

Indeed, those users are connecting to an IIS server (in the US) from another country (Italy), but with credentials stored on a local DC (so a DC in the US).

Every user has an account on the DC in the US, but the security policy states that the password has a maximum lifetime of 90 days.

The idea is to let them reset their password through IIS (and so IISADMPWD).

I have two questions:

1. What happens if they don't change their passwords before they expire? (Do I need to leave IISADMPWD with anonymous access then?)
2. What protocol is used when the password is modified from IIS to the DC? (Of course I will use HTTPS from the client to IIS.)

Thank you

-- Pascal






