Re: IISADMPWD solution for AD expired password ?
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 12 Dec 2007 09:48:20 -0600
Interactive logon works differently than remote auth via LDAP. Interactive
logon will allow you to change passwords during the logon process and such.
You can't do that with LDAP. It either works or it doesn't.
Normally, organizations implement some sort of self-service password reset
capability for users whose passwords are expired or users who have forgotten
their passwords. You are often challenged with verification questions,
although the better companies will use two factor auth like smart card to
allow this operation.
There are a variety of products out there that provide self-service pwd
reset capabilities.
The code sample you found shows how to do an LDAP pwd change using the LDAP API
and C. This is doable, but it is probably the most difficult approach to use
programmatically. You might want to consider .NET if you want to implement
this in a web page. Ch 10 of my book has samples which you can download
from my site.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.63e57d7cdf69a1f1.70874@xxxxxxxxxxxxxxxxxxxxx
Hi Joe,
your answer is again really interesting, thank you!
I have found a sample code here: http://support.microsoft.com/kb/269190
But you said that users must have the right to authenticate with an
expired password.
Do you see a security issue with this right?
(Indeed, a user with an expired password cannot authenticate anymore, but a
warning message tells him to change his password, right? So finally I
don't see a security risk in using this right, but perhaps I am wrong :))
Thank you Joe
You can use LDAP to change passwords. The code would depend on the
programming language you want to write this in. There are many options.
Note that you still can't use this to get around the issue with expired
passwords unless the user can authenticate with an expired password.
LDAP password changes require encryption, so be aware of that. It is
possible to use either Windows built in encryption with SPNEGO auth (on
2003 or higher DCs and XP or higher clients) or use SSL. However, ADSI
will only use SSL, so if you want to use an ADSI-based solution, you'll
need SSL on your DCs.
If you are a .NET programmer, we cover this in gory detail in ch 10 of
our book (see link in my signature).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.5aca7d7c5c4c9577.70874@xxxxxxxxxxxxxxxxxxxxx
Nobody? :)
So, a third question! :D
3. Another solution could be to change the password through an LDAP v3
request, no? (from the Web server to a specific DC)
If you confirm that it is possible, do you have a sample code for this
kind of solution please?
Thank you
Hi Svyatoslav,
thank you for your answer.
1. About this, could you tell me which policy allows logging on with
expired passwords please?
2. I will try that if nobody can give me the information before :D
Does someone have feedback about the IIS reset passwords solution?
Thank you
1. You can set policy to allow logging on with expired passwords to
change the password; otherwise indeed you need anonymous access.
2. Interesting question. I'm sure kpassword is not used, which leaves
us with RPC - maybe encrypted in SMB. Capture traffic when changing the
password on your workstation to find out - IIS will be the same. And as
secure.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.3bde7d7c47bb89f8.70874@xxxxxxxxxxxxxxxxxxxxx
Hi,
we would like to be able to let users modify their password
through IIS (for example).
Indeed, those users are connecting to an IIS server (in the US) from
another country (Italy) but with credentials stored on a local DC (a DC
in the US, then).
Every user has an account on the DC in the US, but the security policy
states that the password has a maximum lifetime of 90 days.
The idea is to let them reset their password through IIS (and
IISADMPWD, then).
I have two questions:
1. What happens if they didn't change their passwords before they
expired? (Do I need to leave IISADMPWD with anonymous access, then?)
2. What protocol is used when the password is modified from the IIS
to the DC? (of course I will use HTTPS from the client to the IIS).
Thank you
-- Pascal
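Joe's point about LDAP password changes (the AD unicodePwd attribute, the encryption requirement, and the KB 269190 format) as an added example; this is my own code, not code from the thread or from Joe's book, and the `LdapSession` class is an assumed stand-in for a real connection object so the script runs offline.

```python
"""Build an AD self-service password *change* (not an admin reset) over LDAP.

Active Directory exposes the password as the write-only attribute unicodePwd.
A user changing their own password sends one LDAP Modify with two changes:
delete the old value, then add the new one. Each value is the password wrapped
in double quotes and encoded as UTF-16-LE. The DC rejects the operation unless
the session is encrypted (LDAPS, or a SASL/SPNEGO bind that negotiated sealing).
"""
from dataclasses import dataclass

UNICODE_PWD = "unicodePwd"
MOD_DELETE, MOD_ADD = "delete", "add"   # LDAP Modify operation types


@dataclass
class LdapSession:
    """Assumed stand-in for a real LDAP connection (ldap3, python-ldap, ...)."""
    server: str
    tls: bool              # True for LDAPS or after a successful StartTLS
    sealed: bool = False   # True when the SASL bind negotiated sealing


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the quoted password as UTF-16-LE, no BOM, no terminator."""
    return f'"{password}"'.encode("utf-16-le")


def build_change_modlist(old_password: str, new_password: str) -> list:
    """Delete-old plus add-new in one Modify is a user-initiated change, which
    AD validates against the old password. A single 'replace' of unicodePwd is
    an administrative reset and needs the Reset Password right instead."""
    return [
        (MOD_DELETE, UNICODE_PWD, [encode_unicode_pwd(old_password)]),
        (MOD_ADD, UNICODE_PWD, [encode_unicode_pwd(new_password)]),
    ]


def change_password(session: LdapSession, user_dn: str,
                    old_password: str, new_password: str) -> list:
    """Refuse to build the request over a cleartext session; otherwise return
    the modlist a real client would pass to its Modify call for user_dn."""
    if not (session.tls or session.sealed):
        raise RuntimeError(
            f"refusing unicodePwd modify to {session.server}: session not encrypted")
    if not user_dn:
        raise ValueError("user DN required")
    return build_change_modlist(old_password, new_password)
```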