Re: IISADMPWD solution for AD expired password ?

You will need an alternate auth method for your self-service pwd reset if
you need self-service pwd reset. You would likely need this because you
want to allow users to reset their pwd after it expires or if they forget
it. Self-service here prevents a help desk call and saves money.

If you can change your policy to allow users to log on with expired
passwords, then you don't need this solution for the first reason. You
might still want it for the second reason though. Also, I'm not sure how to
actually allow users to log in with expired passwords. I'm guessing that
this is possible since one of the other MVPs mentioned it, but I'm not
familiar with that setting. It is also a question as to whether you want to
allow that to happen, even if it is a valid option.

You don't necessarily need 2 factor auth for self service pwd reset. You
just need an alternate way to authenticate your users. 2 factor is usually
better since it is considered stronger than password alone. The normal
approach is to use challenge/response questions. However, most security
professionals consider those to be weaker than passwords, so there is a
question as to whether you want to allow your self-service pwd reset
app to use a weaker auth mechanism.

My experience is that most orgs don't have 2 factor auth and would rather
save the money on help desk calls for password resets, so they make the
sacrifice on security. It is a little sad, but not surprising. The risk
associated with the weaker security is hard to quantify whereas help desk
calls are generally quite easy.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.731a7d7c46078493.70874@xxxxxxxxxxxxxxxxxxxxx
Thank you.

I am glad to hear that I am using the right method for my needs.

I have found sample code on an msdn blog about the queries to find
expiring passwords (but I will not forget to see what your book proposes
too :))

If I have understood well what you said, it is not possible for a user to
change his password if it expired? (because you said you develop a two
factor auth for that need).

What I don't really like in "my" solution is that users will connect to
the IISADMPWD on a DMZ zone. So I will need to allow network access from
the IIS server in the DMZ to a DC in our LAN :-(

Thank you Joe :)

We do something very similar internally for users that are not domain
joined and don't get the standard password expiration notification. We
send out an email and direct them to a website that allows pwd change.
We use custom functionality instead of IISADMPWD, but the basics are
similar.

This is for password change though, not for self service password reset.
Those are different use cases. If the user needs a password reset due to
expiration or simply a forgotten pwd, then we send them to a different
site. This site authenticates them using either two factor auth (SecurID
token) or via challenge/response questions and then uses a privileged
service account to perform the password reset like an administrator
would.

We find we need both solutions.

There is also a sample in ch 10 of my book that shows some examples of
executing queries to find expiring passwords in certain date ranges.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
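An added example (my own code, not from this thread or from the book's chapter 10 sample) of the expiring-password query logic discussed above: it derives each account's expiry from pwdLastSet and the domain's maxPwdAge, honours the "Password never expires" flag Pascal mentions, and lists who should get the one-week warning e-mail. Attribute names follow the AD schema; the account records, dates and the 90-day policy are constructed, and a real run would read them via an LDAP search.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: "Password never expires"


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_status(account: dict, max_pwd_age: int, now: datetime, warn_days: int) -> tuple:
    """Classify one account as (status, days_left).

    max_pwd_age is the domain root's maxPwdAge, stored as a NEGATIVE
    100-ns interval; 0 means the domain never expires passwords.
    days_left is None when the password has no expiry date."""
    if account["userAccountControl"] & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return ("never_expires", None)
    if account["pwdLastSet"] == 0:
        return ("must_change", None)  # user must change password at next logon
    expires = filetime_to_datetime(account["pwdLastSet"]) + timedelta(microseconds=-max_pwd_age // 10)
    days_left = (expires - now).days
    if expires <= now:
        return ("expired", days_left)
    if expires <= now + timedelta(days=warn_days):
        return ("expiring", days_left)
    return ("ok", days_left)


def accounts_to_notify(accounts, max_pwd_age, now, warn_days=7):
    """sAMAccountNames to e-mail: expiring within warn_days or already expired."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if password_status(a, max_pwd_age, now, warn_days)[0] in ("expiring", "expired"))


# Constructed sample data (not real directory output); 90-day maximum password age.
MAX_PWD_AGE_90_DAYS = -90 * 24 * 3600 * 10_000_000
NOW = datetime(2007, 1, 15, tzinfo=timezone.utc)
_utc = lambda y, m, d: datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "pwdLastSet": _utc(2006, 10, 20)},
    {"sAMAccountName": "bob", "userAccountControl": 0x200, "pwdLastSet": _utc(2006, 12, 1)},
    {"sAMAccountName": "intl1", "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD, "pwdLastSet": _utc(2006, 1, 1)},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"sAMAccountName": "dave", "userAccountControl": 0x200, "pwdLastSet": _utc(2006, 9, 1)},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], password_status(acct, MAX_PWD_AGE_90_DAYS, NOW, 7))
    print("notify:", accounts_to_notify(SAMPLE_ACCOUNTS, MAX_PWD_AGE_90_DAYS, NOW))
```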
--
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.6bbe7d7c88194d34.70874@xxxxxxxxxxxxxxxxxxxxx
Thank you Joe for that information.
I would really appreciate it if you could give me your point of view about this
situation (and if you can confirm that I have "the right solution").

We have an Active Directory domain with a web server hosting a web
application used by internal users and International users. Those
International users are connecting from various locations (no ADFS
possible).

International users have accounts in our AD BUT they never open a
session in this domain. (They are just using this login/password for
accessing some resources in our Active Directory.)
Actually, we have to set the "Password never expires" option on each
International user's account because of the password policy in use in our
domain.

We want to find a way to let International users reset their
passwords every 90 days remotely.

For that, we want to send them an email 1 week before the expiration
date of the password.
Then, the users will have to connect to an IIS website with iisadmpwd
installed (through HTTPS and a commercial certificate).
They will then be able to change their passwords.

Do you think it is a good method?

Thank you again for sharing your knowledge Joe :)

Regards


-- Pascal