
Free/Open-Source Self-Service Password Reset tool for Active Directory

Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...


Pre-requisites: The following assumptions have been made in this tutorial. Readers should have a basic working knowledge of Microsoft Active Directory, SQL Server and Visual Studio software.



Step 1: Create Active Directory Service Account


Create an Active Directory service account with password reset rights.

Details for this process and a custom Delegwiz.inf can be found in my previous article here



Step 2: Download Visual Studio Project


1) Download the provided source zip file by clicking this link (see below)



2) Extract and open the project in Visual Studio


 

Step 3: Create Database


Note: The basic steps for creating the database are listed below. Explaining MS SQL functionality is beyond the scope of this article, but I am happy to answer any questions in the comments section below.


1) From the Open Project in Visual Studio, open ModelSSPR.edmx

2) Right-click on white-space on the diagram page

3) Then select Generate Database from Model as shown below



4) Save the SQL script and use it on Microsoft SQL Server to build the database schema



5) Create an MS SQL user and grant it DB owner rights



Step 4: Modify Config File


1) From the open project in Visual Studio, open the project's web.config

2) Replace the ADConnectionString connection string with the Active Directory LDAP string for the domain used in the Create Active Directory Service Account (Step 1)

3) Replace the SSPREntities connection string with the connection string of the database used in the Create Database (Step 3)






4) Configure ADMembershipProvider to the account created in the Create Active Directory Service Account (Step 1)



5) Replace the appSettings values with the correct information for the domain and account used in the Create Active Directory Service Account (Step 1)
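The following web.config fragment is an added example of how the Step 4 values fit together; it is not the project's own file. The domain (corp.example), domain controller (dc01), SQL instance (sql01\SQLEXPRESS), database name (SSPR) and account names are assumptions, and the appSettings keys are not listed in this article, so that section is left out.

```xml
<!-- Added example for Step 4 (not the project's shipped web.config).
     Assumed values: domain corp.example, DC dc01, SQL sql01\SQLEXPRESS,
     database SSPR, service account CORP\svc-sspr, SQL login sspr_app. -->
<configuration>
  <connectionStrings>
    <!-- Step 4.2: LDAP path of the domain from Step 1. The value must begin
         with LDAP://; a bare host name or DN is rejected at startup with
         "The specified connection string does not represent a valid LDAP adspath".
         For LDAPS add the port: LDAP://dc01.corp.example:636/DC=corp,DC=example
         (the DC needs a server certificate the web server trusts). -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.corp.example/DC=corp,DC=example" />

    <!-- Step 4.3: Entity Framework string for the Step 3 database.
         data source = SQL server/instance, initial catalog = database name. -->
    <add name="SSPREntities"
         connectionString="metadata=res://*/ModelSSPR.csdl|res://*/ModelSSPR.ssdl|res://*/ModelSSPR.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=sql01\SQLEXPRESS;initial catalog=SSPR;persist security info=True;user id=sspr_app;password=PLACEHOLDER_SQL_PASSWORD;MultipleActiveResultSets=True;App=EntityFramework&quot;"
         providerName="System.Data.EntityClient" />
  </connectionStrings>

  <system.web>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <clear />
        <!-- Step 4.4: bind the provider to the Step 1 service account.
             attributeMapUsername="userPrincipalName" is why users must log in
             with a UPN. connectionProtection="Secure" makes the provider use
             SSL, or sign-and-seal if SSL is unavailable, so the service account
             credentials and password operations are not sent in clear text. -->
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             connectionStringName="ADConnectionString"
             connectionUsername="CORP\svc-sspr"
             connectionPassword="PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD"
             connectionProtection="Secure"
             attributeMapUsername="userPrincipalName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

After the values are filled in, the connectionStrings section can be encrypted in place on the web server with `aspnet_regiis -pe "connectionStrings" -app "/SSPR"` (virtual path assumed), so the SQL and service account passwords are not stored as plain text in the published file.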





Step 5: Publish Site

Please Note: Explaining Visual Studio publishing is beyond the scope of this article, but I am happy to answer any questions in the comments section below.


1) From the open project in Visual Studio

2) Publish site with the Visual Studio Publishing wizard




Step 6: Testing Site


Registering password hints


1) Browse to the site published in Publish Site (Step 5)

2) Click on Log in



3) Specify the Username and Password for the account to register for self-service password reset.


Note: Username must be in UPN format



4) Create password hints by adding questions and answers


Note: At least four hints need to be specified to utilize the self-service password reset function.




Self-Service Password Reset Request


1) Browse to the site published in the Publish Site (Step 5)


2) Click on Reset Password




3) Enter the Username for the account to reset the password for as shown below


Note: Username must be in UPN format



4) Enter answers to the security questions and provide new password


Note: Three random questions will be selected out of the hints configured


5) Click Reset Password



6) If the password was successfully reset, the following screen will display



I hope you found this tutorial useful. You are encouraged to ask questions, report any bugs or make any other comments about it below.


Note: If you need further "Support" about this topic, please consider using the Ask a Question feature of Experts Exchange. I monitor questions asked and would be pleased to provide any additional support required in questions asked in this manner, along with other EE experts...


Please do not forget to press the "Thumb's Up" button if you think this article was helpful and valuable for EE members.


It also provides me with positive feedback. Thank you!

41 Comments
LVL 7

Expert Comment

by:Naveen Sharma
Lepide Active Directory Self Service tool, free for 50 users:
https://www.lepide.com/active-directory-self-service/
0
LVL 60

Expert Comment

by:McKnife
@Naveen: What makes your payware better than this freeware?
0

Expert Comment

by:John Trussell
Hey Shaun,
I am extremely interested in getting this password reset tool setup for the school district I work for which supports about 2k users. I have a basic knowledge of ADUC and SQL but MS VS not so much. Is there any way I could get a more in depth step by step using these technologies. It would save the school district a lot of money and ease frustration across the board. Is Visual Studio free? Can you use SQL express? Basically, we are looking for a totally free solution. We have one AD domain that we support. Thanks!
0

LVL 44

Author Comment

by:Shaun Vermaak
Hi John

Thank you for the feedback

Is there any way I could get a more in-depth step by step using these technologies.
Happy to extend the article, let me know which steps

It would save the school district a lot of money and ease frustration across the board. Is Visual Studio free?
There is a community edition. If you struggle, I can add a compiled version which you would not need Visual Studio

Can you use SQL express?
Yes, the database is very small
0

Expert Comment

by:John Trussell
Shaun, I appreciate you working with me on this! I have downloaded the community version of VS and SQL express as those are both no charge. I also downloaded the source file from your link. I am having trouble locating the ModelSSPR.edmx to open with VS. Any point in the right direction is appreciated. A compiled version would be nice. Thanks again!
0
LVL 44

Author Comment

by:Shaun Vermaak
Here is the DDL. Run it in SQL after creating the database
-- --------------------------------------------------
-- Entity Designer DDL Script for SQL Server 2005, 2008, 2012 and Azure
-- --------------------------------------------------
-- Date Created: 02/13/2018 16:46:54
-- --------------------------------------------------

SET QUOTED_IDENTIFIER OFF;
GO
IF SCHEMA_ID(N'dbo') IS NULL EXECUTE(N'CREATE SCHEMA [dbo]');
GO

-- --------------------------------------------------
-- Dropping existing FOREIGN KEY constraints
-- --------------------------------------------------


-- --------------------------------------------------
-- Dropping existing tables
-- --------------------------------------------------

IF OBJECT_ID(N'[dbo].[Hints]', 'U') IS NOT NULL
    DROP TABLE [dbo].[Hints];
GO
IF OBJECT_ID(N'[dbo].[Questions]', 'U') IS NOT NULL
    DROP TABLE [dbo].[Questions];
GO

-- --------------------------------------------------
-- Creating all tables
-- --------------------------------------------------

-- Creating table 'Hints'
CREATE TABLE [dbo].[Hints] (
    [ID] int IDENTITY(1,1) NOT NULL,
    [UserName] varchar(50)  NOT NULL,
    [Question] varchar(max)  NOT NULL,
    [Answer] varchar(max)  NOT NULL
);
GO

-- Creating table 'Questions'
CREATE TABLE [dbo].[Questions] (
    [ID] int IDENTITY(1,1) NOT NULL,
    [Value] varchar(max)  NOT NULL
);
GO

-- --------------------------------------------------
-- Creating all PRIMARY KEY constraints
-- --------------------------------------------------

-- Creating primary key on [ID] in table 'Hints'
ALTER TABLE [dbo].[Hints]
ADD CONSTRAINT [PK_Hints]
    PRIMARY KEY CLUSTERED ([ID] ASC);
GO

-- Creating primary key on [ID] in table 'Questions'
ALTER TABLE [dbo].[Questions]
ADD CONSTRAINT [PK_Questions]
    PRIMARY KEY CLUSTERED ([ID] ASC);
GO

-- --------------------------------------------------
-- Creating all FOREIGN KEY constraints
-- --------------------------------------------------

-- --------------------------------------------------
-- Script has ended
-- --------------------------------------------------


0

Expert Comment

by:John Trussell
Thanks. Where is the "ModelSSPR.edmx" ? I cannot find it to open in VS in order to create a DB.
0
LVL 44

Author Comment

by:Shaun Vermaak
You can skip that step and use the DDL above
0

Expert Comment

by:Varun Singh
Hi Shaun

Thanks for creating above program as its really great.

I tried to configure and implement the same in my scenario, but I got stuck in the middle; maybe I missed something or configured it incorrectly.

So, I require your help to get this sorted. Below is the error that I am getting while implementing. Please look into this and give your comments.

Server Error in '/' Application.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: The specified connection string does not represent a valid LDAP adspath.

Source Error:


Line 43:       <providers>
Line 44:         <clear />
Line 45:         <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="userPrincipalName" connectionUsername="testuuser" connectionPassword="@XXXXXXX" />
Line 46:         <!--<add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="userPrincipalName" />-->
Line 47:       </providers>

Source File: C:\svermaak-self_service_password_reset-2edf4379b0e5\web.config    Line: 45

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.2558.0


Thanks in Advance.
0
LVL 44

Author Comment

by:Shaun Vermaak
Please send me the web.config
0

Expert Comment

by:Varun Singh
Hi Shaun

Send to you in mail (shaun.vermaak@ittelligence.com)

Please check and let me know if you required any other details.
0

Expert Comment

by:Burlen Baker
Hi Shaun,
       It appears that the following files are missing:

   <Compile Include="App_Start\AuthConfig.cs" />
    <Compile Include="App_Start\BundleConfig.cs" />
    <Compile Include="App_Start\FilterConfig.cs" />
    <Compile Include="App_Start\RouteConfig.cs" />
    <Compile Include="App_Start\WebApiConfig.cs" />
    <Compile Include="classEncryption64.cs" />
    <Compile Include="Controllers\AccountController.cs" />
    <Compile Include="Controllers\HintsController.cs" />
    <Compile Include="Controllers\HomeController.cs" />
    <Compile Include="Controllers\PasswordRequestsController.cs" />
    <Compile Include="Controllers\QuestionsController.cs" />
    <Compile Include="Filters\InitializeSimpleMembershipAttribute.cs" />
    <Compile Include="Global.asax.cs">

Can they be found outside the repository?
0
LVL 44

Author Comment

by:Shaun Vermaak
Please check again
0

Expert Comment

by:Steve Marchand
Hi Shaun,

First I'd just like to say thank you for sharing this!!

I am currently wrapping up the setup for the SSPR and I am just trying to do some basic testing while I am configuring an IIS server to host the website. I can right-click on the Project name "Self_Service_Password_Reset" and view the page in a browser. The page comes up in my default browser as localhost:56476 which is great!

I did notice that when I try to login to the page I am confronted with an error (see below) but if I click the back button it shows that I am logged in:

The system cannot find the file specified
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ComponentModel.Win32Exception: The system cannot find the file specified

Source Error:


Line 24:             string userName = Helpers.EncryptData(User.Identity.Name.Trim().ToUpper());
Line 25:
Line 26:             List<Hint> hints = db.Hints.Where(h => h.UserName == userName).ToList();
Line 27:             foreach (Hint hint in hints)
Line 28:             {

Source File: D:\Self Service Password Reset\Controllers\HintsController.cs    Line: 26


The only other issue I am having is that if I test resetting a password I get a similar error (see below):

The system cannot find the file specified
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ComponentModel.Win32Exception: The system cannot find the file specified

Source Error:


Line 41:             string encryptedUserName = Helpers.EncryptData(userName.Trim().ToUpper());
Line 42:
Line 43:             hints = db.Hints.Where(u => u.UserName == encryptedUserName).ToList();
Line 44:
Line 45:             if (hints.Count() < 4)

Source File: D:\Self Service Password Reset\Controllers\PasswordRequestsController.cs    Line: 43

Do i need to save the project files in a different directory or will this issue fix itself when the site is published?

Thanks again!!
0
LVL 44

Author Comment

by:Shaun Vermaak
Do those two files exist?
1

Expert Comment

by:Steve Marchand
Yes, I can find them in the directory listed in the error and they also show up in visual studio.
0
LVL 44

Author Comment

by:Shaun Vermaak
Is SQL setup with the database? Is it specified in the web.config?
1

Expert Comment

by:Steve Marchand
I installed SQL Express, created a new Database called "SSPR" gave it mixed-mode authentication for the SQL sa account, my domain admin account, and the service account I created to use for LDAP.

In Visual Studio I added the LDAP connection string to line 18 of the web.config file. On line 19 of the web.config file the only thing I did was add the username and password under
user id=;password=;

I wasn't sure if there was anything else on line 19 of the web.config file I should have changed but I think I am missing something that would tell web.config where to find the SQL Database.
0
LVL 44

Author Comment

by:Shaun Vermaak
See connection string for Express here
https://www.connectionstrings.com/sql-server/

also, did you run the SQL commands to create the tables etc.?
1

Expert Comment

by:Steve Marchand
I did the "Generate Database from Model" in Visual Studio as your directions say to do, then opened the modelSSPR.edmx.sql file in SQL and executed it. SQL said it was successful and I refreshed the database and saw tables were created.

Forgive me - the only experience I have with Visual Studio or any type of programming is from one intro course in college where we made simple stuff like "Hello World"

Looking at the link you sent - it looks like I would be using this string for .Net 4.5
Server=myServerName\myInstanceName;Database=myDataBase;User Id=myUsername;
Password=myPassword;



Currently this is what line 19 looks like for me (I just hide the user and password for sharing purposes):
<add name="SSPREntities" connectionString="metadata=res://*/ModelSSPR.csdl|res://*/ModelSSPR.ssdl|res://*/ModelSSPR.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=;initial catalog=;persist security info=True;user id=******;password=*****;MultipleActiveResultSets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />



Where would I add in the proper SQL Express connection string within line 19?

Thank you for all of your help!
0
LVL 44

Author Comment

by:Shaun Vermaak
Here
connection string=&quot;data source=;initial catalog=;persist security info=True;user id=******;password=*****;MultipleActiveResultSets=True;App=EntityFramework&quot;"
1

Expert Comment

by:Steve Marchand
Oh okay - now I see where I completely overlooked data source being the server name and catalog being the database name.

Thank you, Shaun!
0

Expert Comment

by:Steve Marchand
Hey Shaun,

So IIS has been a bear for a couple of days now and I am not sure what I am doing wrong. Leaving the web.config.xml as you wrote it from line 62-71 IIS gives me error 500.19 (see attached image) I cannot find anything in the web.config setting
overrideModeDefault="Deny"


overrideMode="Deny"


or
allowOverride="false"



I did find an "applicationhost.config file under C:\Users\%USERNAME%\Documents\IISExpress\Config\applicationhost.cong that did have the following code on line 69
<section name="handlers" overrideModeDefault="Deny" />



I changed it to

<section name="handlers" overrideModeDefault="Allow" />



Then IIS gave me an error on line 67 of the web.config file wanting a path

<add name="ExtensionlessUrlHandler-Integrated-4.0" />


 

so I changed it to a few variations with no luck

<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />



<add name="ExtensionlessUrlHandler-Integrated-4.0" path="/" verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />



<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*.xml" verb="PUT" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />



<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="PUT" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />



<add name="ExtensionlessUrlHandler-Integrated-4.0" path="/" verb="PUT" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />



I am not sure what else to try.... any ideas?
0
LVL 19

Expert Comment

by:Andrew Leniart
@Steve Marchand

Considered using the Ask a Question function of Experts Exchange? You might get some helpful replies from other experts there as well and it might even help the author out even more.

Just a suggestion.

Regards, Andrew
0
LVL 44

Author Comment

by:Shaun Vermaak
Hi Steve

Can you please publish and test from within IIS and not IISExpress?
0

Expert Comment

by:Steve Marchand
HI Shaun,

Sorry for the confusion - These errors are coming from IIS and not IIS Express, I was just unclear if the applicationhost.config file from IIS Express was causing any issues because that is where I found the strings matching the errors. Yet when I run the site in IIS Express from Visual Studio it works perfectly.

Here is my setup:
I have a new vm that I spun up running Windows Server 2016 Standard and installed the IIS role with default features. Once everything was installed I rebooted the server opened IIS Manager, stopped the "Default Web Site" so I could utilize http port 80 and created a new site called "Self-Service Password Reset with a binding to http:*:80:. Then I browsed to C:\inetpub\wwwroot\ and created a new folder called "SSPR Site". Before publishing to that site, I modified the NTFS permissions on the folder C:\inetpub\wwwroot\SSPR Site to allow full control for principal "IIS APPPOOL\SSPR Site". Once that was done I opened Visual Studio, right-clicked on Self_service_Password_Reset at the top of the Solution Explorer and clicked Publish. I created a new profile with a publish method of File System to target location C:\inetpub\wwwroot\SSPR Site, configuration: Release, and File Publish Options to "Delete all existing files prior to publish" and clicked publish. The output in Visual Studio shows me that the web app was published successfully "file:///C:/inetpub/wwwroot/SSPR%Site" with no errors.

From there I go back to IIS Manager select the Self-Service Password Reset site and click Browse Website, That is when I see errors. Also get errors when I try to look at the Handler Mappings in IIS.
0
LVL 44

Author Comment

by:Shaun Vermaak
What is line 64 of your web.config?
0
LVL 44

Author Comment

by:Shaun Vermaak
Sorry, I see in image
0
LVL 44

Author Comment

by:Shaun Vermaak
I have a new vm that I spun up running Windows Server 2016 Standard and installed the IIS role with default features.
I think this is your issue. You need to add .NET
0
LVL 19

Expert Comment

by:Andrew Leniart
@Steve

Why not "Ask a Question" for help with this issue?
1

Expert Comment

by:Steve Marchand
Hi Shaun,

.Net Framework 4.6 is installed as a feature with IIS but I do see that ASP .Net 4.6 is not installed so I will add that and try again as this is an ASP .NET site.

Line 64 shows as blank but this is line 62-71
<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />


<handlers>
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="Syetem.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersion4.0" responseBufferLimit="0" />
  <remove name="OPTIONSVerbHandler" />
  <remove name="TRACEVerbHandler" />
  <!--<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="Syetem.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersion4.0" />-->
</handlers></system.webServer>


0

Expert Comment

by:Chris Poore
I am having an issue trying to logon with a AD account.  I receive the following error on our webserver

Event code: 4006
Event message: Membership credential verification failed.
Event time: 23/05/2018 2:36:49 PM
Event time (UTC): 23/05/2018 5:06:49 AM
Event ID: ca0763162b734ed1a6d64d578ab71e91
Event sequence: 2
Event occurrence: 1
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/8/ROOT-3-131715256087374523
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\Websites\Selfservice\
    Machine name: WEBSERVER
 
Process information:
    Process ID: 2900
    Process name: w3wp.exe
    Account name: IIS APPPOOL\selfservice
 
Request information:
    Request URL: https://selfservice.****.sa.edu.au:443/Account/Login 
    Request path: /Account/Login
    User host address: 10.124.XX.XX
    User:  
    Is authenticated: False
    Authentication Type:  
    Thread account name: IIS APPPOOL\selfservice
 
Name to authenticate: temp1@domain.local
1

Expert Comment

by:Shivaram Venkatesh
Hi, this is an excellent solution. However I keep getting an error "This solution references Nuget Packages which are not installed". I installed all the Nuget packages, but I am not able to build the solution. Please help. I am using VS Community 2017.
0
LVL 44

Author Comment

by:Shaun Vermaak
I wonder if it might be because of VS Community edition... I will add/post a published version if that will help?
1
LVL 44

Author Comment

by:Shaun Vermaak
0

Expert Comment

by:Thiago Moraes
I need to unlock the account too. The password is changing but the account is locked.
0
LVL 44

Author Comment

by:Shaun Vermaak
I will add that. Will let you know
0
LVL 44

Author Comment

by:Shaun Vermaak
Added account unlock to the process
0
LVL 44

Author Comment

by:Shaun Vermaak
I changed the repo to include the solution file too, not just the project
0

Expert Comment

by:Carter Sema
Interested in trying this out. Any idea if it's possible to use 636 with a Secure LDAP Cert?
0
LVL 44

Author Comment

by:Shaun Vermaak
You can change the web.config to use secure LDAP.

You need a certificate for the website too so it is SSL
0
