Solved

howto: setup ability for users to change their passwords via IIS without using HTR scripts?

Posted on 2008-06-20
Last Modified: 2013-12-05
Hello Experts,

I am working with an IIS 5.0 web server that has the capability of allowing our users to change their passwords. This current capability relies on htr scripts, which I have since learned are not very secure.

My question is, can someone point me to an alternative that will work on the win2k/iis5 platform?

Thanks in advance for any help.
Question by:MrBeebs
12 Comments
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 21836518
There is no secure way to do this.  It's very high risk.  Web servers were built to run in a sandbox and prevent web users from direct access to the system or network.  You have to lower security for this functionality to work.
 
LVL 7

Expert Comment

by:Dauhee
ID: 21837790
where are the passwords stored? database, active directory, file?

If you show the htr code it will be possible to do a secure password change but will need to use SSL
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 21838030
I don't know where the passwords are stored.  I assumed you were changing the passwords for Windows accounts which you CANNOT access.

SSL will only secure traffic between the server and the client.  It will NOT protect the server.

By default a web application has NO access to the network or host operating system.  In order to allow users to change Windows passwords you have to lower security and therefore expose the server to the risk of being penetrated.
 
LVL 7

Expert Comment

by:Dauhee
ID: 21838148
Hi tedbilly, I was asking MrBeebs where the passwords are stored, obviously you don't know that.

I never said SSL would secure the server - that is outside the scope of this post. It is essential however for transmitting passwords.

We find out where the passwords are stored before comment can be given.

P.S.
"In order to allow users to change Windows passwords you have to lower security" - is totally incorrect. Have a look at a recent post of mine:
http://www.experts-exchange.com/Microsoft/Development/.NET/Q_23502025.html
You can try to pick holes in it if you want :), like if the server was compromised and a malicious exe was peeking at memory, but then could just use SecureString, and the server is compromised anyway so what's the point . . .
 

Author Comment

by:MrBeebs
ID: 21839010
Hi everyone,

Just a follow-up post. The HTR script is a pre-canned one from MS. Yes, I know it has some "holes", but it was working before. The script consists of two parts. The one which I posted the rendering of is called pwdchg.htr, which does not contain much except the AD Domain name. It uses the WinNT Provider to communicate to the DC. Once the user enters their info, the script pushes the results to another file called achg.htr. This does its magic, again using the WinNT provider. There is a text file that is referenced which contains error message codes that are referenced by the 2nd script.

It's a strange problem, and the trigger is that I changed the domain name variable, as I wanted the site to authenticate users to a new AD Domain. And yes, the server hosting these files is a domain member of the AD Domain.

I am not sure what security settings the WinNT Provider needs, but that may be a factor.
 
LVL 7

Expert Comment

by:Dauhee
ID: 21840459
Cool - so you are changing AD user passwords. So is IIS configured to be anonymous - users will have to supply their username + password. Or if not anonymous, the user's logged-on account can be obtained from their PC - this will tighten things down a little further security-wise but is not essential.

MrBeebs - we won't be able to develop a fully working solution but can aid with the foundation. What is your preference for scripting - vbscript or javascript? Just my own preference for this stuff is vbscript.

Typically to change a password it would be:

' Binds with the credentials of the calling process (the IIS account); SetPassword is an
' administrative reset that does not need the old password, so that account needs reset rights.
Set objUser = GetObject("LDAP://cn=KenMyer,ou=Finance,dc=fabrikam,dc=com")
objUser.SetPassword("i5A2sj*!")

obtained from:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1015.mspx
 

Author Comment

by:MrBeebs
ID: 21840496
Hi Dauhee,

Yes. IIS is configured to be anonymous and is using a local account on the member server. Thank you for your help. I would prefer vbscript.

I should add more background. The IIS site was working fine up to the point when I changed the AD Domain name in the script. This is because it was the final task in migrating users and computers into a new AD Domain. So the break may be caused by the new domain controller, which is likely operating under a higher level of security than the old one.

After changing the domain name in the scripts, I was and am getting:
"specified user or domain does not exist"

So switching to LDAP from WINNT may be the trick.
 
LVL 7

Accepted Solution

by:
Dauhee earned 500 total points
ID: 21841753
I would see the following options then:

1) Turn off anonymous access (for the relevant web page at least) so the asp script will have privileges of the logged-in user to change the password
2) Leave anonymous on but change from iusr_XXX to a domain account that has as little access as possible but can change users' passwords
3) Temporarily elevate privileges in your script like something I suggested in http://www.experts-exchange.com/Microsoft/Development/.NET/Q_23502025.html

If you choose 3, hopefully .NET will be an option for you?
 

Author Comment

by:MrBeebs
ID: 21845827
Hi Dauhee,

Thanks. I will try option 2 first. If it is of any use, attached are the 2 scripts that I am using. They are both in a word doc, with the first script supplying data to the second. Perhaps this might help.
Scripts.doc
 
LVL 7

Expert Comment

by:Dauhee
ID: 21845954
Thanks MrBeebs.

If that doesn't work, I would be interested if you debugged out (response.write) the relevant values that are used in your code below:

' Bind to the WinNT provider, then open the user object with the user's own credentials
' (the trailing 1 is ADS_SECURE_AUTHENTICATION) and let the DC validate the old password
set root = GetObject("WinNT:")
set pUser = root.OpenDSObject("WinNT://" & domain & "/" & username & ",user", username, Request.Form("old"), 1)
' ChangePassword needs the old password; unlike SetPassword it works without reset rights
pUser.ChangePassword Request.Form("old"), Request.Form("new")

and then run the script as a .vbs file on the server desktop (with decoded values)

Best of luck!
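As an added example (not code from the thread), here is how the accepted answer's "least access" idea and Dauhee's WinNT snippet above fit together in one ASP page: it binds as the user with the old password and calls ChangePassword, so the IIS anonymous account needs no reset rights; the DOMAIN_NAME value and the form field names user/old/new are assumptions.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit
' Added example, not code from the thread. Binds to AD as the user with the OLD
' password, so the IIS anonymous account needs no password-reset rights.
Const DOMAIN_NAME = "YOURDOMAIN"      ' placeholder: NetBIOS name of the AD domain
Const ADS_SECURE_AUTHENTICATION = 1   ' the "1" passed to OpenDSObject in the thread
Function ValidUser(s)
    ' sAMAccountName characters only; rejects "/" so the WinNT path cannot be altered
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    ValidUser = re.Test(s)
End Function
Function TryChangePassword(user, oldPw, newPw, ByRef errText)
    Dim root, pUser
    TryChangePassword = False
    On Error Resume Next
    Set root = GetObject("WinNT:")
    ' Bind with the user's own credentials: no privileged account involved
    Set pUser = root.OpenDSObject("WinNT://" & DOMAIN_NAME & "/" & user & ",user", _
                                  DOMAIN_NAME & "\" & user, oldPw, ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        errText = "Bind failed: 0x" & Hex(Err.Number)   ' log the code, never the password
        Exit Function
    End If
    ' ChangePassword (not SetPassword) makes the DC enforce history, complexity and min age
    pUser.ChangePassword oldPw, newPw
    If Err.Number <> 0 Then
        errText = "Change failed: 0x" & Hex(Err.Number)
    Else
        TryChangePassword = True
    End If
    On Error GoTo 0
End Function
Dim user, oldPw, newPw, msg
user  = Request.Form("user")
oldPw = Request.Form("old")
newPw = Request.Form("new")
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Status = "403 Forbidden"        ' never accept passwords over plain HTTP
ElseIf Not ValidUser(user) Or Len(newPw) < 8 Then
    Response.Write "Invalid user name or new password too short."
ElseIf TryChangePassword(user, oldPw, newPw, msg) Then
    Response.Write "Password changed."
Else
    Response.Write "Password change failed."   ' generic message to the browser...
    Response.AppendToLog msg                    ' ...detail goes only to the IIS log
End If
%>
```

The page does not need to run as a privileged account because the domain controller validates the old password itself during the bind, which is the property that makes option 2 safe to combine with a low-privilege anonymous account.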
 

Author Comment

by:MrBeebs
ID: 21858699
Hi everyone,

My problem is fixed. I think I had a number of problems, but MS article 831047 pretty much nailed a big part of it. Specifically, I had to register .asp and .htr extensions to the asp.dll in the application mappings window for the virtual directory hosting the scripts. That took care of one part of the problem.

As for the ability to communicate to the domain, I believe it was a GPO issue and specifically access to the network and the fact that the win2k boxes were not getting the GPO settings.

Thanks everyone for your help.

Regards
 

Author Closing Comment

by:MrBeebs
ID: 31469207
I would also add this reference to an MS article which helped:
MS article 831047.