[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Membership Provider issues

Posted on 2011-03-02
2
Medium Priority
?
880 Views
Last Modified: 2012-05-11
Background:
I have an ASP.NET web site that uses Forms authentication and the ActiveDirectoryMembershipProvider for authenticating users against my active directory. No issues with that, works well.

Issue:
If a user has forgotten his/her password he/she will call our help desk to ask for the password to be reset. At that time, the help desk user will be able to reset the user's password and email them the new "temporary" password. That works well, but creates a security risk. So the obvious solution would be to check the "force password reset at next logon" when the password reset is done. The problem is introduced here, because the AD Membership provider can not authenticate the user if the "User must change password at next logon" flag is set. So when the user attempts to logon on to the site using the "temporary" password the Membership.Validate() call always returns false.

I tried to skirt this issue by creating a UserPrincipal object for the user attempting the logon, from the logon page. With the UserPrincipal object i can check the LastPasswordSet property to see if i need to force a password change. LastPasswordSet will be blank if the user recently had the password reset and has not changed it since. See example below.

Logon page code behind
C#:
//...
//username is the user trying to logon with the temp password
UserPrincipal up = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username)
//...
if (up.LastPasswordSet.HasValue == false)
{//the password has never been changed for this user or was recently reset
            if (up.PasswordNeverExpires == false)//ignore users whos password never expires
            {//user has never changed their password, or the password has been reset and must be changed
                      return_value = true;
             }
}

Open in new window



So, with the code above, I can identify the user trying to access my site must change his/her password at next logon. From there i skip the Membership.Validate() call because i know it will fail anyway, and do a Response.Redirect() to my password change screen. I ask the user for the old password (password from help desk), new password and confirm password. However, when i call MembershipUser.ChangePassword() it always returns false and fails to change the password.

This is where i got stuck. Is there a way to work with the active directory setting "User must change password at next logon" while still using the ActiveDirectoryMembershipProvider and forms auth.


Here is a snippet of my web.Config settings for the membership info:
<connectionStrings>
      <add name="ADConnectionString" connectionString="LDAP://my.domain.com/CN=Users,DC=my,DC=domain,DC=com"/>
</connectionStrings>
...
<membership defaultProvider="MembershipADProvider" >
      <providers>
        <clear/>
        <add name="MembershipADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             applicationName="MyApplication"
             connectionStringName="ADConnectionString"
             attributeMapUsername="sAMAccountname"
             enableSearchMethods="true"
             minRequiredNonalphanumericCharacters="0"
             />
      </providers>
</membership>
...

Open in new window


My domain controller is running Windows Server 2008 R2.
I use framework 3.5 for all my .NET code.
0
Comment
Question by:farpoint1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 13

Accepted Solution

by:
Rahul Agarwal earned 1500 total points
ID: 35023883
You'll have to custom code that somehow with some sort of "enhanced" AD
membership provider (if you still want to use the membership provider for
the provisioning piece and not just the credentials validation).  You won't
be able to use the native function for "user must change password at next
logon".
0
 

Author Closing Comment

by:farpoint1
ID: 35074971
Answer told me what i already knew. Not much help solving the problem.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us here at EE write code. Many of us write exceptional code; just as many of us write exception-prone code. As we all should know, exceptions are a mechanism for handling errors which are typically out of our control. From database errors, t…
Entity Framework is a powerful tool to help you interact with the DataBase but still doesn't help much when we have a Stored Procedure that returns more than one resultset. The solution takes some of out-of-the-box thinking; read on!
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question