farpoint1
Membership Provider issues

Background:
I have an ASP.NET web site that uses Forms authentication and the ActiveDirectoryMembershipProvider for authenticating users against my active directory. No issues with that, works well.

Issue:
If a user has forgotten his/her password he/she will call our help desk to ask for the password to be reset. At that time, the help desk user will be able to reset the user's password and email them the new "temporary" password. That works well, but creates a security risk. So the obvious solution would be to check the "force password reset at next logon" when the password reset is done. The problem is introduced here, because the AD Membership provider cannot authenticate the user if the "User must change password at next logon" flag is set. So when the user attempts to log on to the site using the "temporary" password the Membership.Validate() call always returns false.

I tried to skirt this issue by creating a UserPrincipal object for the user attempting the logon, from the logon page. With the UserPrincipal object I can check the LastPasswordSet property to see if I need to force a password change. LastPasswordSet will be blank if the user recently had the password reset and has not changed it since. See example below.

Logon page code behind
C#:
using System.DirectoryServices.AccountManagement;

//...
// Returns true when the user must change the password before the site can validate them.
// 'context' is a PrincipalContext for the domain; 'username' is the user trying to logon with the temp password.
static bool MustChangePassword(PrincipalContext context, string username)
{
    bool return_value = false;
    UserPrincipal up = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
    //...
    if (up != null && up.LastPasswordSet.HasValue == false)
    {   // the password has never been changed for this user or was recently reset
        if (up.PasswordNeverExpires == false) // ignore users whose password never expires
        {   // user has never changed their password, or the password has been reset and must be changed
            return_value = true;
        }
    }
    return return_value;
}


So, with the code above, I can identify that the user trying to access my site must change his/her password at next logon. From there I skip the Membership.Validate() call because I know it will fail anyway, and do a Response.Redirect() to my password change screen. I ask the user for the old password (password from help desk), new password and confirm password. However, when I call MembershipUser.ChangePassword() it always returns false and fails to change the password.

This is where I got stuck. Is there a way to work with the active directory setting "User must change password at next logon" while still using the ActiveDirectoryMembershipProvider and forms auth?


Here is a snippet of my web.Config settings for the membership info:
<connectionStrings>
      <add name="ADConnectionString" connectionString="LDAP://my.domain.com/CN=Users,DC=my,DC=domain,DC=com"/>
</connectionStrings>
...
<membership defaultProvider="MembershipADProvider" >
      <providers>
        <clear/>
        <add name="MembershipADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             applicationName="MyApplication"
             connectionStringName="ADConnectionString"
             attributeMapUsername="sAMAccountname"
             enableSearchMethods="true"
             minRequiredNonalphanumericCharacters="0"
             />
      </providers>
</membership>
...


My domain controller is running Windows Server 2008 R2.
I use framework 3.5 for all my .NET code.
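An added example (not code from the original post or from the paywalled answer) showing one way to handle the must-change-at-next-logon case from the password-change page: it keeps the LastPasswordSet / PasswordNeverExpires check from the post and, instead of MembershipUser.ChangePassword(), calls UserPrincipal.ChangePassword() from System.DirectoryServices.AccountManagement. That call is a user password change, which the domain controller authorises by verifying the old (temporary) password itself, so it does not depend on the provider first validating an account that AD refuses to validate; once it succeeds, pwdLastSet is populated and Membership.ValidateUser() works on the next logon. The domain and container values are assumptions taken from the web.config above; the result enum and method names are invented for the example.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public enum TempPasswordResult { UserNotFound, NotRequired, Changed, Rejected }

public static class TempPasswordLogon
{
    // Assumed values, derived from the asker's ADConnectionString.
    const string Domain = "my.domain.com";
    const string Container = "CN=Users,DC=my,DC=domain,DC=com";

    // True when AD has cleared pwdLastSet (help-desk reset with "must change at next logon"):
    // in that state the ActiveDirectoryMembershipProvider will not validate the account.
    public static bool MustChangePassword(UserPrincipal up)
    {
        return up.LastPasswordSet.HasValue == false && up.PasswordNeverExpires == false;
    }

    // Called from the password-change page with the temporary password the help desk issued
    // and the new password the user chose. Never log either value.
    public static TempPasswordResult ChangeTemporaryPassword(string username, string oldPassword, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain, Container))
        using (var up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
        {
            if (up == null) return TempPasswordResult.UserNotFound;
            if (!MustChangePassword(up)) return TempPasswordResult.NotRequired; // normal flow: use the provider

            try
            {
                // A change, not a reset: the DC checks oldPassword and applies domain password policy,
                // and only the account's own "Change Password" right is needed (no reset rights for the app).
                up.ChangePassword(oldPassword, newPassword);
                return TempPasswordResult.Changed; // pwdLastSet is now set; Membership.ValidateUser() will succeed
            }
            catch (PasswordException)
            {
                // Wrong temporary password, or the new password violates policy (history, complexity, length).
                return TempPasswordResult.Rejected;
            }
        }
    }
}
```

On a Rejected result, show the user one generic message rather than distinguishing a wrong temporary password from a policy failure, and rate-limit the page the same way the logon page is rate-limited.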
ASKER CERTIFIED SOLUTION
Rahul Agarwal
farpoint1

ASKER

Answer told me what I already knew. Not much help solving the problem.