User to change password on first logon

  • Question

  • User124969076 posted

    Hi all,

    Some help needed here.  I have a web application that is authenticating against the AD.  I'm on windows authentication and that bit is working fine.

    In a windows LAN environment, when the "user must change password on next logon" or the like option is checked in the AD, the dialogue box to change password is presented to the user.  However, it won't work in the web application environment.  Does anyone have any idea if there's some error that I can catch/property that I can catch to get the users to change the password??

    If not, then what's the usual algorithm like to implement something like this??  Or should I be using Forms authentication??  Any hints would be greatly appreciated.

    Thanks in advance.


    Friday, November 23, 2007 4:42 AM

Answers

  • User1191518856 posted

     The attribute pwdLastSet has a value of zero when "User must change password at next logon" is checked. So you should be able to read this attribute and act upon it.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, November 23, 2007 6:24 AM

All replies

  • User124969076 posted

    Thanks.  It does what I want but I also realised that I can't check the "change password on logon" option.  Else whatever I'm doing can't work.

    Thanks once again. :)

    Sunday, November 25, 2007 10:00 PM
  • User682573931 posted

    I am also looking for a resolution for this case.

    Unfortunately the suggestion to read the pwdLastSet attribute does not work because the user is unable to authenticate against IIS because "User must change password at next logon" is checked.  So the login attempt fails and the user is unable to even enter the ASP.NET code.

    Does anyone have a suggestion on how to get this to work or know if this is even possible to achieve?

    Friday, May 30, 2008 1:10 PM
  • User124969076 posted

    I actually managed to sort this one out a couple of months ago.

    What I eventually did is to remove the "user must change password at next logon" option and the "expire password" option.  I coded something in place of those options in my code.  So it's kind of a bash through approach but with a deadline, it works, so who really cares...

    So what I did is, when the user enters the pages, I check for the pwdLastSet field in the AD.  The value should be null or 1/1/1601 (can't remember offhand) if the password hasn't been changed before.  So in my code, when I see that the date is either of those values, I redirect the user to a page which requires them to change their password.

    Make sense??

    Sunday, June 1, 2008 10:07 PM
  • User1498937182 posted

    Exactly what I was looking for.  Only thing for me is I am very new to asp.net.  I am not sure if I need to create a script or another asp.net page.  Any suggestions on step approach to make this work. 

    Monday, January 26, 2009 10:57 AM
  • User124969076 posted

    I created another asp.net page that doesn't display to the user. I just redirect it there, process the stuff, then redirect accordingly. I guess you could create a class that your page can call or something if you want.

    Tuesday, January 27, 2009 11:26 AM
  • User1498937182 posted

     How exactly is it done?  This is where I am leaning.  If I could create a script or asp.net page in the background that will look at the local user account to see if the password change variable is 1, which then would redirect the user to a password.asp page I have, then once they change to the new password and hit ok, the script will redirect them to the desired page.  If the user's password change variable is 0 they log in to the page normally.

    Does this make sense, and would you have any suggestions on how to go about this?

    Tuesday, January 27, 2009 1:30 PM
  • User124969076 posted

    Here's what I have in my code and it should help.

        using System;
        using System.Configuration;
        using System.DirectoryServices;
        using System.Web.Security;

        // you need a user id and password to the AD to retrieve any information from the AD.
        // it also needs to have sufficient rights.
        string domain = ConfigurationManager.ConnectionStrings["ADConnectionString"].ToString();
        string adUser = ConfigurationManager.ConnectionStrings["ADUserId"].ToString();
        string adPassword = ConfigurationManager.ConnectionStrings["ADUserPassword"].ToString();

        // I copied this off somewhere.. it worked for me so i'm not going to question why
        DirectoryEntry deRoot = new DirectoryEntry(domain, adUser, adPassword, AuthenticationTypes.Secure);
        DirectorySearcher deSearch = new DirectorySearcher(deRoot);
        // <some field to find your user> is a placeholder: substitute the value you search the user by
        deSearch.Filter = "(&(objectCategory=user)(ANR=" + <some field to find your user> + "))";
        deSearch.PropertiesToLoad.Add("pwdLastSet");
        // pwdLastSet comes back in oRes.Properties["pwdLastSet"]; LoginSession (not shown) is a
        // custom session helper holding the LastPasswordChange / LastLogin values for the user
        SearchResult oRes = deSearch.FindOne();

        DateTime temp = new DateTime(1601, 1, 1);   // what a pwdLastSet of zero converts to
        TimeSpan ts = DateTime.Now.Subtract(LoginSession.LastPasswordChange);
        TimeSpan ts1 = DateTime.Now.Subtract(LoginSession.LastLogin);

        if (ts1.Days > 90)
        {
            // inactive for more than 90 days: end the session and send the user back to the login page
            LoginSession.Logout(Context.Session.SessionID.ToString());
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage(FormsAuthentication.LoginUrl);
        }
        else if (LoginSession.LastPasswordChange == temp)   // users have to change password on first logon
        {
            Response.Redirect("ChangePassword.aspx?change=first", true);
        }
        else if (ts.Days > 90)   // users have to change password after 90 days (ts1 <= 90 already holds here)
        {
            Response.Redirect("ChangePassword.aspx?change=expire", true);
        }
        else
        {
            Response.Redirect("default.aspx");
        }

    Thursday, February 5, 2009 4:39 AM
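The pwdLastSet handling this thread describes (zero when "User must change password at next logon" is checked, which is the 1/1/1601 date once converted, plus the 90-day rule from the posted code) as an added C# example that is not the poster's code; the type and method names, the sample values and the 90-day limit are assumptions made for the example.

```csharp
using System;

// Classifies an AD user's password state from the raw pwdLastSet value.
// DirectorySearcher returns pwdLastSet as an Int64 FILETIME (100-ns ticks since
// 1601-01-01 UTC); the directory stores 0 when the must-change flag is set.
// Because a flagged account cannot authenticate to IIS itself (see the thread),
// the lookup has to run under the application's own service credentials.
public enum PasswordState { MustChange, Expired, Ok }

public static class PasswordPolicyCheck
{
    // maxAgeDays mirrors the 90-day rule in the thread; nowUtc is passed in so
    // the decision can be exercised without a domain controller.
    public static PasswordState Classify(long pwdLastSet, int maxAgeDays, DateTime nowUtc)
    {
        if (pwdLastSet == 0)
            return PasswordState.MustChange;   // admin forced a change at next logon

        // FromFileTimeUtc keeps the comparison in UTC; FromFileTime would shift
        // the 1601 epoch into the previous day in time zones west of UTC.
        DateTime lastSet = DateTime.FromFileTimeUtc(pwdLastSet);
        return (nowUtc - lastSet).TotalDays > maxAgeDays
            ? PasswordState.Expired
            : PasswordState.Ok;
    }

    // Extracts the raw value from a search result (needs a reference to
    // System.DirectoryServices). A missing attribute is treated like 0, i.e.
    // the user is sent to the change-password page rather than let through.
    public static long ReadPwdLastSet(System.DirectoryServices.SearchResult result)
    {
        var values = result.Properties["pwdLastSet"];
        return values.Count == 0 ? 0L : (long)values[0];
    }

    public static void Main()
    {
        // Constructed sample inputs: flag set, a 100-day-old and a 10-day-old password.
        DateTime now = new DateTime(2009, 2, 5, 4, 39, 0, DateTimeKind.Utc);
        long flagged = 0;
        long stale = now.AddDays(-100).ToFileTimeUtc();
        long recent = now.AddDays(-10).ToFileTimeUtc();

        Console.WriteLine("flagged: " + Classify(flagged, 90, now));
        Console.WriteLine("stale:   " + Classify(stale, 90, now));
        Console.WriteLine("recent:  " + Classify(recent, 90, now));
    }
}
```

In the page flow from the thread, the value from ReadPwdLastSet feeds Classify and MustChange/Expired map to the two ChangePassword.aspx redirects.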