Trying to change a password that "user must change" in AD through ASP.NET - asp.net

If the account does not have "user must change at next login" checked, I can change the password.
However, if the box is checked, I get a bad password error when I try to access the user.
LogOnUser() returns the correct error code so I know the user must change their password.
As Joe Kaplan says here (back in 2004), I can't bind to the user to be able to change their passwords.
It's the same issue whether using AccountManagement/PrincipalContext or DirectoryEntry/DirectorySearcher.

I did this on a project at my last position. Rather than trying to bind to the user with their own credentials, we set up an AD account with only the rights to make the password change.
So, once you have the error code indicating that the user must change their password, ask for the new password, grab the user as admin, and make the change.
As I recall, we had to pass the admin username and password explicitly to make it work, rather than relying on the credentials the code was running under.
For security, we stored an encrypted copy of the limited admin username and password in the registry, and decrypted it when we were making the call.
Code will be something like this:
using System.DirectoryServices.AccountManagement;

// Bind with the limited service account, not the end user's credentials.
// SimpleBind sends this password in clear unless combined with ContextOptions.SecureSocketLayer.
using (var dc = new PrincipalContext(ContextType.Domain,
    "www.yourdomain.com", "dc=yourdomain,dc=com",
    ContextOptions.SimpleBind, "AdminUserName", "AdminPassword"))
using (var usr = UserPrincipal.FindByIdentity(dc, "UserWhoNeedsPasswordChanged"))
{
    // ChangePassword still takes the old password, so the user proves they know it.
    usr.ChangePassword("oldPass", "newPass");
}
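Here is the same two-step flow at the LDAP level, as an added Python example (my own code, not the answerer's and not a Microsoft API), written so it runs without a directory: first a classifier for the "data NNN" sub-status code that Active Directory puts in a failed bind's diagnostic message, so "user must change password" (773) is not mistaken for a wrong password (52e); second the unicodePwd modification the service account sends to perform a change, which is a delete of the old value plus an add of the new value in one operation, both encoded as quoted UTF-16-LE. The sample diagnostic string and the passwords are constructed values.

```python
import re

# Sub-status codes Active Directory appends to a failed bind's diagnostic message,
# as in "... AcceptSecurityContext error, data 773, v2580" (hex digits, no 0x).
AD_BIND_DATA_CODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

_DATA_CODE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def classify_bind_failure(diagnostic_message):
    """Turn the LDAP bind diagnostic string into a reason; 'unknown' if no data code."""
    match = _DATA_CODE.search(diagnostic_message)
    if match is None:
        return "unknown"
    return AD_BIND_DATA_CODES.get(int(match.group(1), 16), "unknown")


def must_change_password(diagnostic_message):
    """The case the question hits: the bind fails with 773, not with 52e (bad password)."""
    return classify_bind_failure(diagnostic_message) == "user must reset password"


def unicode_pwd(password):
    """AD expects unicodePwd as UTF-16-LE of the password wrapped in double quotes."""
    return f'"{password}"'.encode("utf-16-le")


def change_password_mods(old_password, new_password):
    """The modify a *change* sends: delete the old value and add the new one in a single
    operation. The DC verifies that the deleted value is the current password, so the
    service account only needs the 'Change Password' right (granted to Everyone and SELF
    by default), not 'Reset Password'. It must travel over LDAPS or a sealed SASL bind."""
    return [
        ("delete", "unicodePwd", [unicode_pwd(old_password)]),
        ("add", "unicodePwd", [unicode_pwd(new_password)]),
    ]


if __name__ == "__main__":
    # Constructed sample of what a DC returns for an account flagged
    # "user must change password at next logon".
    sample = ("80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext "
              "error, data 773, v2580")
    print(classify_bind_failure(sample))
    for op, attr, values in change_password_mods("oldPass", "newPass"):
        print(op, attr, values[0])
```

The classifier is the piece to wire in front of the "ask for the new password" step: only a 773 (or a 532, expired) should lead to the change prompt; a 52e is a genuinely wrong password and should fail like any other login.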

Related

How to show the user their automatically generated password after social login?

I am faced with a beautiful enigma. In WordPress I have a widget that allows you to log in with social login (Google and Facebook). When you log in for the first time, the system automatically generates a password and username. This works well. I checked the database and the password is correctly present as hashed.
Now, the problem is that if the user goes into profile settings and wants to change their password, they have to enter the current password first, but they can't know it since it was generated automatically.
I would like to give the user full control over the security of his account, so that he can change his password even if he is logged in with the social login.
So I foresee three possible solutions:
Allow the password to be changed without entering the current one (but it seems insecure).
Email the automatically generated password (and I have no idea how I could do it). Or alternatively show it in the user's profile, but I don't know how safe that is.
Disable social login and rely on the classic registration :)
Has anyone faced a similar situation before? Can you clarify this with some standard method / practice?
You can allow the user to ask for a new password he/she specifies. The user will specify the password twice (password and confirm password fields) and then you:
encrypt the password the user asked for
store the encrypted value somewhere as password candidate (metadata, perhaps)
send an email to the user so he/she can confirm that he/she indeed asked for a password
once the user clicks on the link you have sent to him/her, replace the value of the password with the password candidate and remove the password candidate
Don't forget that the user is already logged in when he/she changes his/her password, adding an email validation to the password he/she asked for is pretty safe.
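The four steps above worked through as an added Python example (my own code, not WordPress's and not the answerer's, with a plain dict standing in for the user's metadata row): the candidate is kept as a salted PBKDF2 hash rather than anything reversible, which is all the final step needs; the e-mailed token is stored only as its SHA-256, so a leaked table does not yield usable confirmation links; and the candidate carries an expiry so a stale request cannot be promoted later. The work factor, TTL and minimum length are assumptions, not values from the post.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 600_000        # PBKDF2-HMAC-SHA256 work factor (assumed)
CANDIDATE_TTL_SECONDS = 3600   # the e-mailed link is valid for one hour (assumed)
MIN_PASSWORD_LENGTH = 12       # assumed policy


def _now(now):
    return time.time() if now is None else now


def hash_password(password, salt=None):
    """Salted PBKDF2; stored as 'salt_hex:digest_hex' so the salt travels with the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split(":", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def request_password_change(user, new_password, confirm_password, now=None):
    """Steps 1-3: validate, hash the candidate, park it on the user record with a
    single-use token. Only a hash of the token is stored; the raw token is returned
    so the caller can put it in the confirmation e-mail link (and nowhere else)."""
    if new_password != confirm_password:
        raise ValueError("password and confirmation do not match")
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    token = secrets.token_urlsafe(32)
    user["password_candidate"] = {
        "hash": hash_password(new_password),
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": _now(now) + CANDIDATE_TTL_SECONDS,
    }
    return token


def confirm_password_change(user, token, now=None):
    """Step 4: the link is clicked. Promote the candidate to the real password hash and
    remove it. A wrong token changes nothing and returns False; an expired candidate is
    discarded so it can never be promoted later."""
    candidate = user.get("password_candidate")
    if candidate is None:
        return False
    if _now(now) > candidate["expires"]:
        del user["password_candidate"]
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, candidate["token_hash"]):
        return False
    user["password_hash"] = candidate["hash"]
    del user["password_candidate"]
    return True


if __name__ == "__main__":
    # Constructed user record: the socially-generated password is already hashed.
    user = {"password_hash": hash_password("generated-by-social-login")}
    token = request_password_change(user, "correct horse battery", "correct horse battery")
    # ... e-mail a link carrying `token`; when the user clicks it:
    print(confirm_password_change(user, token))
    print(verify_password("correct horse battery", user["password_hash"]))
```

Because the user is already logged in when they request the change, the e-mail step only has to prove control of the mailbox, which is why a single-use, short-lived token is enough here.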

Check password OpenLDAP with pwdGraceUseTime

I am currently working with OpenLDAP. In the LDAP password policy, the attribute "pwdGraceAuthnLimit" has the value 3.
When a user's password has expired, the user still has 3 grace logins. During that grace period, the user must change his password.
To change his password, the user must enter the old password and new password.
The problem is when I try to check the old password.
To check the old password, I use Spring LDAP and the method "authenticate" of the class LdapTemplate (https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/core/LdapTemplate.html).
Each time I call the method authenticate, a "pwdGraceUseTime" attribute value is added to the LDAP entry for the login. So, the number of grace logins is decremented by 1 for the login.
I have also tried the method described in paragraph 4.2 here (https://www.baeldung.com/spring-ldap) but the result is the same.
I have also tried to delete the attribute "pwdGraceUseTime" for the login, but it is not possible; I get an error (NO-USER-MODIFICATION).
Could you tell me if it is possible to check the old password without decrementing the grace count? If there is only one grace login left for the login and I call the method authenticate, the account is locked.

Sonatype Nexus: "invalid authentication ticket" on password change

I'm trying to change the admin password. I get this error:
invalid authentication ticket
It's a known issue: https://issues.sonatype.org/browse/NEXUS-10252
You just need to change your password within 15 seconds after entering the current password.
I have an (ethical) hack, and hence an alternate but longer way to do this :-)
Steps:
Create a new admin user (while logged in using the default admin credentials), with a different user name, etc.
Now log in using the new admin user that you created in step 1.
Delete the previous admin user (the default one).
Again create a new admin user using the new credentials.
Log in using the admin user that you just created, and problemo solved :-)
It looked like I was changing the password and something else at the same time. I had to save the profile and then proceed with the password change.

Getting user password from Active Directory

I am using Active Directory in my ASP.NET project and whenever a user registers on the site, an account is created in AD. There is a Forgot Password link. Is it possible to get the user's password from AD? I can get the name or email, but I don't know if I can get the password.
That is impossible. I would suggest that you do not implement 'forgot password' functionality, but rather 'reset password'. You generate a new password, reset the password in Active Directory and send the new password to the user.
EDIT: Based on the information in your comment. First of all, it is a very bad idea to use an administrator account the way you use it now, with the account name and password as part of your code. You're running an ASP.NET site, so you should configure the application pool to run with this account.
Second, you should simply create a DirectoryEntry with the correct path and reset the password. I'm not sure what your oEntry is:
using System.DirectoryServices;

// Administrative reset: SetPassword does not need the old password and is not
// blocked by the minimum password age, unlike a user-initiated ChangePassword.
using (var userEntry = new DirectoryEntry(
    "LDAP://CN=SomeUser,OU=Users,DC=yourdomain,DC=com"))
{
    userEntry.Invoke("SetPassword", new object[] { "NewPassword" });
    userEntry.CommitChanges();
}
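As an added example of the reset route this answer recommends (Python, my own code, not the answerer's and not a Microsoft API): a generator for a random temporary password that passes Active Directory's default complexity rule, the rule itself so the value can be checked before the round trip (three of five character classes, no 3+ character token of the sAMAccountName or displayName, a length floor), and the single unicodePwd replace that an administrative reset sends. Actually sending it needs a bound connection over LDAPS or a sealed SASL bind, which is left out so the block runs offline; the account names, display names and length used are constructed values.

```python
import re
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_"   # conservative subset of the punctuation AD accepts (assumed)

# The default policy splits displayName on these delimiters; any token of 3+ chars is
# forbidden inside the password, as is the sAMAccountName itself when 3+ chars.
_DISPLAY_NAME_DELIMS = re.compile(r"[,.\- _#\t]+")


def _forbidden_tokens(sam_account_name, display_name):
    tokens = {sam_account_name} if len(sam_account_name) >= 3 else set()
    tokens |= {t for t in _DISPLAY_NAME_DELIMS.split(display_name or "") if len(t) >= 3}
    return {t.lower() for t in tokens}


def meets_ad_complexity(password, sam_account_name, display_name="", min_length=8):
    """Default 'Password must meet complexity requirements' rule plus a length floor."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    if any(tok in lowered for tok in _forbidden_tokens(sam_account_name, display_name)):
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        # fifth AD category: letters that are neither upper nor lower case (e.g. CJK)
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(classes) >= 3


def generate_temporary_password(sam_account_name, display_name="", length=16):
    """Random password with one char from each ASCII class, retried until it passes
    the rule (a name token can appear by chance, so never skip the check)."""
    rng = secrets.SystemRandom()
    alphabet = UPPER + LOWER + DIGITS + SYMBOLS
    while True:
        chars = [secrets.choice(UPPER), secrets.choice(LOWER),
                 secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        password = "".join(chars)
        if meets_ad_complexity(password, sam_account_name, display_name, min_length=length):
            return password


def unicode_pwd(password):
    """AD expects unicodePwd as UTF-16-LE of the password wrapped in double quotes."""
    return f'"{password}"'.encode("utf-16-le")


def reset_password_mods(new_password):
    """Administrative reset = one replace. Needs the 'Reset Password' right on the
    object and an encrypted connection; the DC rejects unicodePwd writes over plain LDAP."""
    return [("replace", "unicodePwd", [unicode_pwd(new_password)])]


if __name__ == "__main__":
    # Constructed account: sAMAccountName jsmith, displayName "John Smith".
    temp = generate_temporary_password("jsmith", "John Smith")
    print(temp, meets_ad_complexity(temp, "jsmith", "John Smith"))
    print(reset_password_mods(temp))
```

Pair the reset with setting pwdLastSet to 0 on the same object so the temporary password is good for one logon only; otherwise the value you e-mailed stays the account's password until the user thinks to change it.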
It is impossible to get the existing password for users from Active Directory since it is hashed with the SID. But you can get new passwords that are going to be set for users in AD. For that you need to register a password filter on every domain controller. Whenever a password change request comes to a DC, it will invoke the registered password filter both pre and post password change for the user.
Refer to this link:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx

ASP.NET ChangePassword control with ActiveDirectoryMembershipProvider

I have a webapp that uses Forms Authentication with ActiveDirectoryMembershipProvider.
That works fine... users can log in successfully.
Once the user logs in, he can change the password.
We use a ChangePassword control that retrieves the Membership information and uses the old and new password to change the user's password. That doesn't work.
The exception message thrown is that the password doesn't fit the password policies (not the message of the provider, but the underlying COM object). But this is not the case, as going to the Active Directory console and changing the password there does work. When using the Active Directory console we used a quite simple password: "Password01".
The user in Active Directory is set to allow changing the password. All our users are stored in a certain OU and the connection string to AD points to this OU also. Again, the connection is successful as we can log in.
Is there any other thing that can prevent us from changing the password?
Exception information
System.Web.Security.MembershipPasswordException: The password supplied is invalid.
Passwords must conform to the password strength requirements configured for the default provider.
---> System.Runtime.InteropServices.COMException (0x800708C5): The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)
--- End of inner exception stack trace ---
at System.Web.Security.ActiveDirectoryMembershipProvider.ChangePassword(String username, String oldPassword, String newPassword)
at System.Web.Security.MembershipUser.ChangePassword(String oldPassword, String newPassword)
Well, sorry for the inconvenience...
The problem was that the Active Directory administrator had configured that you must wait a day before changing the password.
So, if we create a user... the user must wait 1 day to change his password.
The Administrator can reset a password without this restriction.
Thanks for your comments.
When you configure the membership provider in the web.config there are several password-related values that can be set, namely:
MinRequiredNonAlphanumericCharacters
MinRequiredPasswordLength
PasswordStrengthRegularExpression
I would first make sure that all of these are set to values which will match up with ActiveDirectory.
Next, make sure that the connectionProtection attribute is set to SignAndSeal, you cannot change passwords otherwise:
connectionProtection="SignAndSeal"
Besides those suggestions, I looked in Reflector and all the COM errors (except 0x7FF8FAD2) are being thrown straight up to the client. Error 0x800708C5 appears in the MSDN in several places but always with the text that password complexity is not sufficient.
