I am using active directory in my ASP.NET project and whenever user register in the site,an account is created in AD. There is an Forgot Password link.Is it possible to get user password from AD.I can get the name or email, but I don't know if I can get the password.
That is impossible. I would suggest that you do not implement 'forgot password' functionality, but rather 'reset password'. You generate a new password, reset the password in Active Directory and send the new password to the user.
EDIT: Based on the information in your comment. First of all, it is a very bad idea to use an administrator account the way you use it now, with the account name and password as part of your code. You're running an ASP.NET site, so you should configure the application pool to run with this account.
Second, you should simply create a DirectoryEntry with the correct path and reset the password. I'm not sure what your oEntry is:
var userEntry = new DirectoryEntry(
"LDAP://CN=SomeUser,OU=Users,DC=yourdomain,DC=com");
using (userEntry)
{
userEntry.Invoke("SetPassword", new object[] { "NewPassword" });
userEntry.CommitChanges();
}
It is impossible to get existing password for users from active directory since it is hashed with sid. But you can get new password that are going to set for users in AD. For that you need to register a password filter in every domain controller. Whenever password change request come to dc it will invoke registered password filter on both pre , post password change to User.
Refer link
https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx
Related
I'm working on a Node js project using Firebase. Currently, I store several User fields in the database under their email address. (Users > Email Address > (five different fields)). One of these fields is the user's password.
In my Reset Password workflow, I have Firebase send the User a reset password email. After the user goes through the link in that email, they successfully change their password and can now log in with their new password. My question is how can I grab that new password, and update the Users > Email Address > password field in my database right away? Currently, this field is holding the old password that doesn't have any use any longer.
I don't believe we will need this field for the project, but I want to keep it updated for now in case another member on my team needs it. Thank you
My question is how can I grab that new password, and update the Users
-> Email Address -> password field in my database right away?
By using the standard reset password email mechanism proposed by Firebase you cannot "grab" the password.
You would need to implement your own mechanism as explained in the "Create custom email action handlers" page in the doc.
As evocated by #Kiran in his comment, storing users' passwords in your Firebase DB (Firestore or the RTDB) can be dangerous: you should take care that they cannot be read by some malicious users, typically by using security rules.
It can make sense, from a specific business/admin/organisational reason, to store users' password in a Firebase DB but then you should correctly protect them.
I'm trying to change the admin password. I get this error:
invalid authentication ticket
It's a known issue: https://issues.sonatype.org/browse/NEXUS-10252
You need just to change your password within 15 seconds after entering current password.
I have a hack(ethical) and hence alternate but longer way to do this :-)
Steps:-
Create a new admin user(previously logged in using admin default credentials) - different user name, etc, etc
Now login using new(admin) user that you created in step 1.
Delete the previous admin user (the default one)
Again create a new admin user using new credentials
Login using admin user that you just created, and problemo solved :-)
It looked like i was changing the password and something else at the same time. I had to save the profile and then proceed with the password change.
I am creating an admin interface and the admin needs the ability to create user accounts, pick and change the password.
If I try to call Account.createUser on the Client, it automatically logs the user in as the new user, which is what I do not want.
An approach that will work but I am afraid might be insecure is:
Call a server side Meteor method with the username and password for the new account that the admin has picked.
On the server I can use Accounts.createUser to create the new user with password and it will return the new UserId.
But with this approach I am sending the password in plain text over the wire. We could use https and ssl and I think we will be safe, but is there a more secure way to do this?
A much better practice which avoids any user knowing any other user's password is to create the account on the server (as you suggested) but don't specify a password, instead let the user pick it later. From the docs
Call createUser with the email option and then call
Accounts.sendEnrollmentEmail. This will send the user an email with
a link to set their initial password.
If the account does not have "user must change at next login" checked, I can change the password.
However, if the box is checked, I get a bad password error when I try to access the user.
LogOnUser() returns the correct error code so I know the user must change their password.
As Joe Kaplan says here (back in 2004), I can't bind to the user to be able to change their passwords.
It's the same issue whether using AccountManagement/PrincipalContext or DirectoryEntry/DirectorySearcher.
I did this on a project at my last position. Rather than to try to bind to the user with their own credentials, we set up an AD account with only the rights to make the password change.
So, once you have the error code indicating that the user must change their password, ask for the new password, grab the user as admin, and make the change.
As I recall, we had to pass the admin username and password explicitly to make it work, rather than relying on the credentials the code was running under.
For security, we stored an encrypted copy of the limited admin username and password in the registry, and decrypted it when we were making the call.
Code will be something like this:
PrincipalContext dc = new PrincipalContext(ContextType.Domain,
"www.yourdomain.com", "dc=yourdomain,dc=com",
ContextOptions.SimpleBind, "AdminUserName", "AdminPassword");
UserPrincipal usr = UserPrincipal.FindByIdentity(dc,
"UserWhoNeedsPasswordChanged");
usr.ChangePassword("oldPass", "newPass");
I'm new in ASP.NET and already got a lot of answers here searching on google (THX!).
My task is now to build a website, where authentication is required, so I choosed form based authetication, which is working well.
I need to add functionality, when user can click on link and after redirecting to that website he will get automatically authorized based on GET parameters.
For example:
http://www.mysite.com/login.aspx?username=xxx&password=yyy
So after clicking on such link he will skip login page and continue to page behind.
Could you please help me with that question?
P.S. I'm aware, that it is not secure and username with password will be visible as clear text, but here we are talking about generated username and password which will be available just for one day and it is required to identify user to do one request.
You could do something like.
Make sure the username and password are in the querystring, and then assign them to a username and password varaible.
c#
if (FormsAuthentication.Authenticate(username, password))
{
FormsAuthentication.SetAuthCookie(username, true);
FormsAuthentication.RedirectFromLoginPage(username, true);
}
else { // not authenticated. do something }
vb.net
If FormsAuthentication.Authenticate(username, password) Then
FormsAuthentication.SetAuthCookie(username, true)
FormsAuthentication.RedirectFromLoginPage(username, true)
Else
' not authenticated. do something.
End If
For this to work you will need to import/using System.Web.Security. The true value tells your authentication to set a persistent cookie value.
If you are using SQL Server as the database, the easiest way is to use ASP.NET membership provider. By using that you will be able to authenticate user in an effective way. Here you can use Aspnet_regsql.exe to create required batabase tables. There is a good explanation about Creating a Web Site with Membership and User Login
Hope this will help