|
Posted by Joe Kaplan on December 13, 2007, 12:31 pm
Please log in for more thread options We do something very similar internally for users that are not domain joined
and don't get the standard password expiration notification. We send out an
email and direct them to a website that allows pwd change. We use custom
functionality instead of IISADMPWD, but the basics are similar.
This is for password change though, not for self service password reset.
Those are different use cases. If the user needs a password reset due to
expiration or simply a forgotten pwd, then we send them to a different site.
This site authenticates them using either two factor auth (SecurID token) or
via challenge/response questions and then uses a privileged service account
to perform the password reset like an administrator would.
We find we need both solutions.
There is also a sample in ch 10 of my book that shows some examples of
executing queries to find expiring passwords in certain date ranges.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
> Thank you Joe for those informations.
> I will really appreciate if you can give me your point of vue about this
> situation (and if you can confirm that I have "the right solution").
>
> We have an Active Directory domain with a web server hosting a web
> application used by internal users and Internation users. Those
> International users are connecting from various locations (no ADFS
> possible).
>
> International users have accounts in our AD BUT they never open a session
> in this domain.(They are just using this login/password for accessing some
> ressource in our Active Directory)
> Actually, we have to define a "Password never expires" option on each
> internation users accounts because of the password policy in use in our
> domain.
>
> We want to find a way to let International users to reset their passwords
> every 90 days remotely.
>
> For that, we want to send them an email 1 week before the expiration date
> of the password.
> Then, the users will have to connect to a IIS Website with iisadmpwd
> installed.(through HTTPS and a commercial certificate).
> They will then be able to change their passwords.
>
> Do you think it is a good method ?
>
> Thank you again for sharing your knowledge Joe :)
>
> Regards
>
>
>> Interactive logon works differently than remote auth via LDAP.
>> Interactive logon will allow you to change passwords during the logon
>> process and such. You can't do that with LDAP. It either works or it
>> doesn't.
>>
>> Normally, organizations implement some sort of self-service password
>> reset capability for users whose passwords are expired or users who have
>> forgotten their passwords. You are often challenged with verification
>> questions, although the better companies will use two factor auth like
>> smart card to allow this operation.
>>
>> There are a variety of products out there that provide self-service pwd
>> reset capabilities.
>>
>> The code sample you found shows how to do LDAP pwd change using the LDAP
>> API and C. This is doable, but it probably the most difficult approach
>> to use programmatically. You might want to consider .NET if you want to
>> implement this in a web page. Ch 10 of my book has samples which you can
>> download from my site.
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>>> Hi Joe,
>>>
>>> your answer is again really interesting, thank you !
>>>
>>> I have found a sample code here : http://support.microsoft.com/kb/269190
>>>
>>> But, you said that users must have the right to authenticate with an
>>> expired password.
>>> Do you see a security issue about this right ?
>>>
>>> (Indeed, a user with an expired password cannot authenticate anymore but
>>> a warning message told him to change his password, right ? So finally I
>>> don't see a security risk by using this right but perhaps I am wrong :))
>>>
>>> Thank you Joe
>>>
>>>
>>>> You can use LDAP to change passwords. The code would depend on the
>>>> programming language you want to write this in. There are many
>>>> options.
>>>>
>>>> Note that you still can't use this to get around the issue with expired
>>>> passwords unless the user can authenticate with an expired password.
>>>>
>>>> LDAP password changes require encryption, so be aware of that. It is
>>>> possible to use either Windows built in encryption with SPNEGO auth (on
>>>> 2003 or higher DCs and XP or higher clients) or use SSL. However, ADSI
>>>> will only use SSL, so if you want to use an ADSI-based solution, you'll
>>>> need SSL on your DCs.
>>>>
>>>> If you are a .NET programmer, we cover this in gory detail in ch 10 of
>>>> our book (see link in my signature).
>>>>
>>>> Joe K.
>>>>
>>>> --
>>>> Joe Kaplan-MS MVP Directory Services Programming
>>>> Co-author of "The .NET Developer's Guide to Directory Services
>>>> Programming"
>>>> http://www.directoryprogramming.net
>>>> --
>>>>> Nobody ? :)
>>>>>
>>>>> Third question so ! :D
>>>>>
>>>>> 3. Another solution could be to change the password through LDAP v3
>>>>> request no ? (from the Web server to a specific DC)
>>>>> If you confirm that it is possible, do you have a sample code for this
>>>>> kinf of solution please ?
>>>>>
>>>>> Thank you
>>>>>
>>>>>
>>>>>> Hi Svyatoslav ,
>>>>>>
>>>>>> thank you for your answer
>>>>>>
>>>>>> 1. About this, could you tell me which policy allow logging on with
>>>>>> expired passwords please ?
>>>>>> 2. I will try if nobody can't give me the information before :D
>>>>>>
>>>>>> Someone has feedbacks about the IIS reset passwords solution ?
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>>> 1. You can set policy to allow logging on with expired passwords to
>>>>>>> change the password; otherwise indeed you need anonymous access.
>>>>>>> 2. Interesting question. I'm sure kpassword is not used, which
>>>>>>> leaves us with RPC - maybe encrypted in SMB. Capture traffic when
>>>>>>> changing password on your worksation to fing out - IIS will be same.
>>>>>>> And as secure.
>>>>>>>
>>>>>>> --
>>>>>>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>>>>>>> -= F1 is the key =-
>>>>>>>
>>>>>>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> we would like to be able to let users modifying their password
>>>>>>>> through IIS (for example).
>>>>>>>>
>>>>>>>> Indeed, those users are connecting to a IIS server (in US) from
>>>>>>>> another country (Italy) but with credentials stored on a local DC
>>>>>>>> (DC in US so).
>>>>>>>>
>>>>>>>> Every user has an account on the DC in US but the security policy
>>>>>>>> states that the password has a maximum lifetime of 90 days.
>>>>>>>>
>>>>>>>> The idea is to let them reseting their password through IIS (and
>>>>>>>> IISADMPWD so).
>>>>>>>>
>>>>>>>> I have two questions :
>>>>>>>>
>>>>>>>> 1. What's happened if they didn't change their passwords before it
>>>>>>>> expired ? (Do I need to let the IISADMPWD with anonymous access so
>>>>>>>> ?)
>>>>>>>> 2. What protocol is used when the password is modified from the IIS
>>>>>>>> to the DC ? (of course I will use HTTPS from the client to the
>>>>>>>> IIS).
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>>
>>>>>>>> -- Pascal
>>>>>>>>
>>>>>>>>
>>>>>
>>>>> -- Pascal
>>>>>
>>>>>
>>>
>>> -- Pascal
>>>
>>>
>
> --
> Pascal
>
>
| 
XML Sitemap