By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
431,780 Members | 1,549 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 431,780 IT Pros & Developers. It's quick & easy.

Can't log in user having "must change password" flag set (Forms Au

P: n/a
Hi,

we've got a strange problem here:

We've created an ASP.NET 2.0 web application using Membership.ValidateUser()
to manually authenticate users with our website.

The problem is: If the user has the "User must change password" flag set in
Active Directory, ValidateUser() always returns false if that user wants to
log in.

What is it we are doing wrong? Is there some additional code required to
have a user log-in using the membership provider if that user has that
particular flag set?

Any help is quite appreciated.

Best regards,
www.axel-dahmen.com

PS: Just as a hint: We manually authenticate users as there is some business
logic correlated to our log-in page. So... no, we don't use the Login control.
Aug 23 '07 #1
Share this Question
Share on Google+
3 Replies


P: n/a
Hi Axel,

From your description, you're using forms authentication which validate the
logon user against the domain active directory, however, you found that for
those useraccount which has been marked with "User must change password on
next logon...." flag, you can not get it to login through the membership
API, correct?

As for this issue, I'd like to confirm the following things first:

** Whether you're using the built-in ASP.NET 2.0
ActiveDirectoryMembershipProvider to do the authentication for your
membership service?

** Have you tried creating a new simple ASP.NET web app and use the AD
membership provider to see whether you can repeately repro this problem?

So far based on my research, there does exists some known issue of the AD
membership provider, however, what supprising me is that those known issue
indicate that the built-in ADmembershipProvider will allow "User must
change password..." account to logon through ASP.NET membership
service(login control). This seems totally opposite to your case.
Therefore, I think there might something else that cause the behavior.

Please feel free to let me know if there is anything I missed or anything
else you found.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Aug 24 '07 #2

P: n/a
Hi Steven,

thank you for your answer.

Yes, we're using ASP.NET's default ActiveDirectoryMembershipProvider. One of
my colleagues has opened a ticket with MS on the same day and that's what
they've found out:

The ActiveDirectoryMembershipProvider does not allow users having the "User
must change password on next logon...." flag set to log in. According to MS
this is by design: Because the ActiveDirectoryMembershipProvider doesn't
provide a mechanism to force the user to give a new password at log on,
authentication is blocked.

We've now created an alternative implementation for our users to log on
using standard Windows Security API in our Forms Authentication log-in page.
According to my colleague who implemented the login solution this is even
better as for the ActiveDirectoryMembershipProvider it seems that it
requires the password characteristics to be given in the web.config where we
don't think they belong in as password characteristics are already given by
company policies and provided by AD.

Your help has been quite appreciated, Steven. Hope the solution we've found
may help someone else having the same problem.

Best regards,
www.axeldahmen.com
Axel Dahmen

---------------------------
"Steven Cheng[MSFT]" <st*****@online.microsoft.comschrieb im Newsbeitrag
news:kE**************@TK2MSFTNGHUB02.phx.gbl...
Hi Axel,

From your description, you're using forms authentication which validate
the
logon user against the domain active directory, however, you found that
for
those useraccount which has been marked with "User must change password on
next logon...." flag, you can not get it to login through the membership
API, correct?

As for this issue, I'd like to confirm the following things first:

** Whether you're using the built-in ASP.NET 2.0
ActiveDirectoryMembershipProvider to do the authentication for your
membership service?

** Have you tried creating a new simple ASP.NET web app and use the AD
membership provider to see whether you can repeately repro this problem?

So far based on my research, there does exists some known issue of the AD
membership provider, however, what supprising me is that those known issue
indicate that the built-in ADmembershipProvider will allow "User must
change password..." account to logon through ASP.NET membership
service(login control). This seems totally opposite to your case.
Therefore, I think there might something else that cause the behavior.

Please feel free to let me know if there is anything I missed or anything
else you found.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
>

Aug 28 '07 #3

P: n/a
Hi Axel,

Thanks for your followup.

Glad that you've got the answer of this issue. Of course, this will benifit
other community members who encounter the same problem.

Thanks again for sharing it with us!

Have a good day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Axel Dahmen" <Ke********@newsgroups.nospam>
>
Hi Steven,

thank you for your answer.

Yes, we're using ASP.NET's default ActiveDirectoryMembershipProvider. One
of
>my colleagues has opened a ticket with MS on the same day and that's what
they've found out:

The ActiveDirectoryMembershipProvider does not allow users having the "User
must change password on next logon...." flag set to log in. According to MS
this is by design: Because the ActiveDirectoryMembershipProvider doesn't
provide a mechanism to force the user to give a new password at log on,
authentication is blocked.

We've now created an alternative implementation for our users to log on
using standard Windows Security API in our Forms Authentication log-in
page.
>According to my colleague who implemented the login solution this is even
better as for the ActiveDirectoryMembershipProvider it seems that it
requires the password characteristics to be given in the web.config where
we
>don't think they belong in as password characteristics are already given by
company policies and provided by AD.

Your help has been quite appreciated, Steven. Hope the solution we've found
may help someone else having the same problem.

Best regards,
www.axeldahmen.com
Axel Dahmen

---------------------------
"Steven Cheng[MSFT]" <st*****@online.microsoft.comschrieb im Newsbeitrag
news:kE**************@TK2MSFTNGHUB02.phx.gbl...
>Hi Axel,

From your description, you're using forms authentication which validate
the
>logon user against the domain active directory, however, you found that
for
>those useraccount which has been marked with "User must change password
on
>next logon...." flag, you can not get it to login through the membership
API, correct?

As for this issue, I'd like to confirm the following things first:

** Whether you're using the built-in ASP.NET 2.0
ActiveDirectoryMembershipProvider to do the authentication for your
membership service?

** Have you tried creating a new simple ASP.NET web app and use the AD
membership provider to see whether you can repeately repro this problem?

So far based on my research, there does exists some known issue of the AD
membership provider, however, what supprising me is that those known
issue
>indicate that the built-in ADmembershipProvider will allow "User must
change password..." account to logon through ASP.NET membership
service(login control). This seems totally opposite to your case.
Therefore, I think there might something else that cause the behavior.

Please feel free to let me know if there is anything I missed or anything
else you found.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

================================================= =

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ault.aspx#noti
f
>ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent
issues
>where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each
follow
>up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

================================================= =
This posting is provided "AS IS" with no warranties, and confers no
rights.
>>


Aug 29 '07 #4

This discussion thread is closed

Replies have been disabled for this discussion.