
Can't log in user having "must change password" flag set (Forms Au

Hi,

we've got a strange problem here:

We've created an ASP.NET 2.0 web application using Membership.ValidateUser()
to manually authenticate users with our website.

The problem is: If the user has the "User must change password" flag set in
Active Directory, ValidateUser() always returns false if that user wants to
log in.

What is it we are doing wrong? Is there some additional code required to
have a user log-in using the membership provider if that user has that
particular flag set?

Any help is quite appreciated.

Best regards,
www.axel-dahmen.com

PS: Just as a hint: We manually authenticate users as there is some business
logic correlated to our log-in page. So... no, we don't use the Login control.
Aug 23 '07 #1
Hi Axel,

From your description, you're using forms authentication which validates the
logon user against the domain Active Directory; however, you found that for
those user accounts which have been marked with the "User must change password
on next logon...." flag, you cannot get them to log in through the membership
API, correct?

As for this issue, I'd like to confirm the following things first:

** Whether you're using the built-in ASP.NET 2.0
ActiveDirectoryMembershipProvider to do the authentication for your
membership service?

** Have you tried creating a new simple ASP.NET web app and using the AD
membership provider to see whether you can repeatedly repro this problem?

So far, based on my research, there do exist some known issues with the AD
membership provider; however, what surprises me is that those known issues
indicate that the built-in ADmembershipProvider will allow "User must
change password..." accounts to log on through the ASP.NET membership
service (login control). This seems totally opposite to your case.
Therefore, I think there might be something else that causes the behavior.

Please feel free to let me know if there is anything I missed or anything
else you found.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Aug 24 '07 #2
Hi Steven,

thank you for your answer.

Yes, we're using ASP.NET's default ActiveDirectoryMembershipProvider. One of
my colleagues has opened a ticket with MS on the same day and that's what
they've found out:

The ActiveDirectoryMembershipProvider does not allow users having the "User
must change password on next logon...." flag set to log in. According to MS
this is by design: Because the ActiveDirectoryMembershipProvider doesn't
provide a mechanism to force the user to give a new password at log on,
authentication is blocked.

We've now created an alternative implementation for our users to log on
using standard Windows Security API in our Forms Authentication log-in page.
According to my colleague who implemented the login solution, this is even
better, as the ActiveDirectoryMembershipProvider seems to require the
password characteristics to be given in the web.config, where we
don't think they belong, as password characteristics are already given by
company policies and provided by AD.

Your help has been quite appreciated, Steven. Hope the solution we've found
may help someone else having the same problem.

Best regards,
www.axeldahmen.com
Axel Dahmen

Aug 28 '07 #3
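
An added example, not code from this thread: the poster's implementation is not shown, so this assumes "standard Windows Security API" means the Win32 `LogonUser` call. It shows how a Forms Authentication log-in page can tell the "must change password" state apart from a failed logon and withhold the authentication ticket until the password has been changed. `WindowsLogon`, `LogonResult`, `HandleLogin` and `~/ChangePassword.aspx` are hypothetical names.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Web;
using System.Web.Security;

public enum LogonResult { Success, MustChangePassword, Denied }

public static class WindowsLogon
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PASSWORD_EXPIRED = 1330;
    const int ERROR_PASSWORD_MUST_CHANGE = 1907;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Checks the credentials and reports "must change password" as its own state.
    public static LogonResult Validate(string user, string domain, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password,
                      LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token); // only the verdict is needed, not the token
            return LogonResult.Success;
        }
        int error = Marshal.GetLastWin32Error();
        if (error == ERROR_PASSWORD_MUST_CHANGE || error == ERROR_PASSWORD_EXPIRED)
            return LogonResult.MustChangePassword;
        return LogonResult.Denied; // wrong password, disabled, locked out, ...
    }

    // Called from the log-in page: no ticket is issued in the must-change state.
    public static bool HandleLogin(HttpResponse response, string user,
                                   string domain, string password)
    {
        LogonResult result = Validate(user, domain, password);
        if (result == LogonResult.Success)
            FormsAuthentication.RedirectFromLoginPage(user, false);
        else if (result == LogonResult.MustChangePassword)
            response.Redirect("~/ChangePassword.aspx"); // hypothetical page
        return result != LogonResult.Denied; // false: show one generic error
    }
}
```

The change-password page must ask for the old password again, since no authenticated session exists at that point.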
Hi Axel,

Thanks for your followup.

Glad that you've got the answer to this issue. Of course, this will benefit
other community members who encounter the same problem.

Thanks again for sharing it with us!

Have a good day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Aug 29 '07 #4
