DirectoryEntry authentication server different than bind?

I have a vb.net dll that has two functions: one allows a user to change
their password in AD, the second allows the user to view their
distinguishedname (based on their samaccountname). Both bind via an
SSL connection and appear to work well.

I am implementing the dll through an asp interface on the DC that holds
the fsmo role of PDC in a domain with several DCs with a replication
delay of up to an hour between the DCs.

The issue I am seeing is that after a user successfully changes their
password they are able to successfully query AD for their distinguished
name with their OLD password for a while (I am assuming until
replication notifies whichever server they are authenticating against
that their password has changed - at which point the dll throws an
"unknown username or bad password" error). The problem is that I am
pointing to the PDC emulator (the server that the asp/dll runs on) to
make the change - so I would ASSUME that this same box authenticates the
username and password... ??

Any thoughts would be welcome.

Code snippet below:

    Imports System.DirectoryServices

    Private iRtnCodeVal As Int32 = 1
    Private sDirRoot As String = "dc=mydomain,dc=com"
    Private sServer As String = "PDCEmulatorDC/"
    Private sDomain As String = "MyDomain"

    Public Function ChangePW(ByVal uName As String, ByVal oldPass As String, _
                             ByVal newPass As String) As Boolean

        ' Look the user's DN up first, binding with the OLD password.
        Dim uDN As String = GetDN(uName, sDomain & "\" & uName, oldPass)
        If iRtnCodeVal <> 0 Then
            ChangePW = False
            Exit Function
        End If

        ' Simple bind over SSL, explicitly against the PDC emulator.
        Dim uDE As New DirectoryEntry("LDAP://" & sServer & uDN)
        uDE.AuthenticationType = AuthenticationTypes.SecureSocketsLayer
        uDE.Username = sDomain & "\" & uName
        uDE.Password = oldPass

        Try
            ' IADsUser.ChangePassword returns nothing; success is signalled
            ' by the absence of an exception.
            uDE.Invoke("ChangePassword", New Object() {oldPass, newPass})
            iRtnCodeVal = 0
            ChangePW = True
        Catch ex As Exception
            iRtnCodeVal = Err.Number()
            ChangePW = False
        Finally
            uDE.Close()
        End Try
    End Function
    '------------------
    Public Function GetDN(ByVal nameToFind As String, ByVal authU As String, _
                          ByVal authPW As String, _
                          Optional ByVal useSSL As Boolean = True) As String

        If InStr(authU, "\") = 0 Then   ' Will come in WITH <domain>\ from ChangePW
            authU = sDomain & "\" & authU
        End If

        Dim theEntry As New DirectoryEntry("LDAP://" & sServer & sDirRoot)
        If useSSL Then theEntry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer
        theEntry.Username = authU
        theEntry.Password = authPW

        Dim theSearcher As New DirectorySearcher(theEntry)
        theSearcher.SearchScope = SearchScope.Subtree
        ' NOTE: nameToFind comes straight from the web form; it should be
        ' filter-escaped (RFC 4515) before being spliced into the LDAP filter.
        theSearcher.Filter = "(&(samaccountname=" & nameToFind & "))"
        theSearcher.PropertiesToLoad.Add("distinguishedname")

        Try
            Dim Rslt As SearchResult = theSearcher.FindOne()

            If Not Rslt Is Nothing Then
                Dim prop As Object
                Dim outTxt As String = ""
                For Each prop In Rslt.Properties("distinguishedname")
                    outTxt = prop.ToString()
                Next
                GetDN = outTxt
                iRtnCodeVal = 0
            Else
                GetDN = ""
                iRtnCodeVal = 2
            End If
        Catch ex As Exception
            GetDN = ""
            iRtnCodeVal = Err.Number()
        Finally
            theEntry.Close()
        End Try
    End Function

Nov 22 '05 #1
On that IIS machine, did you do anything with the cache?
It sounds like a user token caching issue from what you described. It's
also possible there have been some GPO changes that would affect this.

Some questions to help narrow this:
Can you test and see exactly how long that window is?
Can you provide more about the architecture? I.e. is the DC running IIS? Is
IIS running on another server and the dll is loaded on the DC?
What is the replication topology?
What client is the user using that allows them to use the old password after
changing it here?

Al


Nov 22 '05 #2
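Al's question about the size of the window is the useful first check. As an added example (not code from this thread; hostnames, passwords and the 15-minute delay are constructed), this models a simple bind that each DC validates against its own replica and polls every DC with the old password after a change, so the measurement shows which DC is actually honouring the stale credential; `bind` is injected so the same loop can be pointed at real DCs.

```python
from dataclasses import dataclass, field


@dataclass
class DomainController:
    """One DC's replica of user passwords plus updates still in transit to it."""
    passwords: dict = field(default_factory=dict)   # samaccountname -> password
    pending: list = field(default_factory=list)     # (apply_at, user, password)

    def simple_bind(self, user: str, password: str, now: float) -> bool:
        """LDAP simple bind as DirectoryEntry does it with only SecureSocketsLayer
        set: the DC validates against ITS OWN replica as it stands at `now`."""
        still_pending = []
        for apply_at, u, pw in self.pending:
            if apply_at <= now:
                self.passwords[u] = pw              # replication has landed
            else:
                still_pending.append((apply_at, u, pw))
        self.pending = still_pending
        return self.passwords.get(user) == password


def change_password_on_pdc(dcs: dict, pdc: str, user: str, old: str, new: str,
                           now: float, delay: float) -> None:
    """The thread's ChangePW: write at the PDC; other DCs see it `delay` s later."""
    if not dcs[pdc].simple_bind(user, old, now):
        raise PermissionError("unknown username or bad password")
    dcs[pdc].passwords[user] = new
    for name, dc in dcs.items():
        if name != pdc:
            dc.pending.append((now + delay, user, new))


def measure_old_password_window(bind, dc_names: list, user: str, old: str,
                                change_time: float, poll: float, max_wait: float) -> dict:
    """Al's question, 'how long is that window?': poll each DC by name with the
    OLD password and return, per DC, seconds until it first rejected it.
    `bind(dc_name, user, password, now)` is whatever performs the real bind."""
    rejected_at = {}
    t = change_time
    while t <= change_time + max_wait and len(rejected_at) < len(dc_names):
        for name in dc_names:
            if name not in rejected_at and not bind(name, user, old, t):
                rejected_at[name] = t - change_time
        t += poll
    return rejected_at


def run_scenario(replication_delay: float = 15 * 60) -> dict:
    """Constructed domain: a PDC emulator plus two DCs 15 minutes behind it."""
    dcs = {n: DomainController({"jdoe": "OldPass1"}) for n in ("PDC", "DC2", "DC3")}
    change_password_on_pdc(dcs, "PDC", "jdoe", "OldPass1", "NewPass2", 0.0, replication_delay)
    bind = lambda dc, u, pw, now: dcs[dc].simple_bind(u, pw, now)
    return measure_old_password_window(bind, list(dcs), "jdoe", "OldPass1", 0.0, 60.0, 3600.0)
```

In the model the PDC rejects the old password at once while the lagging DCs accept it for the full replication interval; a real run that shows the PDC itself still accepting it points at something other than replication, such as the credential caching Al raises.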
Thanks for the response.
The IIS server is on the DC itself - in my test environment - it is the
PDC. And it calls the DLL local to IIS.

The only thing that allows me to use the old password is the query
function (GetDN) through the same web interface/dll - and only until
replication takes place (set to 15 minutes between DCs).

Nov 22 '05 #3
What have you done to date regarding the caching?
IIRC, IIS will cache the user's credentials. I assume you're saying that
the user can see the directory objects with the old credentials via the same
web interface? If not, correct me as it may be something else.

Al


Nov 22 '05 #4
I haven't really looked at caching - as the only way to query the
directory through the web interface is via this DLL - which accepts the
username/password from the form and theoretically makes a new bind via
SSL LDAP each time.
I am not relying on IIS for authentication at all. Should I be worried
about the cache in this case?

Nov 22 '05 #5
Theoretically?
I don't honestly have enough information to know for sure if the cache would
be involved in this. Your code and architecture are your own. But it seems
logical that you're running into a caching of credential information based
on the symptoms, and IIS is known to do that. It seems a decent theory but
one I can't prove/disprove in this medium. It's best for you to have a look
at your code step by step during the error condition and see if you can spot
the issue. It might also help to drop a note to the ADSI newsgroups and
possibly the .net newsgroups to see if anyone has had this issue already and
solved it (hopefully).

Al


Nov 23 '05 #6
