Re: Can't log in user having "must change password" flag set (Forms Au



Hi Steven,

thank you for your answer.

Yes, we're using ASP.NET's default ActiveDirectoryMembershipProvider. One of
my colleagues has opened a ticket with MS on the same day and that's what
they've found out:

The ActiveDirectoryMembershipProvider does not allow users having the "User
must change password on next logon...." flag set to log in. According to MS
this is by design: Because the ActiveDirectoryMembershipProvider doesn't
provide a mechanism to force the user to give a new password at log on,
authentication is blocked.

We've now created an alternative implementation for our users to log on
using the standard Windows Security API in our Forms Authentication log-in page.
According to my colleague who implemented the login solution, this is even
better, as the ActiveDirectoryMembershipProvider seems to require
the password characteristics to be given in the web.config, where we
don't think they belong, as password characteristics are already given by
company policies and provided by AD.

Your help has been quite appreciated, Steven. Hope the solution we've found
may help someone else having the same problem.

Best regards,
www.axeldahmen.com
Axel Dahmen



---------------------------
"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:kE4nGKg5HHA.5204@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Axel,

From your description, you're using forms authentication which validates
the logon user against the domain active directory; however, you found that
for those user accounts which have been marked with the "User must change
password on next logon...." flag, you can not get them to log in through the
membership API, correct?

As for this issue, I'd like to confirm the following things first:

** Whether you're using the built-in ASP.NET 2.0
ActiveDirectoryMembershipProvider to do the authentication for your
membership service?

** Have you tried creating a new simple ASP.NET web app and using the AD
membership provider to see whether you can repeatedly repro this problem?

So far, based on my research, there do exist some known issues of the AD
membership provider; however, what is surprising me is that those known issues
indicate that the built-in ADmembershipProvider will allow "User must
change password..." accounts to log on through the ASP.NET membership
service (login control). This seems totally opposite to your case.
Therefore, I think there might be something else that causes the behavior.

Please feel free to let me know if there is anything I missed or anything
else you found.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no
rights.
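
The kind of check the thread describes (validating credentials through the Windows Security API and telling "must change password" apart from a bad password), as an added example that is not the poster's or Microsoft's code. The names WindowsLogon, LogonResult and Validate are hypothetical, and a network logon type is assumed.

```csharp
// Added example; WindowsLogon, LogonResult and Validate are hypothetical names.
using System;
using System.Runtime.InteropServices;

public enum LogonResult { Success, MustChangePassword, Failed }

public static class WindowsLogon
{
    // Values from winbase.h and winerror.h.
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int ERROR_PASSWORD_EXPIRED = 1330;
    private const int ERROR_PASSWORD_MUST_CHANGE = 1907;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    public static LogonResult Validate(string user, string domain, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token);   // only the yes/no answer is needed here
            return LogonResult.Success;
        }

        // Read the error immediately, before any other P/Invoke call overwrites it.
        int error = Marshal.GetLastWin32Error();
        if (error == ERROR_PASSWORD_MUST_CHANGE || error == ERROR_PASSWORD_EXPIRED)
        {
            // Not authenticated yet: send the user to a change-password step
            // and issue the forms authentication ticket only after it succeeds.
            return LogonResult.MustChangePassword;
        }

        // Wrong password, unknown user, locked or disabled account: one generic
        // result, so the login page does not reveal which of these applied.
        return LogonResult.Failed;
    }
}
```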



