Re: Can't log in user having "must change password" flag set (Forms Au



Hi Axel,

Thanks for your followup.

Glad that you've got the answer to this issue. Of course, this will benefit
other community members who encounter the same problem.

Thanks again for sharing it with us!

Have a good day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
From: "Axel Dahmen" <KeenToKnow@xxxxxxxxxxxxxxxxx>


Hi Steven,

Thank you for your answer.

Yes, we're using ASP.NET's default ActiveDirectoryMembershipProvider. One of
my colleagues has opened a ticket with MS on the same day and that's what
they've found out:

The ActiveDirectoryMembershipProvider does not allow users having the "User
must change password on next logon...." flag set to log in. According to MS
this is by design: Because the ActiveDirectoryMembershipProvider doesn't
provide a mechanism to force the user to give a new password at log on,
authentication is blocked.

We've now created an alternative implementation for our users to log on
using standard Windows Security API in our Forms Authentication log-in page.
According to my colleague who implemented the login solution this is even
better as for the ActiveDirectoryMembershipProvider it seems that it
requires the password characteristics to be given in the web.config where we
don't think they belong in as password characteristics are already given by
company policies and provided by AD.

Your help has been quite appreciated, Steven. Hope the solution we've found
may help someone else having the same problem.

Best regards,
www.axeldahmen.com
Axel Dahmen
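
A sketch of the kind of log-in check described in the message above, added here as an example; it is not the code Axel's team wrote and is not from the original thread. It assumes the Win32 LogonUser call is the "Windows Security API" in question; the class, enum and method names are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;

// Hypothetical result type for the log-in page to act on.
public enum AdLogonResult { Success, MustChangePassword, Failed }

public static class WindowsLogon
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PASSWORD_EXPIRED = 1330;
    const int ERROR_PASSWORD_MUST_CHANGE = 1907;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public static AdLogonResult Validate(string user, string domain, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token); // only the verdict is needed, so release the token
            return AdLogonResult.Success;
        }

        // Read the error immediately, before any other call can overwrite it.
        int err = Marshal.GetLastWin32Error();

        // The account needs a new password. Do not issue a Forms Authentication
        // ticket here; send the user to a change-password step that asks for the
        // old password again, and only sign them in after the change succeeds.
        if (err == ERROR_PASSWORD_MUST_CHANGE || err == ERROR_PASSWORD_EXPIRED)
            return AdLogonResult.MustChangePassword;

        // Wrong password, disabled, locked out, and so on: report one generic
        // failure to the browser and log the numeric code on the server.
        return AdLogonResult.Failed;
    }
}
```

In the log-in page, only AdLogonResult.Success should lead to FormsAuthentication.RedirectFromLoginPage; password length and complexity stay enforced by the domain policy when the change is submitted, so nothing about them needs to be in web.config.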



---------------------------
"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in newsgroup post
news:kE4nGKg5HHA.5204@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Axel,

From your description, you're using forms authentication which validates the
logon user against the domain Active Directory; however, you found that for
those user accounts which have been marked with the "User must change
password on next logon...." flag, you cannot get them to log in through the
membership API, correct?

As for this issue, I'd like to confirm the following things first:

** Whether you're using the built-in ASP.NET 2.0
ActiveDirectoryMembershipProvider to do the authentication for your
membership service?

** Have you tried creating a new simple ASP.NET web app and using the AD
membership provider to see whether you can repeatedly repro this problem?

So far, based on my research, there do exist some known issues with the AD
membership provider; however, what is surprising me is that those known
issues indicate that the built-in ADmembershipProvider will allow a "User
must change password..." account to log on through the ASP.NET membership
service (login control). This seems totally opposite to your case.
Therefore, I think there might be something else that causes the behavior.

Please feel free to let me know if there is anything I missed or anything
else you found.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead





