[THIN] Re: OT: Changing NT password through an SSL website

  • From: Frederic Allaert <frederic.allaert@xxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 11 Mar 2004 09:12:57 +0100

Hello Evan,
I think this is what you're after...
Below is some code for changing (expired) passwords through a web form
which I've written for our Intranet. It's dirty code, but it does the job...
Note wrapping may have occurred when posting.

************************************
' Classic ASP (VBScript): change an (expired) NT/AD password from a web form.
Option Explicit
Const ADS_SECURE_AUTHENTICATION = 1   ' ADS_AUTHENTICATION_ENUM value for OpenDSObject
Dim user, oldpass, newpass1, Domain
Dim oUser, oTrans, sAdsPath, dso, u

user = Request.Form("username")
oldpass = Request.Form("passwordold")
newpass1 = Request.Form("passwordnew1")
Domain = "YOURDOMAIN"

' Check if account is locked...
Set oUser = GetObject("WinNT://" & Domain & "/" & user)
If oUser.IsAccountLocked Then
    Response.Write "<script language=""JavaScript"">window.alert('Your user account is locked due to at least x invalid login attempts.');</script>"
    Response.Redirect "/login.asp"
    Response.End
End If
Set oUser = Nothing

' Find LDAP path... (NameTranslate constants: ADS_NAME_INITTYPE_DOMAIN = 1,
' ADS_NAME_TYPE_NT4 = 3 for "DOMAIN\user", ADS_NAME_TYPE_1779 = 1 for the DN)
Set oTrans = CreateObject("NameTranslate")
oTrans.Init 1, Domain
oTrans.Set 3, Domain & "\" & user
sAdsPath = oTrans.Get(1)
Set oTrans = Nothing
' Response.Write "LDAP path: " & sAdsPath

' Change password (bind as a domain account that may change passwords; the
' user's own old password is still verified by ChangePassword)
On Error Resume Next
Set dso = GetObject("LDAP:")
Set u = dso.OpenDSObject("LDAP://" & sAdsPath, Domain & "\adminuser", _
                         "adminpass", ADS_SECURE_AUTHENTICATION)
u.ChangePassword oldpass, newpass1
Set u = Nothing
Set dso = Nothing

If Err.Number <> 0 Then
    AdsiErr()
Else
    Response.Write "Change successful..."
    Response.End
End If

Sub AdsiErr()
    Dim e, h, ServerName
    e = Err.Number
    h = Hex(e)   ' negative HRESULTs come out as 8 hex digits, e.g. "80005000"

    If h = "80005000" Then
        Response.Write "An invalid ADSI pathname was passed. "
    ElseIf h = "1A8" Then
        ServerName = Request.ServerVariables("SERVER_NAME")
        Response.Write "<font color=red><b>The web server " & ServerName & " does not have permission to change passwords using HTML mode. In order to be granted this permission, the web server must be a domain controller in the " & Domain & " domain or this .asp script must be served by a domain admin account instead of the IUSR_<I>MachineName</I> account.</b></font>"
        Response.Write "<br><br><a href='JavaScript:history.go(-1);'><b>Click here to try again...</b></a>"
    ElseIf h = "800041E4" Then
        Response.Write "<font color=red><b>Username not found.</b></font>"
        Response.Write "<br><br><a href='JavaScript:history.go(-1);'><b>Click here to try again...</b></a>"
    ElseIf h = "8007052F" Then
        Response.Write "<font color=red><b>Your password could not be changed. Each password must be used for at least x days.</b></font>"
        Response.Write "<br><br><a href='/login.asp'><b>Click here to go back to the login page...</b></a>"
    ElseIf h = "80070056" Then
        ' user is echoed back into the page: encode it for HTML and for the URL
        Response.Write "<font color=red><b>The username or old password is incorrect. <P> <A HREF=""chgpass.asp?username=" & Server.URLEncode(user) & """>Please try again.</A></b></font>"
    ElseIf h = "800708C5" Then
        Response.Write "<font color=red><b>The new password does not meet the password policies. The password may be too short or you have already used this password recently. <P> <A HREF=""chgpass.asp?username=" & Server.URLEncode(user) & """>Please try again.</A></b></font>"
    Else
        Response.Write "<font color=red><b>Unable to change password. Debugging information:<P>"
        Response.Write "Unexpected Error " & e & " (" & h & ")"
        Response.Write "<br><br><a href='JavaScript:history.go(-1);'><b>Click here to try again...</b></a></b></font>"
    End If
End Sub
************************************

Be aware that you'll have to run the .asp page under a domain account
that has specific permissions in Active Directory to make password changes.
You can alter this via the IIS MMC console.

Kind regards,

Frederic

-----Original Message-----
From: Evan Mann [mailto:emann@xxxxxxxxxxxxxxxxxxxxx] 
Sent: donderdag 11 maart 2004 1:05
To: thin@xxxxxxxxxxxxx
Subject: [THIN] OT: Changing NT password through an SSL website

Hoping someone has seen someone do this or knows of a way to do this.

A large number of my users are not connected to the domain.  This makes
it difficult to enable GPOs for expiring passwords every 90 days
because their ONLY interaction with something that can talk to the
domain is via websites that require auth (NT Auth).

What I ideally want is to be able to set the password age in the GPO and
every time they auth to the website, it will check to see if that
parameter has been met, and if so, prompt them to change their password,
and then let them into the website.

If this cannot be done, my next step would be to manually set the "user
must change password at next logon" field and have something that checks
against this field every time they try to auth to a website.

This would be done via SSL so there are no plain text passwords.  It
would obviously have to be some kind of application/ISAPI/ASP/whatever
that runs as the actual auth, instead of relying on the IIS auth.  I'm
just not sure if something exists, or can be coded to do this.
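The check the question asks for (has the GPO password age been reached, or has "must change password at next logon" been set?) comes down to comparing three AD attributes, which is easy to get wrong because of their encoding. The following is an added example, not code from either post; it assumes the web application has already read the user's pwdLastSet and userAccountControl and the domain's maxPwdAge (for instance through ADSI, as in Frederic's script) and only shows the decision logic on constructed values.

```python
"""Decide whether a web login must be sent to the change-password page.

Encodings involved (from the AD schema, not from the posts):
  pwdLastSet          Int64 FILETIME, 100-ns intervals since 1601-01-01 UTC;
                      0 means "user must change password at next logon"
  maxPwdAge           domain-wide Int64, NEGATIVE 100-ns interval;
                      Int64.MinValue (or 0) means passwords never expire
  userAccountControl  bit flags; 0x10000 = DONT_EXPIRE_PASSWD
"""
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000
MAXPWDAGE_NEVER = -0x8000000000000000  # Int64.MinValue, stored when GPO age is 0


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers can build aware UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD Int64 timestamp (e.g. pwdLastSet) to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample pwdLastSet values."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_status(pwd_last_set: int, user_account_control: int,
                    max_pwd_age: int, now: datetime) -> str:
    """Return 'must_change', 'expired' or 'ok' for one logon attempt."""
    if pwd_last_set == 0:                      # admin ticked "change at next logon"
        return "must_change"
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "ok"                            # per-account exemption
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return "ok"                            # no maximum age in the domain
    # maxPwdAge is negative, so subtracting it ADDS the allowed lifetime.
    expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)
    return "expired" if now >= expires_at else "ok"


if __name__ == "__main__":
    # Constructed sample: 90-day GPO, password last set 1 Jan 2004.
    ninety_days = -90 * 24 * 3600 * 10_000_000
    last_set = datetime_to_filetime(utc(2004, 1, 1))
    for day in (utc(2004, 3, 1), utc(2004, 4, 1)):
        print(day.date(), password_status(last_set, 0x200, ninety_days, day))
```

A web front end would call password_status on every authentication and, for 'must_change' or 'expired', redirect to the change-password form instead of the requested page.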

********************************************************
This weeks sponsor Emergent Online.
Emergent OnLine is the leading server-based computing consulting integration
firm in the nation. Emergent OnLine delivers expert 
consulting services you can depend on.
http://www.go-eol.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
