Changing Active Directory Password from ASP.Net Web Page

[Chris Bingham]

Hi,

I’m trying to create a simple ASP.Net 2 web page to allow users to alter
their Active Directory passwords, but I can’t seem to get it working and I
was hoping someone might be able to help me please?
Basically, the situation I’m in is this. I have a small, air-gapped network
for a very limited number of users, about half of who work on Linux systems.
To support them, I’m using Server 2003 R2 with ID Management for Uinx, and I
had planned on using the Password Synchronisation components that come with
IDMU to allow these users to change their passwords. However, the compiled
versions that are supplied don’t work on Redhat Enterprise Linux 4 x64 (which
the Linux systems are running), and the source code that comes with them
won’t compile on it either.

So my plan-b was the web page, and I eventually came up with the following
code;

Dim result As Boolean
Dim ADConnect As New ActiveDirectoryMembershipProvider
Dim config = New System.Collections.Specialized.NameValueCollection()

config.Add("connectionStringName", "ADService")
config.Add("connectionUsername", txtUserName.Text)
config.Add("connectionPassword", txtCurPasswd.Text)
config.Add("connectionProtection", "Secure")
config.Add("enableSearchMethods", "true")
ADConnect.Initialize(ADConnect.Name, config)
result = ADConnect.ChangePassword(txtUserName.Text,
txtCurPasswd.Text, txtNewPasswd1.Text)

with ‘ADService’ being this code in the web.config file;

<add name="ADService" connectionString="LDAP://Server.Lock-Martin.local"/>


However, the result I get back off this (the value of ‘result’) is always
‘false’! I don’t get any error messages, anywhere, it just doesn’t work!!!

I tested that I could connect to AD via LDAP OK using ldp and the same test
user name & password I’d be testing the web page with, it connected OK and I
could view the properties of the test user object.

I tried disabling all of the password policy requirements, but it still
fails! To be honest, I’m not really a proper programmer (I write occasional
scripts, and know a little of VB.Net), and I’m out of ideas with this one!

Any help o advice anyone can give would be greatly appreciated!

Thanks,
Chris

 

[Joe Kaplan]

Is it important for you to use the AD membership provider to implement this,
or are you willing/interested in just coding this functionality directly? I
don't really know why the AD membership provider isn't working and isn't
providing good feedback either, but you can definitely get more control over
the situation by just calling the appropriate AD change password logic
directly.

There's actually a pretty thorough discussion of this topic in ch 10 of my
book, which you can get as a free download from the website in my sig. You
might want to check that out.

Unfortunately, this all does sort of assume you are a developer, so it might
be too much for you to take on.

There is also built in functionality that ships with IIS 6 in the form of
the password admin pages that you may just be able to use directly without
having to code anything. That might be your best bet for a simple password
change site.

Joe K.

 

[Chris Bingham]

Hi Joe,

Thanks for your help!
I had a look at your website & book, but I'm afraid it's a bit beyond me!!

However, your comment about the IIS admin pages gave me an idea...
They weren't suitable themselves, because what I needed to achieve was for
users to be able to change their own passwords, but not anyone else’s. But,
by cannibalising Microsoft’s code, I was able to come up with this;

Dim objUser
Dim strADSIPath
Dim strServerName

'Gets the ComputerName from the system
strServerName = "Server_Nameâ€

'sets the path to the user
strADSIPath = "WinNT://" & strServerName & "/" &
txtUserName.Text & ",user"

'Gets the User from the system
objUser = GetObject(strADSIPath)
objUser.ChangePassword(txtCurPasswd.Text, txtNewPasswd1.Text)
objUser.SetInfo()

Session("Item1") = txtUserName.Text
bolPasswdChanged = True
objUser = Nothing

which works!!

Thanks again for your help, and I hope this code saves someone else all the
time I spent on it!

Thanks,
Chris