I have a web application that uses Integrated Windows Authentication to validate users. Most of them are remote and don't have access to a workstation to update their AD password.

Rather than manually managing passwords myself, I'd like to put together a script so they can change them on their own.

How would I update their Windows password through ASP?

+2  A: 

There is a function in the System.DirectoryServices namespace that seems to be able to handle this. You will need to add a reference to it in order to use it.

Here is the article on how to change user passwords: http://msdn.microsoft.com/en-us/library/ms817839.aspx

Jon
+1  A: 

If you are going to offer this in a website, you should consider the security implications. A self-service password changing website is generally considered a major security risk and is not common.

You mention that your users are remote. If the site will be public, how will they authenticate through Integrated Authentication? The only way I know to make this possible is through VPN. Otherwise, they will have to use Basic Authentication to enter their username and password. This is very insecure, even over SSL.

Here are some recommendations:

  • Secure the site using client certificates. If this is not possible use SSL at a minimum.
  • I would strongly recommend that you implement the actual password-changing logic in a secure webservice. The ASP.NET page should call the webservice to request the change.
  • You should store an audit trail of password changes. DO NOT store the passwords, just an event log of the user, time, and IP address.
  • Test very thoroughly to ensure that the integrated security is recognizing your users properly. Make sure that users cannot accidentally change other users' passwords.
Dave Swersky
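
An added example, not part of the answers above or of the linked Microsoft article: one way to combine the recommendations about binding the change to the authenticated user and keeping an audit trail. It uses `System.DirectoryServices.AccountManagement` rather than the plain `System.DirectoryServices` calls from the first answer; the class name, the event source name and a domain-joined web server are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class SelfServicePassword
{
    // Hypothetical event source; register it once at install time,
    // because creating a source at run time needs administrative rights.
    private const string AuditSource = "SelfServicePasswordChange";

    // 'caller' is the identity IIS authenticated for this request. The target
    // account is derived from its SID, never from a form field, so a user
    // cannot change another user's password.
    public static bool ChangeOwnPassword(WindowsIdentity caller, string oldPassword,
                                         string newPassword, string clientIp)
    {
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous || caller.User == null)
            throw new UnauthorizedAccessException("Authenticated Windows identity required.");

        string sid = caller.User.Value;
        string outcome = "error";            // overwritten below unless an unexpected exception escapes
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, sid))
            {
                if (user == null) { outcome = "account-not-found"; return false; }
                // Requires the old password, so the service account needs no reset rights.
                user.ChangePassword(oldPassword, newPassword);
                outcome = "success";
                return true;
            }
        }
        catch (PasswordException)
        {
            outcome = "rejected";            // change refused by the directory
            return false;
        }
        finally
        {
            // Audit trail: user, time, IP address and outcome. Passwords are never logged.
            string entry = string.Format("user={0} sid={1} ip={2} utc={3:o} outcome={4}",
                caller.Name, sid, clientIp, DateTime.UtcNow, outcome);
            EventLog.WriteEntry(AuditSource, entry,
                outcome == "success" ? EventLogEntryType.Information : EventLogEntryType.Warning);
        }
    }
}
```
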
+1  A: 

http://support.microsoft.com/kb/555071

If you can set up IISADMPWD like this, you should be able to change passwords. This is actually an ASP application which relies on a COM component.

Note that IISADMPWD is obsolete and does not ship with IIS 7.0.

Lex Li