tags:

views:

684

answers:

3
+1  Q: 

How do I change a windows password through asp?

I have a web application that uses Integrated Windows Authentication to validate users. Most of them are remote and don't have access to a workstation to update their AD password.

Rather than manually managing passwords my self, I'd like to put together a script so they can change them on their own.

How would I update their windows password through ASP?

+2  A: 

There is a function in the System.DirectoryServices namespace that seems to be able to handle this. You will need to add a reference to it in order to use it.

Here is the article on how to change user passwords: http://msdn.microsoft.com/en-us/library/ms817839.aspx

Jon  2009-02-09 18:31:29
+1  A: 

If you are going to offer this in a website, you should consider the security implications. A self-service password changing website is generally considered a major security risk and is not common.

You mention that your users are remote. If the site will be public, how will they authenticate through Integrated Authentication? They only way I know to make this possible is through VPN. Otherwise, they will have to use Basic Authentication to enter their username and password. This is very insecure, even over SSL.

Here are some recommendations:

  • Secure the site using client certificates. If this is not possible use SSL at a minimum.
  • I would strongly recommend that you implement the actual password-changing logic in a secure webservice. The ASP.NET page should call the webservice to request the change.
  • You should store an audit trail of password changes. DO NOT store the passwords, just an event log of the user, time, and IP address.
  • Test very thoroughly to ensure that the integrated security is recognizing your users properly. Make sure that users cannot accidentally change other users' passwords.
Dave Swersky  2009-02-09 19:01:57
+1  A: 

http://support.microsoft.com/kb/555071

If you can set up IISADMPWD like this, you should be able to change passwords. This is actually an ASP application which relies on a COM component.

Note that IISADMPWD is obsolete and does not ship with IIS 7.0.

Lex Li  2009-02-14 10:25:58

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps