[C#] [IIS7] Password change utility using HttpModules


Question

IIS6 has a component called IISADMPWD, which allowed users to change passwords when they expired or were marked for change on the next logon. IIS7 does not have this feature, and importing the feature from IIS6 did not work.

However, you can create HTTPModules in .NET, which allow you to capture events in the HTTP Request pipeline. I am trying to write a similar component like the IISADMPWD, but there are not really any good examples posted.

Has this idea been abandoned by Microsoft and all the web developers?

I was able to write some code to check a user's credentials against Active Directory and redirect them to a password change page. The only problem is that it doesn't seem to be 100%.

Has anyone seen this idea around or has anyone implemented it?

7 answers to this question

  • 0
What way did you try importing the feature? It was removed from IIS7 because the functionality now lies in Exchange and ISA.

Here is a guide: http://www.microsoft.com/communities/newsg...p;sloc=&p=1

  • 0

Yeah, I already tried that, and it never fired the password change forms like it did in IIS6. This is for use in web applications, not Outlook Web Access, so we don't have that built-in functionality. Also we are not running the ISA software. Writing a plugin to the HTTP pipeline was our last option I believe.

  • 0

So you're looking for the ability to change AD passwords from .NET? There are ways of doing that in either Web or Desktop .NET apps, but for Web especially you need to configure the app to run under an account that has the permissions to do so, or you can impersonate said user to do it too.

  • 0

Yeah, definitely. Our app pools are all running as a service account, with impersonation turned on. That way there shouldn't be any permission problems preventing the users from changing their password. It's just the HttpModule we wrote, it is not 100% for some reason. It is more than likely firing 50% of the time for some reason. I've been trying to find other examples that use the same idea as us, but it doesn't appear anyone is doing this. We basically write a HttpModule that inherits from IHttpModule. Then you subscribe to an event: AuthenticateRequest, AuthorizeRequest, or AcquireRequestState... one of them. Then you have to perform your AD code to check the password expiration status. Then based on that, you let them into the app or pass them to a password change page. That's how the IISADMPWD component from IIS6 worked. So my problem is that my event subscription does not always appear to be running...

Still researching, because it could be because of the order of the events in the Pipeline.

Each Http request will be hit in the code, so you have to filter out the unwanted requests. Otherwise you will be checking AD on every request and that will be bad.

  • 0

This page contains a sample of what I am trying to do. I am not trying to recreate Basic Authentication like this article. I am just trying to check an AD property on a user, once per session if possible. I do my check in the AuthenticateUser function. I removed some items from this article that apply to rewriting the BasicAuthentication.

http://learn.iis.net/page.aspx/170/develop...dule-using-net/

  • 0

I just wanted to expand upon more of my observations/investigation in case it would help.

I set my flag and restarted the app pool.

Tried to log in, but keep getting prompted. BeginRequest, AuthenticateRequest, and EndRequest are not firing.

Unset my flag.

Tried logging in and got in. BeginRequest, AuthenticateRequest, and EndRequest are firing.

Closed browser.

Set my flag.

Tried logging in and went to password change page. BeginRequest, AuthenticateRequest, and EndRequest are firing.

So I assume that IIS will not BEGINREQUEST unless the user has been authenticated prior. Does that sound like a system policy?

This topic is now closed to further replies.
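
The design described in the thread (an IHttpModule that checks an AD property once per session and filters out every other request), as an added example that is not code from any poster. It assumes Windows-authenticated users, a hypothetical change page at ~/ChangePassword.aspx and a hypothetical session key, and it checks only the "must change password at next logon" flag, not age-based expiry.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;

// Added example, not from the thread. The page URL and session key are assumed names.
public class PasswordChangeCheckModule : IHttpModule
{
    private const string ChangePasswordUrl = "~/ChangePassword.aspx"; // hypothetical page
    private const string CheckedKey = "PwdStatusChecked";             // hypothetical key

    public void Init(HttpApplication app)
    {
        // Session state is not loaded yet during AuthenticateRequest or
        // AuthorizeRequest, so a once-per-session check has to run after it is acquired.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Skip requests with no session (e.g. static files) and anonymous requests.
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        // Skip the change page itself, otherwise the redirect loops.
        string changePage = VirtualPathUtility.ToAbsolute(ChangePasswordUrl);
        if (string.Equals(ctx.Request.Path, changePage, StringComparison.OrdinalIgnoreCase)) return;
        // Skip sessions that already passed the check: one AD lookup per session.
        if (ctx.Session[CheckedKey] != null) return;

        if (MustChangePassword(ctx.User.Identity.Name))
        {
            ctx.Response.Redirect(ChangePasswordUrl, false);
            ctx.ApplicationInstance.CompleteRequest(); // jump to EndRequest
            return;
        }
        ctx.Session[CheckedKey] = true;
    }

    private static bool MustChangePassword(string identityName)
    {
        using (var domain = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(domain, identityName))
        {
            // Relies on LastPasswordSet being null when pwdLastSet is 0 in AD.
            return user != null && user.LastPasswordSet == null;
        }
    }
}
```

In IIS7 integrated mode the module is registered under `<system.webServer><modules>` in web.config.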