We have a ASP.NET website for which users are authenticated using Basic authentication (along with SSL) configured in IIS. The user accounts are stored in Active directory. Currently when users try to navigate to the site, they are presented with login prompt (thrown by IIS) and once the details are entered, they are allowed in if the credentials are correct. All this is taken care of automatically by IIS and Active directory. But we have a new requirement to expire the password after some x number of days and if user tries to login after the password is expired, then we need to show "change password" dialog after user logs in. But I am not sure how this is possible, because once the password is expired and if I try to login after that, then login prompt is displayed again and again. Is there any option in IIS or somewhere else to show "change password" dialog to the user once password is expired (Just like how it works for windows passwords)? Though we can warn the user when the password is about to expire and provide an option to change it before it expires through a custom page, it will be nice to redirect the user to "change password" dialog after it is expired as well, so that it doesn't need to be reset manually by the customer support team.
我们有一个ASP.NET网站,使用IIS中配置的基本身份验证(以及SSL)对用户进行身份验证。用户帐户存储在Active目录中。目前,当用户尝试导航到该站点时,会向他们显示登录提示(由IIS抛出),一旦输入详细信息,如果凭据正确,则允许他们使用。所有这些都由IIS和Active目录自动处理。但是我们有一个新的要求,要求在x天后过期密码,如果用户在密码过期后尝试登录,那么我们需要在用户登录后显示“更改密码”对话框。但我不知道这是怎么回事是可能的,因为一旦密码过期,如果我在此之后尝试登录,则会一次又一次地显示登录提示。在密码过期后,IIS或其他任何地方是否有任何选项向用户显示“更改密码”对话框(就像它对Windows密码的工作原理一样)?虽然我们可以在密码即将到期时警告用户,并提供在通过自定义页面到期之前更改它的选项,但是在用户过期后将用户重定向到“更改密码”对话框也是很好的,所以它不需要由客户支持团队手动重置。
1 个解决方案
#1
1
Unfortunately, there is no simple way to do this.
不幸的是,没有简单的方法可以做到这一点。
Forget that you can do this with Basic authentication. This will always stuck and login/password prompt.
忘记您可以使用基本身份验证执行此操作。这将始终卡住并登录/密码提示。
If, on the other hand, you switch to Forms Authentication with ActiveDirectoryMembershipProvider, there is a chance.
另一方面,如果您使用ActiveDirectoryMembershipProvider切换到Forms身份验证,则有可能。
The chance comes from the fact that your login form can contain an additional link to a page that allows users to change their passwords. Such page would require users to provide the username, old and new password and would execute the ChangePassword method:
您的登录表单可以包含指向允许用户更改其密码的页面的附加链接。此类页面将要求用户提供用户名,旧密码和新密码,并执行ChangePassword方法:
How to programmatically change Active Directory password
如何以编程方式更改Active Directory密码
Unfortunately, the ad membership provider still won't tell your users whether they login/password combination is wrong or the password just expired. A custom provider is required that followsone of these approaches:
很遗憾,广告会员提供商仍然不会告诉您的用户他们的登录/密码组合是错误的还是密码刚刚过期。需要自定义提供程序遵循以下方法之一:
Validate a username and password against Active Directory?
验证Active Directory的用户名和密码?
#1
1
Unfortunately, there is no simple way to do this.
不幸的是,没有简单的方法可以做到这一点。
Forget that you can do this with Basic authentication. This will always stuck and login/password prompt.
忘记您可以使用基本身份验证执行此操作。这将始终卡住并登录/密码提示。
If, on the other hand, you switch to Forms Authentication with ActiveDirectoryMembershipProvider, there is a chance.
另一方面,如果您使用ActiveDirectoryMembershipProvider切换到Forms身份验证,则有可能。
The chance comes from the fact that your login form can contain an additional link to a page that allows users to change their passwords. Such page would require users to provide the username, old and new password and would execute the ChangePassword method:
您的登录表单可以包含指向允许用户更改其密码的页面的附加链接。此类页面将要求用户提供用户名,旧密码和新密码,并执行ChangePassword方法:
How to programmatically change Active Directory password
如何以编程方式更改Active Directory密码
Unfortunately, the ad membership provider still won't tell your users whether they login/password combination is wrong or the password just expired. A custom provider is required that followsone of these approaches:
很遗憾,广告会员提供商仍然不会告诉您的用户他们的登录/密码组合是错误的还是密码刚刚过期。需要自定义提供程序遵循以下方法之一:
Validate a username and password against Active Directory?
验证Active Directory的用户名和密码?