Active Directory Web-Based Password Reset

thalm thalm at netcabo.pt
Tue Nov 18 20:38:19 GMT 2003


Jason,
 
The quick and functional way.
Note that this "way" is not taking into account much of the security needed, although some security measures have been taken.
Such as:
- The message returned to the user must always be the same, regardless of the error that occurred.
- IIS uses NTLM (Integrated Windows Authentication)
- IIS uses SSL
One "must-do" is to log the error messages (with username and domain) in some place (such as EventLog) so that a reported problem can be further analysed and solved.
 
Another way that needs further analysis is how to do it using Kerberos.
You would need a SPN (Service Principal Name) and Delegation.
Haven't had the time to investigate, so a simpler version follows using NTLM.
 
>>>> HTM page <<<<
IIS with SSL, NTLM (Integrated Windows Authentication)
A page with a form asks for (.htm):
- last password
- new password
- confirm new password
 
>>>> ASP page <<<<
After posting do (.asp):
- sDomain (via Request.ServerVariables("LOGON_USER"))
- sUsername (via Request.ServerVariables("LOGON_USER"))
- sOldPwd (via Request.QueryString)
- sNewPwd (via Request.QueryString)
- Execute the following script:
 
--------------------------------------------------------------------
' Let failures set Err instead of aborting the page; the Err.Number
' checks below only work with this in place.
On Error Resume Next

' First try: bind with the caller's own (NTLM-impersonated) token
Set oUser = GetObject("WinNT://" & sDomain & "/" & sUsername & ",user")
If Not IsObject(oUser) Then
     ' Second try: bind explicitly with the old password the user typed
     ' (last argument 1 = ADS_SECURE_AUTHENTICATION)
     Err.Clear
     Set oUser = GetObject("WinNT:").OpenDSObject( _
          "WinNT://" & sDomain & "/" & sUsername & ",user", sUsername, sOldPwd, 1)
End If
If Not IsObject(oUser) Then
     ' User does not exist
     If Err.Number = -2147024843 Then
          Response.Write "User does not exist or invalid password"
 
     ' An error occurred (Err.Number - Err.Description)
     Else 
          Response.Write "User does not exist or invalid password"
     End If
     Response.End
End If
 
' Clear any error left over from the first bind attempt, otherwise the
' check after ChangePassword fires even when the change succeeded.
Err.Clear
oUser.ChangePassword sOldPwd, sNewPwd
If Err.Number <> 0 Then
     ' Wrong password
     If Err.Number = -2147024810 Then
          Response.Write "User does not exist or invalid password"
 
     ' New password does not meet the password policy
     ElseIf Err.Number = -2147022651 Then
          Response.Write "User does not exist or invalid password"
 
     ' An error occurred (Err.Number - Err.Description)
     Else
          Response.Write "User does not exist or invalid password"
     End If
     Response.End
End If
Response.Write "Success"
--------------------------------------------------------------------
 
Hope it helps,
Tiago Halm
http://www.kodeit.org
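
The same ChangePassword flow as a complete classic ASP page, added here as an illustration; this is not Tiago's code and not part of the original post. It takes the account name only from LOGON_USER (so the caller can change only their own password), reads the passwords from the POST body instead of the query string, checks the confirmation field server-side, returns the one uniform message to the browser, and writes the real error (username and domain, never the passwords) to the Application event log via WScript.Shell.LogEvent. The form field names OldPwd, NewPwd and NewPwd2 are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
' Added example, not the original post's code. Assumed form fields:
' OldPwd, NewPwd, NewPwd2. Requires IIS with SSL and Integrated Windows
' Authentication, as in the post.
Option Explicit
On Error Resume Next

' One message for every failure, so the page does not reveal whether the
' account exists or which check failed.
Const MSG_FAIL = "User does not exist or invalid password"

Dim sLogon, aParts, sDomain, sUsername, sOldPwd, sNewPwd, sNewPwd2, oUser

' Integrated Windows Authentication gives DOMAIN\user. The account name is
' never taken from the form, so a user can only change his own password.
sLogon = Request.ServerVariables("LOGON_USER")
aParts = Split(sLogon, "\")
If UBound(aParts) <> 1 Then
     Response.Status = "401 Unauthorized"
     Response.End
End If
sDomain   = aParts(0)
sUsername = aParts(1)

' Passwords come from the POST body (Request.Form), not the query string,
' so they do not end up in the IIS logs, proxies or browser history.
sOldPwd  = Request.Form("OldPwd")
sNewPwd  = Request.Form("NewPwd")
sNewPwd2 = Request.Form("NewPwd2")

' Log the detail for the help desk and send the uniform message to the user.
Sub LogAndFail(sDetail)
     On Error Resume Next
     Dim oShell
     Set oShell = CreateObject("WScript.Shell")
     ' Event type 1 = error, written to the Application log (source "WSH").
     ' Only username and domain are logged, never a password.
     oShell.LogEvent 1, "Password change failed for " & sDomain & "\" & _
          sUsername & ": " & sDetail
     Response.Write MSG_FAIL
     Response.End
End Sub

' Server-side checks; do not rely on the .htm form to enforce these.
If sNewPwd <> sNewPwd2 Then LogAndFail "new password confirmation mismatch"
If Len(sNewPwd) = 0 Then LogAndFail "empty new password"

' Bind explicitly with the old password the user typed
' (last argument 1 = ADS_SECURE_AUTHENTICATION); a wrong one fails here.
Err.Clear
Set oUser = GetObject("WinNT:").OpenDSObject( _
     "WinNT://" & sDomain & "/" & sUsername & ",user", sUsername, sOldPwd, 1)
If Err.Number <> 0 Or Not IsObject(oUser) Then
     LogAndFail "bind failed, 0x" & Hex(Err.Number) & " " & Err.Description
End If

' ChangePassword (unlike SetPassword) requires the old password, so the
' page never needs an account with reset rights on other users.
Err.Clear
oUser.ChangePassword sOldPwd, sNewPwd
If Err.Number <> 0 Then
     ' Covers -2147024810 (wrong password) and -2147022651 (policy) alike.
     LogAndFail "ChangePassword failed, 0x" & Hex(Err.Number) & " " & Err.Description
End If

Response.Write "Success"
%>
```

The worker process identity must be allowed to write to the Application event log for LogEvent to succeed; if it is not, the Sub still returns the uniform message, it just loses the detail. Hex(Err.Number) turns the negative VBScript error number into the familiar HRESULT form (for example 80070056 for a wrong password), which is easier to look up than the decimal value.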
 

	-----Original Message----- 
	From: Jason Brooks [mailto:jbrooks at longwood.edu] 
	Sent: Tue 11/18/2003 3:09 PM 
	To: unisog at sans.org 
	Cc: security-basics at securityfocus.com 
	Subject: Active Directory Web-Based Password Reset
	
	


	We are looking at implementing a web-based password reset system for our
	entire campus.  This would allow us numerous enhancements and security
	benefits without requiring a 24 hour help desk staff.  I know that there
	are disadvantages to such a system.  Our initial plan is to develop one
	in-house.  So doing, we don't want to reinvent the wheel, or follow others
	into known pitfalls.  So, what I am requesting is any advice, war stories,
	suggestions, pitfalls, etc you can muster.
	
	Thanks,
	Jason
	
	Jason Brooks
	Information Security Technician
	IITS
	116 - B Coyner
	Longwood University
	201 High Street
	Farmville, VA 23901
	(434) 395-2796
	