Possible to write plug-in to handle password expiry etc.?

Possible to write plug-in to handle password expiry etc.?

am 02.11.2007 10:01:19 von Dylan Nicholson

I'm trying to use IIS's Integrated Windows Authentication to take
advantage of various user management and security features of Windows,
namely password expiry and complexity checking.
But currently if your password expires, or the user flag "must change
password at next logon" has been set, then authentication simply fails
- i.e., IIS doesn't have a built-in mechanism for handling changing
passwords.
So my question is, is it possible to write some sort of plugin on
either the server or the browser side that handles this, that prompts
for a new password, checking it against complexity rules, then
changing it on the server (which presumably requires Admin
privileges)? Better still, does anyone know of an existing product
that does this? If not, what alternatives do I have?

Thanks

Dylan

Re: Possible to write plug-in to handle password expiry etc.?

am 02.11.2007 10:10:29 von Ken Schaefer

Are you talking about local users and passwords? or domain users and
passwords?

IIS has a change password option -
http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.com +IIS+Change+Password&meta=

It's utilised by Exchange OWA and ISA Server (amongst others) to allow users
to change their passwords.

Cheers
Ken

"Dylan Nicholson" wrote in message
news:1193961187.699777.24150@i38g2000prf.googlegroups.com...
> I'm trying to use IIS's Integrated Windows Authentication to take
> advantage of various user management and security features of Windows,
> namely password expiry and complexity checking.
> But currently if your password expires, or the user flag "must change
> password at next logon" has been set, then authentication simply fails
> - i.e., IIS doesn't have a built-in mechanism for handling changing
> passwords.
> So my question is, is it possible to write some sort of plugin on
> either the server or the browser side that handles this, that prompts
> for a new password, checking it against complexity rules, then
> changing it on the server (which presumably requires Admin
> privileges)? Better still, does anyone know of an existing product
> that does this? If not, what alternatives do I have?
>
> Thanks
>
> Dylan
>

Re: Possible to write plug-in to handle password expiry etc.?

am 02.11.2007 10:10:29 von Ken Schaefer

Are you talking about local users and passwords? or domain users and
passwords?

IIS has a change password option -
http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.com +IIS+Change+Password&meta=

It's utilised by Exchange OWA and ISA Server (amongst others) to allow users
to change their passwords.

Cheers
Ken

"Dylan Nicholson" wrote in message
news:1193961187.699777.24150@i38g2000prf.googlegroups.com...
> I'm trying to use IIS's Integrated Windows Authentication to take
> advantage of various user management and security features of Windows,
> namely password expiry and complexity checking.
> But currently if your password expires, or the user flag "must change
> password at next logon" has been set, then authentication simply fails
> - i.e., IIS doesn't have a built-in mechanism for handling changing
> passwords.
> So my question is, is it possible to write some sort of plugin on
> either the server or the browser side that handles this, that prompts
> for a new password, checking it against complexity rules, then
> changing it on the server (which presumably requires Admin
> privileges)? Better still, does anyone know of an existing product
> that does this? If not, what alternatives do I have?
>
> Thanks
>
> Dylan
>

Re: Possible to write plug-in to handle password expiry etc.?

am 02.11.2007 21:05:31 von Dylan Nicholson

Ken Schaefer wrote:
> Are you talking about local users and passwords? or domain users and
> passwords?

Don't care - the users/passwords are only relevant to the machine
hosting the IIS server. The client is only accessing the system via a
web browser (HTTP) and might well be on a non-Windows system.

>
> IIS has a change password option -
> http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.com +IIS+Change+Password&meta=
>
> It's utilised by Exchange OWA and ISA Server (amongst others) to allow users
> to change their passwords.
>
Yes, but that doesn't help the fact that the Integrated Windows
Authentication simply fails when the password has expired, and returns
a 401 Unauthorized (causing the browser to simply re-prompt for the
username/password). IOW, I need some of IIS plugin to trap the event
that occurs when a user password has expired, and redirect the
response to a page that handles password changing etc.

Re: Possible to write plug-in to handle password expiry etc.?

am 02.11.2007 21:05:31 von Dylan Nicholson

Ken Schaefer wrote:
> Are you talking about local users and passwords? or domain users and
> passwords?

Don't care - the users/passwords are only relevant to the machine
hosting the IIS server. The client is only accessing the system via a
web browser (HTTP) and might well be on a non-Windows system.

>
> IIS has a change password option -
> http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.com +IIS+Change+Password&meta=
>
> It's utilised by Exchange OWA and ISA Server (amongst others) to allow users
> to change their passwords.
>
Yes, but that doesn't help the fact that the Integrated Windows
Authentication simply fails when the password has expired, and returns
a 401 Unauthorized (causing the browser to simply re-prompt for the
username/password). IOW, I need some of IIS plugin to trap the event
that occurs when a user password has expired, and redirect the
response to a page that handles password changing etc.

Re: Possible to write plug-in to handle password expiry etc.?

am 04.11.2007 10:16:14 von Ken Schaefer

"Dylan Nicholson" wrote in message
news:1194033931.485416.162490@e9g2000prf.googlegroups.com...
>
> Ken Schaefer wrote:
>> Are you talking about local users and passwords? or domain users and
>> passwords?
>
> Don't care - the users/passwords are only relevant to the machine
> hosting the IIS server. The client is only accessing the system via a
> web browser (HTTP) and might well be on a non-Windows system.
>
>>
>> IIS has a change password option -
>> http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.com +IIS+Change+Password&meta=
>>
>> It's utilised by Exchange OWA and ISA Server (amongst others) to allow
>> users
>> to change their passwords.
>>
> Yes, but that doesn't help the fact that the Integrated Windows
> Authentication simply fails when the password has expired, and returns
> a 401 Unauthorized (causing the browser to simply re-prompt for the
> username/password). IOW, I need some of IIS plugin to trap the event
> that occurs when a user password has expired, and redirect the
> response to a page that handles password changing etc.

Did you enable the IIS password change functionality?

Cheers
Ken

Re: Possible to write plug-in to handle password expiry etc.?

am 04.11.2007 10:16:14 von Ken Schaefer

"Dylan Nicholson" wrote in message
news:1194033931.485416.162490@e9g2000prf.googlegroups.com...
>
> Ken Schaefer wrote:
>> Are you talking about local users and passwords? or domain users and
>> passwords?
>
> Don't care - the users/passwords are only relevant to the machine
> hosting the IIS server. The client is only accessing the system via a
> web browser (HTTP) and might well be on a non-Windows system.
>
>>
>> IIS has a change password option -
>> http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.com +IIS+Change+Password&meta=
>>
>> It's utilised by Exchange OWA and ISA Server (amongst others) to allow
>> users
>> to change their passwords.
>>
> Yes, but that doesn't help the fact that the Integrated Windows
> Authentication simply fails when the password has expired, and returns
> a 401 Unauthorized (causing the browser to simply re-prompt for the
> username/password). IOW, I need some of IIS plugin to trap the event
> that occurs when a user password has expired, and redirect the
> response to a page that handles password changing etc.

Did you enable the IIS password change functionality?

Cheers
Ken

Re: Possible to write plug-in to handle password expiry etc.?

am 04.11.2007 23:19:35 von Dylan Nicholson

On Nov 4, 8:16 pm, "Ken Schaefer"
wrote:
> "Dylan Nicholson" wrote in message
>
> news:1194033931.485416.162490@e9g2000prf.googlegroups.com...
>
>
> > Ken Schaefer wrote:
> >> Are you talking about local users and passwords? or domain users and
> >> passwords?
>
> > Don't care - the users/passwords are only relevant to the machine
> > hosting the IIS server. The client is only accessing the system via a
> > web browser (HTTP) and might well be on a non-Windows system.
>
> >> IIS has a change password option -
> >>http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.c om+IIS+Chan...
>
> >> It's utilised by Exchange OWA and ISA Server (amongst others) to allow
> >> users
> >> to change their passwords.
>
> > Yes, but that doesn't help the fact that the Integrated Windows
> > Authentication simply fails when the password has expired, and returns
> > a 401 Unauthorized (causing the browser to simply re-prompt for the
> > username/password). IOW, I need some of IIS plugin to trap the event
> > that occurs when a user password has expired, and redirect the
> > response to a page that handles password changing etc.
>
> Did you enable the IIS password change functionality?
>
> Cheers
> Ken- Hide quoted text -
>
Yes, as far as I can tell. Not sure how I can test it, but it hasn't
changed the behaviour of the integrated windows authentication mode.
Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
(but if I enable directory browsing I can see it in the listing - if I
create my own HTML or ASPX file, they work, but .ASP files don't).

Re: Possible to write plug-in to handle password expiry etc.?

am 04.11.2007 23:19:35 von Dylan Nicholson

On Nov 4, 8:16 pm, "Ken Schaefer"
wrote:
> "Dylan Nicholson" wrote in message
>
> news:1194033931.485416.162490@e9g2000prf.googlegroups.com...
>
>
> > Ken Schaefer wrote:
> >> Are you talking about local users and passwords? or domain users and
> >> passwords?
>
> > Don't care - the users/passwords are only relevant to the machine
> > hosting the IIS server. The client is only accessing the system via a
> > web browser (HTTP) and might well be on a non-Windows system.
>
> >> IIS has a change password option -
> >>http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.c om+IIS+Chan...
>
> >> It's utilised by Exchange OWA and ISA Server (amongst others) to allow
> >> users
> >> to change their passwords.
>
> > Yes, but that doesn't help the fact that the Integrated Windows
> > Authentication simply fails when the password has expired, and returns
> > a 401 Unauthorized (causing the browser to simply re-prompt for the
> > username/password). IOW, I need some of IIS plugin to trap the event
> > that occurs when a user password has expired, and redirect the
> > response to a page that handles password changing etc.
>
> Did you enable the IIS password change functionality?
>
> Cheers
> Ken- Hide quoted text -
>
Yes, as far as I can tell. Not sure how I can test it, but it hasn't
changed the behaviour of the integrated windows authentication mode.
Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
(but if I enable directory browsing I can see it in the listing - if I
create my own HTML or ASPX file, they work, but .ASP files don't).

Re: Possible to write plug-in to handle password expiry etc.?

am 05.11.2007 11:48:17 von Ken Schaefer

"Dylan Nicholson" wrote in message
news:1194214775.942535.204980@v29g2000prd.googlegroups.com.. .

>> Did you enable the IIS password change functionality?
>>
>> Cheers
>> Ken- Hide quoted text -
>>
> Yes, as far as I can tell. Not sure how I can test it, but it hasn't
> changed the behaviour of the integrated windows authentication mode.
> Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
> (but if I enable directory browsing I can see it in the listing - if I
> create my own HTML or ASPX file, they work, but .ASP files don't).

What's the HTTP status + substatus in the IIS log files? 404.2? or something
else?

Cheers
Ken

Re: Possible to write plug-in to handle password expiry etc.?

am 05.11.2007 11:48:17 von Ken Schaefer

"Dylan Nicholson" wrote in message
news:1194214775.942535.204980@v29g2000prd.googlegroups.com.. .

>> Did you enable the IIS password change functionality?
>>
>> Cheers
>> Ken- Hide quoted text -
>>
> Yes, as far as I can tell. Not sure how I can test it, but it hasn't
> changed the behaviour of the integrated windows authentication mode.
> Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
> (but if I enable directory browsing I can see it in the listing - if I
> create my own HTML or ASPX file, they work, but .ASP files don't).

What's the HTTP status + substatus in the IIS log files? 404.2? or something
else?

Cheers
Ken

Re: Possible to write plug-in to handle password expiry etc.?

am 05.11.2007 23:40:08 von Dylan Nicholson

On Nov 5, 9:48 pm, "Ken Schaefer"
wrote:
> "Dylan Nicholson" wrote in message
>
> news:1194214775.942535.204980@v29g2000prd.googlegroups.com.. .
>
> >> Did you enable the IIS password change functionality?
>
> >> Cheers
> >> Ken- Hide quoted text -
>
> > Yes, as far as I can tell. Not sure how I can test it, but it hasn't
> > changed the behaviour of the integrated windows authentication mode.
> > Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
> > (but if I enable directory browsing I can see it in the listing - if I
> > create my own HTML or ASPX file, they work, but .ASP files don't).
>
> What's the HTTP status + substatus in the IIS log files? 404.2? or something
> else?
>
> Cheers
> Ken

>From the log:

2007-11-05 22:31:58 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
- 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.5 0727)
ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 2
2148074254 1872 481 0

2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
- 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.5 0727)
ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 1
0 1888 564 0

2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /iisadmpwd/
aexp.asp https://demo.hisoftware.com:443/EchidnaQA/ 443 -
211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT
+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 403
18 0 1667 764 0

The first attempt was with the "user must change password at next
logon" flag on, which appears to be logged as 401.2 (even though in
the browser it's shown as a 403 - Forbidden: Access is denied. I then
turned the flag off, at which point the authentication works fine -
but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
something I made myself.

Re: Possible to write plug-in to handle password expiry etc.?

am 05.11.2007 23:40:08 von Dylan Nicholson

On Nov 5, 9:48 pm, "Ken Schaefer"
wrote:
> "Dylan Nicholson" wrote in message
>
> news:1194214775.942535.204980@v29g2000prd.googlegroups.com.. .
>
> >> Did you enable the IIS password change functionality?
>
> >> Cheers
> >> Ken- Hide quoted text -
>
> > Yes, as far as I can tell. Not sure how I can test it, but it hasn't
> > changed the behaviour of the integrated windows authentication mode.
> > Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
> > (but if I enable directory browsing I can see it in the listing - if I
> > create my own HTML or ASPX file, they work, but .ASP files don't).
>
> What's the HTTP status + substatus in the IIS log files? 404.2? or something
> else?
>
> Cheers
> Ken

>From the log:

2007-11-05 22:31:58 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
- 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.5 0727)
ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 2
2148074254 1872 481 0

2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
- 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.5 0727)
ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 1
0 1888 564 0

2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /iisadmpwd/
aexp.asp https://demo.hisoftware.com:443/EchidnaQA/ 443 -
211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT
+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 403
18 0 1667 764 0

The first attempt was with the "user must change password at next
logon" flag on, which appears to be logged as 401.2 (even though in
the browser it's shown as a 403 - Forbidden: Access is denied. I then
turned the flag off, at which point the authentication works fine -
but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
something I made myself.

Re: Possible to write plug-in to handle password expiry etc.?

am 08.11.2007 04:54:01 von Ken Schaefer

"Dylan Nicholson" wrote in message
news:1194302408.097931.45300@q5g2000prf.googlegroups.com...
> On Nov 5, 9:48 pm, "Ken Schaefer"
> wrote:
>> "Dylan Nicholson" wrote in message
>>
>> news:1194214775.942535.204980@v29g2000prd.googlegroups.com.. .
>>
>> >> Did you enable the IIS password change functionality?
>>
>> >> Cheers
>> >> Ken- Hide quoted text -
>>
>> > Yes, as far as I can tell. Not sure how I can test it, but it hasn't
>> > changed the behaviour of the integrated windows authentication mode.
>> > Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
>> > (but if I enable directory browsing I can see it in the listing - if I
>> > create my own HTML or ASPX file, they work, but .ASP files don't).
>>
>> What's the HTTP status + substatus in the IIS log files? 404.2? or
>> something
>> else?
>>
>> Cheers
>> Ken
>
>>From the log:
>
> 2007-11-05 22:31:58 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
> - 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
> +6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.5 0727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 2
> 2148074254 1872 481 0
>
> 2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
> - 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
> +6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.5 0727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 1
> 0 1888 564 0
>
> 2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /iisadmpwd/
> aexp.asp https://demo.hisoftware.com:443/EchidnaQA/ 443 -
> 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT
> +5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 403
> 18 0 1667 764 0
>
> The first attempt was with the "user must change password at next
> logon" flag on, which appears to be logged as 401.2 (even though in
> the browser it's shown as a 403 - Forbidden: Access is denied. I then
> turned the flag off, at which point the authentication works fine -
> but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> something I made myself.

HTH:

http://support.microsoft.com/?id=331834

Cheers
Ken

Re: Possible to write plug-in to handle password expiry etc.?

am 08.11.2007 04:54:01 von Ken Schaefer

"Dylan Nicholson" wrote in message
news:1194302408.097931.45300@q5g2000prf.googlegroups.com...
> On Nov 5, 9:48 pm, "Ken Schaefer"
> wrote:
>> "Dylan Nicholson" wrote in message
>>
>> news:1194214775.942535.204980@v29g2000prd.googlegroups.com.. .
>>
>> >> Did you enable the IIS password change functionality?
>>
>> >> Cheers
>> >> Ken- Hide quoted text -
>>
>> > Yes, as far as I can tell. Not sure how I can test it, but it hasn't
>> > changed the behaviour of the integrated windows authentication mode.
>> > Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
>> > (but if I enable directory browsing I can see it in the listing - if I
>> > create my own HTML or ASPX file, they work, but .ASP files don't).
>>
>> What's the HTTP status + substatus in the IIS log files? 404.2? or
>> something
>> else?
>>
>> Cheers
>> Ken
>
>>From the log:
>
> 2007-11-05 22:31:58 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
> - 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
> +6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.5 0727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 2
> 2148074254 1872 481 0
>
> 2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
> - 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
> +6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.5 0727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 1
> 0 1888 564 0
>
> 2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /iisadmpwd/
> aexp.asp https://demo.hisoftware.com:443/EchidnaQA/ 443 -
> 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT
> +5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 403
> 18 0 1667 764 0
>
> The first attempt was with the "user must change password at next
> logon" flag on, which appears to be logged as 401.2 (even though in
> the browser it's shown as a 403 - Forbidden: Access is denied. I then
> turned the flag off, at which point the authentication works fine -
> but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> something I made myself.

HTH:

http://support.microsoft.com/?id=331834

Cheers
Ken

Re: Possible to write plug-in to handle password expiry etc.?

am 09.11.2007 01:25:35 von Dylan Nicholson

On Nov 8, 2:54 pm, "Ken Schaefer"
wrote:
> "Dylan Nicholson" wrote in message
>
> > The first attempt was with the "user must change password at next
> > logon" flag on, which appears to be logged as 401.2 (even though in
> > the browser it's shown as a 403 - Forbidden: Access is denied. I then
> > turned the flag off, at which point the authentication works fine -
> > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > something I made myself.
>
> HTH:
>
> http://support.microsoft.com/?id=331834
>
Yes, I've tried everything in there.

Re: Possible to write plug-in to handle password expiry etc.?

am 09.11.2007 01:25:35 von Dylan Nicholson

On Nov 8, 2:54 pm, "Ken Schaefer"
wrote:
> "Dylan Nicholson" wrote in message
>
> > The first attempt was with the "user must change password at next
> > logon" flag on, which appears to be logged as 401.2 (even though in
> > the browser it's shown as a 403 - Forbidden: Access is denied. I then
> > turned the flag off, at which point the authentication works fine -
> > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > something I made myself.
>
> HTH:
>
> http://support.microsoft.com/?id=331834
>
Yes, I've tried everything in there.

Re: Possible to write plug-in to handle password expiry etc.?

am 09.11.2007 04:26:48 von Dylan Nicholson

On Nov 9, 11:25 am, Dylan Nicholson wrote:
> On Nov 8, 2:54 pm, "Ken Schaefer"
> wrote:> "Dylan Nicholson" wrote in message
>
> > > The first attempt was with the "user must change password at next
> > > logon" flag on, which appears to be logged as 401.2 (even though in
> > > the browser it's shown as a 403 - Forbidden: Access is denied. I then
> > > turned the flag off, at which point the authentication works fine -
> > > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > > something I made myself.
>
> > HTH:
>
> >http://support.microsoft.com/?id=331834
>
> Yes, I've tried everything in there.

Oh, btw, some progress, managed to enable asp files for the IISADMPWD
directory.

But...accessing https://server-address/IISADMPWD/aexp.pwd return this:


Internet Service Manager
for Internet Information Server 6.0


Your password has expired.

A secure channel ( SSL or PCT ) is necessary in order to change a
password.

SSL/PCT is not installed/enabled on your system, please install it to
enable this functionality.

Access default document or select another document.



(Note that address is https - hence SSL *is* enabled!)


And, further, simply trying to use Integrated Window Authentication on
another virtual directory with an account that has "user must change
password at next logon" still simply fails, no redirection to a change
password script.

Re: Possible to write plug-in to handle password expiry etc.?

am 09.11.2007 04:26:48 von Dylan Nicholson

On Nov 9, 11:25 am, Dylan Nicholson wrote:
> On Nov 8, 2:54 pm, "Ken Schaefer"
> wrote:> "Dylan Nicholson" wrote in message
>
> > > The first attempt was with the "user must change password at next
> > > logon" flag on, which appears to be logged as 401.2 (even though in
> > > the browser it's shown as a 403 - Forbidden: Access is denied. I then
> > > turned the flag off, at which point the authentication works fine -
> > > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > > something I made myself.
>
> > HTH:
>
> >http://support.microsoft.com/?id=331834
>
> Yes, I've tried everything in there.

Oh, btw, some progress, managed to enable asp files for the IISADMPWD
directory.

But...accessing https://server-address/IISADMPWD/aexp.pwd return this:


Internet Service Manager
for Internet Information Server 6.0


Your password has expired.

A secure channel ( SSL or PCT ) is necessary in order to change a
password.

SSL/PCT is not installed/enabled on your system, please install it to
enable this functionality.

Access default document or select another document.



(Note that address is https - hence SSL *is* enabled!)


And, further, simply trying to use Integrated Window Authentication on
another virtual directory with an account that has "user must change
password at next logon" still simply fails, no redirection to a change
password script.

Re: Possible to write plug-in to handle password expiry etc.?

am 09.11.2007 21:00:31 von leroy.symons

On Nov 9, 2:26 pm, Dylan Nicholson wrote:
> On Nov 9, 11:25 am, Dylan Nicholson wrote:
>
> > On Nov 8, 2:54 pm, "Ken Schaefer"
> > wrote:> "Dylan Nicholson" wrote in message
>
> > > > The first attempt was with the "user must change password at next
> > > > logon" flag on, which appears to be logged as 401.2 (even though in
> > > > the browser it's shown as a 403 - Forbidden: Access is denied. I then
> > > > turned the flag off, at which point the authentication works fine -
> > > > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > > > something I made myself.
>
> > > HTH:
>
> > >http://support.microsoft.com/?id=331834
>
> > Yes, I've tried everything in there.

>
> And, further, simply trying to use Integrated Window Authentication on
> another virtual directory with an account that has "user must change
> password at next logon" still simply fails, no redirection to a change
> password script.

Ok, some more progress - I got the ASP scripts in the IISADMPWD
directory to work - and can now use aexp.asp to change my password.
Further, when I try to access the directory with Integrated Windows
Authentication turned on with a user whose password has expired, the
log now shows:

GET /EchidnaQA/ - 401 2

GET /EchidnaQA/ - 401 1

GET /IISADMPWD/aexp.asp - 200 0

BUT...in the browser I still just see "HTTP Error 403 - Forbidden:
Access is denied."
..

Re: Possible to write plug-in to handle password expiry etc.?

am 09.11.2007 21:00:31 von leroy.symons

On Nov 9, 2:26 pm, Dylan Nicholson wrote:
> On Nov 9, 11:25 am, Dylan Nicholson wrote:
>
> > On Nov 8, 2:54 pm, "Ken Schaefer"
> > wrote:> "Dylan Nicholson" wrote in message
>
> > > > The first attempt was with the "user must change password at next
> > > > logon" flag on, which appears to be logged as 401.2 (even though in
> > > > the browser it's shown as a 403 - Forbidden: Access is denied. I then
> > > > turned the flag off, at which point the authentication works fine -
> > > > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > > > something I made myself.
>
> > > HTH:
>
> > >http://support.microsoft.com/?id=331834
>
> > Yes, I've tried everything in there.

>
> And, further, simply trying to use Integrated Window Authentication on
> another virtual directory with an account that has "user must change
> password at next logon" still simply fails, no redirection to a change
> password script.

Ok, some more progress - I got the ASP scripts in the IISADMPWD
directory to work - and can now use aexp.asp to change my password.
Further, when I try to access the directory with Integrated Windows
Authentication turned on with a user whose password has expired, the
log now shows:

GET /EchidnaQA/ - 401 2

GET /EchidnaQA/ - 401 1

GET /IISADMPWD/aexp.asp - 200 0

BUT...in the browser I still just see "HTTP Error 403 - Forbidden:
Access is denied."
..

Re: Possible to write plug-in to handle password expiry etc.?

am 15.11.2007 01:22:37 von Dylan Nicholson

On Nov 10, 7:00 am, wizof...@hotmail.com wrote:
>
> Ok, some more progress - I got the ASP scripts in the IISADMPWD
> directory to work - and can now use aexp.asp to change my password.
> Further, when I try to access the directory with Integrated Windows
> Authentication turned on with a user whose password has expired, the
> log now shows:
>
> GET /EchidnaQA/ - 401 2
>
> GET /EchidnaQA/ - 401 1
>
> GET /IISADMPWD/aexp.asp - 200 0
>
> BUT...in the browser I still just see "HTTP Error 403 - Forbidden:
> Access is denied."

On Nov 10, 7:00 am, wizof...@hotmail.com wrote:

> Ok, some more progress - I got the ASP scripts in the IISADMPWD
> directory to work - and can now use aexp.asp to change my password.
> Further, when I try to access the directory with Integrated Windows
> Authentication turned on with a user whose password has expired, the
> log now shows:
>
> GET /EchidnaQA/ - 401 2
>
> GET /EchidnaQA/ - 401 1
>
> GET /IISADMPWD/aexp.asp - 200 0
>
> BUT...in the browser I still just see "HTTP Error 403 - Forbidden:
> Access is denied."
> .- Hide quoted text -
>
> - Show quoted text -

Never mind - solved the problem, the IISADMPWD virtual directory was
using a different application pool.

The PWD change stuff now works exactly as I wanted - no coding
required!

Thanks for your help.

Dylan

Re: Possible to write plug-in to handle password expiry etc.?

am 15.11.2007 01:22:37 von Dylan Nicholson

On Nov 10, 7:00 am, wizof...@hotmail.com wrote:
>
> Ok, some more progress - I got the ASP scripts in the IISADMPWD
> directory to work - and can now use aexp.asp to change my password.
> Further, when I try to access the directory with Integrated Windows
> Authentication turned on with a user whose password has expired, the
> log now shows:
>
> GET /EchidnaQA/ - 401 2
>
> GET /EchidnaQA/ - 401 1
>
> GET /IISADMPWD/aexp.asp - 200 0
>
> BUT...in the browser I still just see "HTTP Error 403 - Forbidden:
> Access is denied."

On Nov 10, 7:00 am, wizof...@hotmail.com wrote:

> Ok, some more progress - I got the ASP scripts in the IISADMPWD
> directory to work - and can now use aexp.asp to change my password.
> Further, when I try to access the directory with Integrated Windows
> Authentication turned on with a user whose password has expired, the
> log now shows:
>
> GET /EchidnaQA/ - 401 2
>
> GET /EchidnaQA/ - 401 1
>
> GET /IISADMPWD/aexp.asp - 200 0
>
> BUT...in the browser I still just see "HTTP Error 403 - Forbidden:
> Access is denied."
> .- Hide quoted text -
>
> - Show quoted text -

Never mind - solved the problem, the IISADMPWD virtual directory was
using a different application pool.

The PWD change stuff now works exactly as I wanted - no coding
required!

Thanks for your help.

Dylan