"Dylan Nicholson" <wizof***@hotmail.com> wrote in message
news:1193961187.699777.24150@i38g2000prf.googlegroups.com...
> I'm trying to use IIS's Integrated Windows Authentication to take
> advantage of various user management and security features of Windows,
> namely password expiry and complexity checking.
> But currently if your password expires, or the user flag "must change
> password at next logon" has been set, then authentication simply fails
> - i.e., IIS doesn't have a built-in mechanism for handling changing
> passwords.
> So my question is, is it possible to write some sort of plugin on
> either the server or the browser side that handles this, that prompts
> for a new password, checking it against complexity rules, then
> changing it on the server (which presumably requires Admin
> privileges)?  Better still, does anyone know of an existing product
> that does this?  If not, what alternatives do I have?
>
> Thanks
>
> Dylan
>

"Dylan Nicholson" <wizof***@hotmail.com> wrote in message
news:1194033931.485416.162490@e9g2000prf.googlegroups.com...
>
> Ken Schaefer wrote:
>> Are you talking about local users and passwords? or domain users and
>> passwords?
>
> Don't care - the users/passwords are only relevant to the machine
> hosting the IIS server. The client is only accessing the system via a
> web browser (HTTP) and might well be on a non-Windows system.
>
>>
>> IIS has a change password option -
>> http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.com+IIS+Change+Password&meta=
>>
>> It's utilised by Exchange OWA and ISA Server (amongst others) to allow
>> users
>> to change their passwords.
>>
> Yes, but that doesn't help the fact that the Integrated Windows
> Authentication simply fails when the password has expired, and returns
> a 401 Unauthorized (causing the browser to simply re-prompt for the
> username/password).  IOW, I need some of IIS plugin to trap the event
> that occurs when a user password has expired, and redirect the
> response to a page that handles password changing etc.

On Nov 4, 8:16 pm, "Ken Schaefer" <kenREM***@THISadOpenStatic.com>
wrote:
> "Dylan Nicholson" <wizof***@hotmail.com> wrote in message
>
> news:1194033931.485416.162490@e9g2000prf.googlegroups.com...
>
>
> > Ken Schaefer wrote:
> >> Are you talking about local users and passwords? or domain users and
> >> passwords?
>
> > Don't care - the users/passwords are only relevant to the machine
> > hosting the IIS server. The client is only accessing the system via a
> > web browser (HTTP) and might well be on a non-Windows system.
>
> >> IIS has a change password option -
> >>http://www.google.com.au/search?hl=en&q=site%3Amicrosoft.com+IIS+Chan...
>
> >> It's utilised by Exchange OWA and ISA Server (amongst others) to allow
> >> users
> >> to change their passwords.
>
> > Yes, but that doesn't help the fact that the Integrated Windows
> > Authentication simply fails when the password has expired, and returns
> > a 401 Unauthorized (causing the browser to simply re-prompt for the
> > username/password).  IOW, I need some of IIS plugin to trap the event
> > that occurs when a user password has expired, and redirect the
> > response to a page that handles password changing etc.
>
> Did you enable the IIS password change functionality?
>
> Cheers
> Ken- Hide quoted text -
>

On Nov 5, 9:48 pm, "Ken Schaefer" <kenREM***@THISadOpenStatic.com>
wrote:
> "Dylan Nicholson" <wizof***@hotmail.com> wrote in message
>
> news:1194214775.942535.204980@v29g2000prd.googlegroups.com...
>
> >> Did you enable the IIS password change functionality?
>
> >> Cheers
> >> Ken- Hide quoted text -
>
> > Yes, as far as I can tell.  Not sure how I can test it, but it hasn't
> > changed the behaviour of the integrated windows authentication mode.
> > Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
> > (but if I enable directory browsing I can see it in the listing - if I
> > create my own HTML or ASPX file, they work, but .ASP files don't).
>
> What's the HTTP status + substatus in the IIS log files? 404.2? or something
> else?
>
> Cheers
> Ken

>From the log:

"Dylan Nicholson" <wizof***@hotmail.com> wrote in message
news:1194302408.097931.45300@q5g2000prf.googlegroups.com...
> On Nov 5, 9:48 pm, "Ken Schaefer" <kenREM***@THISadOpenStatic.com>
> wrote:
>> "Dylan Nicholson" <wizof***@hotmail.com> wrote in message
>>
>> news:1194214775.942535.204980@v29g2000prd.googlegroups.com...
>>
>> >> Did you enable the IIS password change functionality?
>>
>> >> Cheers
>> >> Ken- Hide quoted text -
>>
>> > Yes, as far as I can tell.  Not sure how I can test it, but it hasn't
>> > changed the behaviour of the integrated windows authentication mode.
>> > Oddly if I access the IISADMPWD/text.asp script, it just returns a 404
>> > (but if I enable directory browsing I can see it in the listing - if I
>> > create my own HTML or ASPX file, they work, but .ASP files don't).
>>
>> What's the HTTP status + substatus in the IIS log files? 404.2? or
>> something
>> else?
>>
>> Cheers
>> Ken
>
>>From the log:
>
> 2007-11-05 22:31:58 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
> - 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
> +6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 2
> 2148074254 1872 481 0
>
> 2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /EchidnaQA/
> - 443 - 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE
> +6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 401 1
> 0 1888 564 0
>
> 2007-11-05 22:32:05 W3SVC70772194 DEMO 192.168.121.10 GET /iisadmpwd/
> aexp.asp https://demo.hisoftware.com:443/EchidnaQA/ 443 -
> 211.28.182.194 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT
> +5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
> ASP.NET_SessionId=b4cidb45sa1y4355g4bzgy55 - demo.hisoftware.com 403
> 18 0 1667 764 0
>
> The first attempt was with the "user must change password at next
> logon" flag on, which appears to be logged as 401.2 (even though in
> the browser it's shown as a 403 - Forbidden: Access is denied.  I then
> turned the flag off, at which point the authentication works fine -
> but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> something I made myself.

On Nov 8, 2:54 pm, "Ken Schaefer" <kenREM***@THISadOpenStatic.com>
wrote:
> "Dylan Nicholson" <wizof***@hotmail.com> wrote in message
>
> > The first attempt was with the "user must change password at next
> > logon" flag on, which appears to be logged as 401.2 (even though in
> > the browser it's shown as a 403 - Forbidden: Access is denied.  I then
> > turned the flag off, at which point the authentication works fine -
> > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > something I made myself.
>
> HTH:
>
> http://support.microsoft.com/?id=331834
>

> On Nov 8, 2:54 pm, "Ken Schaefer" <kenREM***@THISadOpenStatic.com>
> wrote:> "Dylan Nicholson" <wizof***@hotmail.com> wrote in message
>
> > > The first attempt was with the "user must change password at next
> > > logon" flag on, which appears to be logged as 401.2 (even though in
> > > the browser it's shown as a 403 - Forbidden: Access is denied.  I then
> > > turned the flag off, at which point the authentication works fine -
> > > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > > something I made myself.
>
> > HTH:
>
> >http://support.microsoft.com/?id=331834
>
> Yes, I've tried everything in there.

> On Nov 9, 11:25 am, Dylan Nicholson <wizof***@hotmail.com> wrote:
>
> > On Nov 8, 2:54 pm, "Ken Schaefer" <kenREM***@THISadOpenStatic.com>
> > wrote:> "Dylan Nicholson" <wizof***@hotmail.com> wrote in message
>
> > > > The first attempt was with the "user must change password at next
> > > > logon" flag on, which appears to be logged as 401.2 (even though in
> > > > the browser it's shown as a 403 - Forbidden: Access is denied.  I then
> > > > turned the flag off, at which point the authentication works fine -
> > > > but I have no idea what the "/iisadmpwd/aexp.asp" request is, it's not
> > > > something I made myself.
>
> > > HTH:
>
> > >http://support.microsoft.com/?id=331834
>
> > Yes, I've tried everything in there.

>
> Ok, some more progress - I got the ASP scripts in the IISADMPWD
> directory to work - and can now use aexp.asp to change my password.
> Further, when I try to access the directory with Integrated Windows
> Authentication turned on with a user whose password has expired, the
> log now shows:
>
> GET /EchidnaQA/ - 401 2
>
> GET /EchidnaQA/ - 401 1
>
> GET /IISADMPWD/aexp.asp - 200 0
>
> BUT...in the browser I still just see "HTTP Error 403 - Forbidden:
> Access is denied."

> Ok, some more progress - I got the ASP scripts in the IISADMPWD
> directory to work - and can now use aexp.asp to change my password.
> Further, when I try to access the directory with Integrated Windows
> Authentication turned on with a user whose password has expired, the
> log now shows:
>
> GET /EchidnaQA/ - 401 2
>
> GET /EchidnaQA/ - 401 1
>
> GET /IISADMPWD/aexp.asp - 200 0
>
> BUT...in the browser I still just see "HTTP Error 403 - Forbidden:
> Access is denied."
> .- Hide quoted text -
>
> - Show quoted text -