I am using DNN 07.03.04 (45) and I have problem when creating a new user. When notification and random password box is marked (see image) user receives no notification and no random password on given email. Is this a bug?
Regards
It is not a bug. I believe they stopped sending password as plain text strings in an Email since version 7.x (maybe even earlier) for security reasons. That is why you can only reset your password with a token you receive by mail. Before that DNN would send you your password by mail if you had forgotten it (see DNN 6 screenshot for proof).
Related
Currently, Firebase offers the option to send an email to a users email who wishes to change their password. Unfortunately, Firebase does not allow you to edit their password requirements which I believe is locked at requiring only 6 characters.
For many people this is inadequate and insecure.
I recently made an application that allows users to create quizzes either for themselves or for others. In this application, I stores personal information of my users and I wanted to make sure that their accounts were secure so I required more from my passwords. Unfortunately, when a user wishes to change their email, the default Firebase function does not keep my security which leads to confusion as a user can change their passwords according to Firebase's lax constraints but then they still couldn't log in because they used an invalid password. (I blocked invalid passwords from the text box before even checking with Firebase).
After I encountered this error, I came to StackOverflow for help to see if anyone else had this issue and came up with a solution. Unfortunately, I was met with harsh criticism and harassment by users who claim to be Firebase officials and Administrators who did not care about my question.
Then, I after a week of research and testing, I found the solution using React and 3rd party libraries to handle this.
Please, see my answer below and if you have a more creative solution, I would be interested in seeing that as well.
To solve this problem, the only answer is to create your own mailer service with your own basic mailer service, host website, and API.
What you need:
An application which uses Firebase.
A hosted API which uses Firebase and a 3rd party Mailer such as Node with NodeMailer - hosted on Heroku
A React app which can communicate with the API
What I did:
First, I created my API which accepts calls from my specified IP addresses. This API can receive requests to reset a password when the password is known or unknown. When the password is known, I send an email to the user using NodeMailer and I send a special HTML file so the email looks official. It is quite easy to copy the layout of Firebase's emails if you wish.
More Info can be found here: https://nodemailer.com/message/
Then, I created a React App that is hosted on Heroku. When the user clicks a link in the email, it will send them to this website with the required information in the query. This app, much like when the Firebase link is clicked is just a simple text box and submit button. However, now you can customize it to require password confirmation with a second text box. You can also add a company logo and custom colors so it isn't so HTML 1 looking like the link you see from Firebase. Most importantly, you can now control the password that the user enters to add your unique requirements.
On submit, the app will send the new password, username and old password if available to the API.
If you do not know how to create a React App or a Node API, you can see a detailed tutorial here: https://www.techandstartup.com/tutorials/build-api-with-node-express-and-mongodb
Finally, the API can log into the users account if a password is present and then change the password. Detailed steps can be seen from: https://www.codegrepper.com/code-examples/javascript/firebase+user+change+password
If a current password is not present, then the API can delete the user and recreate it with the desired password. Deleting a user can be seen: https://www.codegrepper.com/code-examples/javascript/firebase+delete+user Then you simply recreate a user. Example code: https://www.codegrepper.com/search.php?q=firebase%20createUserWithEmailAndPassword
With these steps, you can now send a password reset email to a user. The email will be completely unique as you will be designing it yourself. The password will be to your exact specifications as your React App will control the data on submit. And the page itself will look much more user friendly as it's not the default Firebase page.
Hopefully this helps you or your company with working around the Firebase reset password with email function. I am still holding out hope that another user may have a more elegant or basic solution than this as creating an API and hosting a website just for 1 function is not appealing in many cases.
I am using DNN version 9, we setup SMTP and its working on testing SMTP while we are adding new user and check "send and mail to email to new user" is not working
I also Set User Registration to Private but no luck.
Setting registration to private will prevent new users from registering.
If the SMTP Test Message is being sent, the most likely culprit is that your SMTP server is refusing to send or relay to outside addresses.
Problems in sending to the SMTP server should generate items in the Admin log.
If the problem is actually in the SMTP Server, you'll need to find someone who can look at it's logs. In the last few weeks, a company was having trouble sending some mails using SendGrid. The problem was that SendGrid was configured to not send emails outside of a narrow address range. Fixing the configuration at SendGrid fixed the problem.
I’m trying to access active directory in our server using Kerberos(GSSAPI).
Firstly try current windows user, if refused, user can input new one.
Most of the documents mentioned Kerberos can authorize without password (current user),but little about login with a new user.
In other soft (e.g. IE) When current user is not accepted, they request me to input a new user/pass. But I got few information about how to imply that.
In Kerberos ,What is the difference between “new user login with password” and “share authority between two links” ?
My goal is to let user input username/password and login AD with Kerberos, if current user is not accepted.(in c++)
The linkage between SSPI and GSSAPI seems to be a huge problem , I searched stackoverflow/google and got about 5-8 quistions/docs ,but none of them seems to help.(I will put links later)
here:ldap_sasl_bind_s(GSSAPI) - What should be provided in the credentials BERVAL structure
What I have tried:
About logging with new user/pass, I got no directions.
About logging with current user (through SSPI), I blocked in the last step - return the 4 byte auth-Id. No idea what to return.
Trying to write 0 or other random number, encrypted and send to server, it just refused.
I am trying to secure my DNN site running on DNN version 7.01.02
WHat i am looking for is that anybody who registers for a new account must enter a valid email id and should be able to login only after he clicks the verification mail.
Currently the way i have it is Once the user enters his Email and chooses a password he is directly logged into the site and only gets the following message.
Here are the site settings for the Website i use to control the user Registration.
So how can i change this config so that the user can only log into the portal once he goes through the verification mail
PS: My verification mail works. I have checked the SMTP settings.
As an administrator, go to Site Settings, User Account Settings and change the User Registration Setting to "Verified."
The user will be required to enter a verification code when they log in for the first time.
I personally use the private setting, but I have a low traffic site. IF you dont mind verifying the accounts you can do that. Also you can set it to redirect to a page where it tells them that the account needs to be approved before they can login
I have an application that runs on Windows Mobile 6 Professional PDA devices. The application is installed by browsing a url from the device and downloading a cab.
Users capture information in the application and this is then replicated back to a SQL 2005 server using merge replication and IIS v6.
Although the user needs to log into the application on the device anybody who knows the url could download and install. Also if you know a users password anyone with a device could update that users information.
I would somehow like to authenticate the devices either at the installation or replication stage (or both).
Is it possible to authenticate a device based on serial number or IMEI (mobile phone ID) number?
Is there a way to load a certificate onto the device so only certificated devices are allowed to connect?
I want a system that is not too hard to implement and support. The users must be able to update their own devices and they are not very good at remembering complicate procedures or password.
One possible solution would be to send the unique device id as part of authentication. There's a post on using GetDeviceUniqueID on the Windows Mobile Team Blog.
You could store this unique id when the user first connect to the server and verify it prior to each merge.
This approach helps to ensure that the user logging in is doing so from their own phone. It solves the problem of a remote intruder downloading your program to their own phone and logging into a legitimate users account. Of course, if such an intruder has access to your users phone AND password, all bets are off.
You have conflicting requirements:
The users must be able to update their
own devices and they are not very good
at remembering complicate procedures
or password.
and:
Also if you know a users password
anyone with a device could update that
users information.
If your users can only (barely) be expected to use a password, then you cannot expect to be able to protect in any case against anyone else who has their password.
There's no 'magic' authentication that will tell you a particular user or device is legitimate beyond what you provide.
You can password protect the download, you can load certificates, you can get the PDA information (and even the cellular information), but unless you add another authentication mechanism, at the end of the day all you've got is a password.
The password is your weakest link, and you seem to be indicating that you can't provide more strict access, but you somehow need it?
If you have another authentication channel (phone, email, SMS) then you can provide a more robust, meaningful authentication.
For instance, you could make your program operation dependent on a "public.key" file with a per-user public key that your server requires for use. Once the user logs in to your website, have them give you their phone number (so now you have the phone number and the password) and send an SMS with a link to a temporary download for the key. Make a new key for each user, keep their private key on the server, and encrypt (or at least authenticate) every transaction between the device and server using this key pair.
Now if someone else wants to pretend they are their user, they have to get that file in one of three ways:
They take it directly off the PDA (they also need the password, as the public key should be protected by the user password)
They get the user to request a new SMS link, and somehow get the link without having the phone
They change the phone number and request a new SMS link
In any case, you are validating not only the password, but also an associate phone number. You can make it hard for users to change the phone number (validate against their email as well when they request a phone number change, have them call in, etc).
Of course you can do the same with other channels of communication, but users are getting more and more used to SMS authentication and download, so it isn't too much more hassle.
-Adam
You could generate slightly different cab file for every download. The only difference would be security token your application would use as user/password analogue. That should be a public key for real security.
You could send them SMS with a code each time they access your application.