FOSUserBundle: you can repeat the old password in the new password fields - fosuserbundle

In the password change form, you can use the current password as the new password and it will be accepted:
Current Password: pass1234
New Password: pass1234
Confirm: pass1234
The password has been changed
What is the best way to prevent users setting a new password with the value of their current password?
Thanks.
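The check the question asks for, as an added example in plain Python rather than FOSUserBundle or Symfony code: the stored credential is a salted PBKDF2-HMAC-SHA256 hash, and the "is the new password the same as the old one?" test is made by verifying the candidate against the stored hash, not by comparing two plaintext form fields. In Symfony the same comparison would be the password encoder's isPasswordValid() call against the user's stored hash, wired in as a constraint on the new-password field. All names and the sample passwords below are this example's own.

```python
"""Added example (plain Python, not FOSUserBundle or Symfony code): reject a
password change whose new password is the same as the current one.

The "same as the old one?" test verifies the candidate against the stored
hash rather than comparing it with the submitted current-password field, so
it also works where the current plaintext is not at hand (a password-history
check against older hashes uses exactly the same call).
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
MIN_LENGTH = 8


def hash_password(plain: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(plain: str, stored: str) -> bool:
    """Constant-time check of a plaintext against a stored hash string."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", plain.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PasswordChangeError(ValueError):
    """Raised with the message the change-password form should display."""


def change_password(stored_hash: str, current: str, new: str, confirm: str) -> str:
    """Validate a change-password submission and return the new stored hash."""
    if not verify_password(current, stored_hash):
        raise PasswordChangeError("current password is incorrect")
    if new != confirm:
        raise PasswordChangeError("new password and confirmation do not match")
    if len(new) < MIN_LENGTH:
        raise PasswordChangeError(f"new password must be at least {MIN_LENGTH} characters")
    # The check the question asks for: a new password that verifies against
    # the current hash is the current password, so refuse it.
    if verify_password(new, stored_hash):
        raise PasswordChangeError("new password must differ from the current password")
    return hash_password(new)


def demo() -> dict:
    """Run the scenario from the question, then a successful change."""
    stored = hash_password("pass1234")   # the user's current credential (constructed)
    results = {}
    try:
        change_password(stored, "pass1234", "pass1234", "pass1234")
        results["reuse"] = "accepted"
    except PasswordChangeError as err:
        results["reuse"] = str(err)
    new_hash = change_password(stored, "pass1234", "correct horse battery", "correct horse battery")
    results["changed"] = verify_password("correct horse battery", new_hash)
    results["old_still_valid"] = verify_password("pass1234", new_hash)
    return results
```

The order of the checks matters: the current password is verified first, so the reuse check never becomes an oracle that lets an unauthenticated caller test guesses against the stored hash.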

Related

Username field should come pre-filled with the username of the most recent user

I would like my app to retrieve the most recently signed-in username on the login page. Instead of the username field coming up blank, I would like it to come up pre-filled with the username of the most recent user.
Do something like this when initializing the text field:
// java.util.prefs.Preferences: a per-user preference node for this application
Preferences prefs = Preferences.userNodeForPackage(getClass());
myTextField.setText(prefs.get("lastLogin", ""));
Then in the logged-in event processing code:
prefs.put("lastLogin", myTextField.getText());

Not able to log in after creating the user in AD using Java

I have written code using JNDI and DirContext for creating users in AD.
After I create the user, I am not able to log in with those credentials. When I manually reset the password for that user in AD, I am able to log in.
Here I have placed my code for your reference,
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> ldapenv = new Hashtable<>();
ldapenv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapenv.put(Context.PROVIDER_URL, "ldap://10.95.144.139:389");
ldapenv.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapenv.put(Context.SECURITY_PRINCIPAL, "CN=Administrator,CN=Users,dc=Merck,dc=local");
ldapenv.put(Context.SECURITY_CREDENTIALS, "Merck2017");
DirContext context = new InitialDirContext(ldapenv);

Attributes attributes = new BasicAttributes();

// Create the objectClass to add
Attribute objClasses = new BasicAttribute("objectClass");
objClasses.add("top");
objClasses.add("person");
objClasses.add("organizationalPerson");
objClasses.add("user");

// Assign the username, first name, and last name
String cnValue = user.getFirstName() + " " + user.getLastName();
Attribute cn = new BasicAttribute("cn", cnValue);
Attribute sAMAccountName = new BasicAttribute("sAMAccountName", user.getUserName());
// userPrincipalName has the form user@domain
Attribute principalName = new BasicAttribute("userPrincipalName", user.getUserName() + "@" + "merck.local");
Attribute givenName = new BasicAttribute("givenName", user.getFirstName());
Attribute sn = new BasicAttribute("sn", user.getLastName());
Attribute uid = new BasicAttribute("uid", user.getUserName());

// Add password
Attribute userPassword = new BasicAttribute("userPassword", user.getPassword());
Attribute pwdAge = new BasicAttribute("pwdLastSet", "-1");
Attribute userAccountControl = new BasicAttribute("userAccountControl", "544");

// Add these to the container
attributes.put(objClasses);
attributes.put(sAMAccountName);
attributes.put(principalName);
attributes.put(cn);
attributes.put(sn);
attributes.put(givenName);
attributes.put(uid);
attributes.put(userPassword);
attributes.put(userAccountControl);
attributes.put(pwdAge);

// Create the entry
try {
    context.createSubcontext(getUserDN(cnValue, "Merck-Users"), attributes);
    System.out.println("success === ");
} catch (Exception e) {
    System.out.println("Error --- " + e.getMessage());
}
Please help me resolve the following issues:
How do I set AD user password while creating the user using the above code?
How do I set userAccountControl to 66048 in the above code?
How do I create the user enabled while using the above code?
How do I disable the option "user must change the password in next login" while creating the user in the above code?
Thanks in advance.
I don't have all the answers, but this should get you started:
Passwords can only be set over a secure channel, like LDAPS (LDAP over SSL). Since you are connecting to port 389, that is not SSL and AD won't let you set the password. You must connect to the LDAPS port: 636. You may run into issues trusting the SSL certificate. I can't help much here since I'm not a Java developer, but there is an example here.
The answer to your second and third questions is the same: Accounts with no passwords are always disabled. Since you haven't set the password properly, the account will be disabled. Once you figure out how to set the password, you can also set userAccountControl to whatever you need.
You are disabling the "user must change password" option correctly: by setting pwdLastSet to -1. That's the right way to do it. But you may have to fix the other issues first.
Another important thing: I have created AD accounts in .NET, and I have found that I had to create the account first, then go back and set the password and set the userAccountControl attribute after. You may have to do the same.
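The values the answer is pointing at, as an added example in plain Python (not the question's JNDI code and not the answerer's .NET code) that builds them as data so they can be checked offline. Facts it relies on: AD accepts a new password only through the unicodePwd attribute, as the UTF-16LE bytes of the password wrapped in double quotes, and only over an encrypted connection such as ldaps://host:636; userAccountControl is a bit field, and the 544 in the question is NORMAL_ACCOUNT (512) plus PASSWD_NOTREQD (32), a bit that permits an empty password and is not wanted on a normal user; 66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD (65536). The add-then-modify split follows the answer's experience. The DN, names and password in the sample call are constructed.

```python
"""Added example (plain Python, not the question's JNDI code): the attribute
values Active Directory expects when a user is created with a password.

Facts relied on: the password goes in unicodePwd as the UTF-16LE bytes of the
quoted password, over LDAPS only; userAccountControl is a bit field;
pwdLastSet = -1 clears "must change password at next logon".
"""
from enum import IntFlag


class Uac(IntFlag):
    """userAccountControl bits used here (values from the AD schema)."""
    ACCOUNTDISABLE = 0x0002
    PASSWD_NOTREQD = 0x0020
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd value: the password in double quotes, UTF-16LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def decode_uac(value: int) -> list:
    """Names of the bits set in a userAccountControl value."""
    return [flag.name for flag in Uac if value & flag]


def plan_user_creation(dn: str, sam: str, upn: str, given: str, sn: str, password: str) -> dict:
    """Return the two LDAP operations: an add without a password, then a modify."""
    add = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": f"{given} {sn}",
        "sAMAccountName": sam,
        "userPrincipalName": upn,
        "givenName": given,
        "sn": sn,
        # Created disabled on purpose: there is no password yet, and, as the
        # answer says, an account without a password is disabled anyway.
        "userAccountControl": str(int(Uac.NORMAL_ACCOUNT | Uac.ACCOUNTDISABLE)),
    }
    modify = {
        "unicodePwd": encode_unicode_pwd(password),   # only accepted over LDAPS
        "userAccountControl": str(int(Uac.NORMAL_ACCOUNT | Uac.DONT_EXPIRE_PASSWORD)),  # 66048
        "pwdLastSet": "-1",                            # no forced change at next logon
    }
    return {"dn": dn, "add": add, "modify": modify}
```

Whatever LDAP client sends these, the modify step must be a single operation carrying unicodePwd, or AD rejects an enabled account that still has no password; sending the userPassword attribute, as the question's code does, is not the AD way of setting a password.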

Azure AD B2C - Recover your Account differs from Reset Password

I am using Azure AD B2C (and MSAL), and have sign up / sign in, edit profile and password reset policies enabled and working.
However, I have noticed an anomaly if you are going through the Edit Profile workflow and select Recover Account, the flow returned is not the same as the Reset Password policy linked to the login flow.
When the user enters identity info and the captcha, it returns the error 'your organisation has not set up a password reset policy', even though I have as it works if you choose it on sign in.
This is how I set password reset
AuthenticationResult authResult = await ADB2CClient.AcquireTokenAsync(Scopes, GetUserByPolicy(accounts, EditProfilePolicy), UIBehavior.NoPrompt, string.Empty, null, AuthorityEditProfile, App.UiParent);
This is how I set Edit Profile
authenticationResult = await ADB2CClient.AcquireTokenAsync(Scopes, firstAccount, UIBehavior.SelectAccount, string.Empty, null, AuthorityResetPassword, App.UiParent);
However, as mentioned the Recover your Account option on Edit Profile clearly triggers a different flow and I'm unclear how to account for that in Policies?
I guess you are passing different policy names when you are getting the authenticationResult. For example, in the case of the password reset policy you are passing "AuthorityEditProfile" to get the authenticationResult, and in the case of edit profile you are passing "AuthorityResetPassword".
Could you swap them and try again?
For edit profile:
AuthenticationResult authResult = await ADB2CClient.AcquireTokenAsync(Scopes, GetUserByPolicy(accounts, EditProfilePolicy), UIBehavior.NoPrompt, string.Empty, null, AuthorityEditProfile, App.UiParent);
For password reset:
authenticationResult = await ADB2CClient.AcquireTokenAsync(Scopes, firstAccount, UIBehavior.SelectAccount, string.Empty, null, AuthorityResetPassword, App.UiParent);

How does Active Directory mark a password expired?

Our domain has a max password age of 90 days. If I do not change my password for 90 days, what attribute(s) does Active Directory set on my user account to denote that my password has expired?
Is it pwdLastSet = 0?
Does it mark my account as disabled via userAccountControl? Or will it just require me to change my password on next login?
Can I manually mark a password as expired for a specific user account?
That is correct. It sets pwdLastSet=0. You can mark the password expired using the AuthenticablePrincipal.ExpirePasswordNow() method.
Here's how you can expire password for a single account:
using System.DirectoryServices.AccountManagement;

public static void ExpirePwdNow(string username)
{
    using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "yourdomain.com"))
    {
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, username))
        {
            if (user != null)
            {
                user.ExpirePasswordNow();
                user.Save();
            }
        }
    }
}
And here's how it looks in AD.
Note: you can do the same thing using PowerShell or a VB script. I don't believe there's a way of expiring the password through the GUI, but I can't be sure.
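How the expiry follows from pwdLastSet, as an added example in plain Python (not the answer's C# code). Facts it relies on: pwdLastSet is a FILETIME, a count of 100-nanosecond ticks since 1601-01-01 UTC; the domain's maxPwdAge is a negative interval in the same unit; the password expires at pwdLastSet + |maxPwdAge|; pwdLastSet = 0 means "must change password at next logon", which is what ExpirePasswordNow() writes (Set-ADUser -Replace @{pwdLastSet=0} does the same from PowerShell); and the DONT_EXPIRE_PASSWORD bit (0x10000) in userAccountControl exempts the account. Domain controllers expose the same result as the constructed attribute msDS-UserPasswordExpiryTimeComputed. The dates and entry in the sample are constructed.

```python
"""Added example (plain Python, not the answer's C# code): password expiry
computed from pwdLastSet, maxPwdAge and userAccountControl, plus the attribute
write behind "expire password now".
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # FILETIME resolution is 100 ns
DONT_EXPIRE_PASSWORD = 0x10000           # userAccountControl bit
MAX_PWD_AGE_NEVER = -0x8000000000000000  # maxPwdAge when the policy is "never"


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date (helper for sample values)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks (100 ns since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Aware datetime to FILETIME ticks, using integer arithmetic only."""
    delta = when - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def max_pwd_age_for_days(days: int) -> int:
    """maxPwdAge as stored on the domain object: a negative tick count."""
    return -days * 86400 * TICKS_PER_SECOND


def password_state(pwd_last_set: int, max_pwd_age: int, uac: int, now: datetime):
    """Return (state, expiry); state is must_change, never, valid or expired."""
    if pwd_last_set == 0:
        return "must_change", None          # what ExpirePasswordNow() produces
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return "never", None
    expiry = filetime_to_datetime(pwd_last_set - max_pwd_age)   # minus a negative age
    return ("expired" if now >= expiry else "valid"), expiry


def expire_password_now(entry: dict) -> dict:
    """The single attribute write behind ExpirePasswordNow(): pwdLastSet := 0."""
    updated = dict(entry)
    updated["pwdLastSet"] = 0
    return updated
```

Because the expiry is computed rather than stored, a user whose 90 days ran out yesterday still shows the old pwdLastSet; only a manual expiry (or the account's own "must change" state) shows up as pwdLastSet = 0.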

Is there any way to validate given password is valid with computer object created in AD?

I just created a computer object in Active Directory and set its password using the SetPassword command. How can we verify the password for the computer object or authenticate with that password? Is there any way to validate that the password is valid for that computer?
Validating a computer account password can be done in the same way as user passwords. Computer accounts also have a username SamAccountName.
I'm not sure how to provide an example as you have not specified any programming platform, but for the sake of it here is an example using C# and the System.DirectoryServices.AccountManagement namespace.
using System;
using System.DirectoryServices.AccountManagement;

string password = "securepassword";
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
using (ComputerPrincipal computer = ComputerPrincipal.FindByIdentity(context, "Temp1"))
{
    computer.SetPassword(password);
    Console.WriteLine(context.ValidateCredentials(computer.SamAccountName, string.Empty)); // Returns False
    Console.WriteLine(context.ValidateCredentials(computer.SamAccountName, password));     // Returns True
}
