Directory Programming .NET

The users need to be able to change their password and recover lost passwords.  Is it as simple as dragging on the .NET controls for this, or does it require custom code?

after dragging on the controls it seems that change password doesn't work, I enter my password, enter the new one twice, but it still gives the following error:

Password incorrect or New Password invalid. New Password length minimum: 7. Non-alphanumeric characters required: 1.

ADFS and the SSO membership provider don't support any "write" operations to the directory, so if you want to modify stuff in the directory you'll need to do that through a different mechanism.

well, the only account store that would need this are the external ones.  So as long as the web server has rights to edit users in the AD it is a membership of, I should be able to write some custom code to do that work.

Because ADFS is used for the authentication, you can't use the ChangePassword control because it requires that a user be presently authenticated via that membership provider, in this case AD.

Is that right Joe?

I was trying to use the ChangePassword method on the MembershipUser object and it wouldn't work because I never have a user, it's always null.  Can I populate the MembershipUser based on the single sign on identity (SSOI)?  Even then will it allow me to change the password?

DirectoryEntry user = new DirectoryEntry(LDAP://mydomain.com/CN=nate,CN=Users,DC=mydomain,DC=com);

user.Invoke("SetPassword", txtPassword.Text);

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I'm guessing this is because it is using the NetworkService account to perform this?  Would it be better to use the Membership Provider instead?

Finally, something works!

Membership.Provider.ChangePassword(User.Identity.Name.Split('@')[0], txtOld.Text, txtPassword.Text);

Is there an easy way to get the out of the box ChangePassword control to do this instead?

<asp:ChangePassword ID="ChangePassword1" runat="server" MembershipProvider="MembershipADProvider" UserName="<%=User.Identity.Name.Split('@')[0] %>" /> DOES NOT WORK

but this does!

protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)

{

ChangePassword1.UserName = User.Identity.Name.Split('@')[0];

}

not sure why just changing the UserName property on the control doesn't work, but changing it just before it tries the update does.

I think this would be even better if there was a way to just set the current membershipUser when ADFS authenticates, is there a way to do that Joe?

Honestly, I'm pretty confused by what you are doing here as I've never seen anyone try to do any account modification operations using the ADFS membership provider.  It is supposed to be read only.

The ActiveDirectoryMembershipProvider for ASP.NET does support write operations like account creation and password changes.  Is that what you are talking about here?  The AD membership provider isn't really my strong suit as I've never used it for anything in my normal job or tried to use it for provisioning stuff, so I don't have much experience with its quirks.

Sorry for the confusion Joe.

I'm not using ADFS for writes into the account store, I'm not that advanced yet ;)

I'm using the AD membership provider and using the out of the box .NET controls for that.  They are working except the change password just needed that little fix.  It really isn't that big of a deal, I was just hoping to find a more elegant solution, like setting that current MembershipUser to the user when I'm checking authentication, instead of setting the name right before I attempt the password change.

Does that make sense now?

Yes, it does.  Unfortunately, my lack of skills with the AD membership provider itself prevents me from giving you a more elegant solution to this problem, but as long as you've worked through it, I won't worry about it too much.  :)