ADFS 3.0 and force password change

I was wondering if anyone knows if ADFS 3.0 supports the AD flag "Force password at first login"? I know 2.0 does not. I have been integrating Shibboleth with my ADFS and a custom login handler, but I would really like to not complicate my setup and use straight ADFS if at all possible. Our ADFS setup would be for SSO into our on-premise SharePoint 2010 server. Even if 3.0 returns an error indicating that the password needs to be changed, at least I can then tell the student that and direct them to our FIM server to have them register and set their password. Any thoughts?
Thanks
Joe
Joe M

Brian,
I understand that Azure AD won't store the password. This is all on-premise servers, nothing in Azure. I see that with ADFS 3.0, if the flag is set to change password at next logon, the user does get a different message than if they just typed a wrong password. I guess what I am looking at doing is, instead of them getting the message that their password is expired, redirect them to our FIM server so that they can register for self-service as well as set their new password. In ADFS 2, the returned message was the same whether it was an expired password or a wrong password. So ADFS 3 is nice in that regard. Now it is just a matter of trying to take advantage of that. I thought about maybe creating a relying party trust to our FIM with a claim on that attribute, but I am just not sure how to go about doing that at the moment.
Joe M

Similar Messages

  • How to implement Force password change during authentication

    Description of problem
    Our client requires web applications to support its internal security policy beyond normal authentication. This includes:
    - force password change periodically. This should be performed at logon time.
    - maintain password history so that a new password would not repeat any of its previous 15 changes.
    We already have an authentication server that satisfies these requirements. However, we would also like to base our solution on the WebLogic security framework so that we can leverage the benefit of container-managed declarative security (e.g. we don't need to use our special cookie to check whether a user is authenticated for every web page in the application). So the best scenario for us is to wrap up this authentication server using the WLS 7.0 authentication SSPI.
    My initial investigation of the WLS 7.0 security framework (based on edocs and the sample custom security provider code) convinced me that overall, this is achievable. However, I am still left with quite a few questions, which I would like your help with.
    Questions:
    1. (web container) The J2EE-standard container-based authentication is to specify the <login-config> element. My understanding is that only FORM based authentication is applicable. The specified form elements:
    <form method="post" action="j_security_check">
    <INPUT TYPE="TEXT" NAME="j_username">
    <INPUT TYPE= "password" NAME="j_password">
    </form>
    are adequate for authentication. However, if the authentication service provider indicates that a password change is needed, what would be the most appropriate way within WebLogic for the authentication service provider to let the web container know, so that our application can access it? I guess a simpler question would be: using the standard <login-config>, the webapp knows only whether authentication fails or succeeds. Can it possibly know more information provided by the authentication service provider right after authentication?
    2) If we don't use standard FORM-based authentication, we will code up our own authentication control, which could give us a lot more flexibility, but can we then bind the Subject obtained through our authentication control to the WebLogic Subject that is running the webapp?
    3) (Authentication service provider) Our design is for the custom LoginModule to delegate login calls to the authentication server, and throw more refined exceptions such as FailedLoginException, PasswordExpiredException, UserAccountLockedException (all subclassed from LoginException). Another approach is to provide detailed information such as "password expired" in callbacks. Either way, when the authentication service provider returns, how can our web application access this refined flag of the authentication result?
    4) Can our custom authentication service provider use a DataSource defined in a WebLogic server? I ask this question because a DataSource is itself a protected resource of WebLogic. Will referencing it during authentication initiate another authentication cycle?
    Can anyone who has experienced similar requirements and worked out solutions please give me a hint? I appreciate your guidance.
    regards
    Licheng

    "Licheng" == Licheng <[email protected]> writes:
    Licheng> Description of problem
    Licheng> Our client requires web applications to support its internal security policy beyond
    Licheng> normal authentication. This includes:
    Licheng> - force password change periodically. This should be performed at logon time.
    Licheng> - maintain password history so that a new password would not repeat any of its
    Licheng> previous 15 changes.
    Licheng> ..
    Licheng> We already have an authentication server that satisfy these requirements. However,
    Licheng> we would also like to base our solution on WebLogic security framework so that
    Licheng> we can leverage the benefit of the container-managed declarative security (e.g.
    Licheng> we don't need to use our special cookie to check whether a user is authenticated
    Licheng> for every web page in the application). So the best scenario for us is to wrap
    Licheng> up this authentication server using WLS 7.0 authentication SSPI.
    I believe it's impractical to fit the requirement of forcing a password change
    into the standard JAAS interface.
    I think the only practical way to do this is to implement a servlet filter that
    reads the persistent record of the logged-in user to check for a "force change
    password flag". If it finds this, the servlet filter will forward to a page to
    change your password. Note that the servlet filter may be hit again when
    trying to get to the change password page, so it needs to know to not do the
    check in that case.
    If you implement this, I would strongly urge you to softcode the "change
    password" page URL in your system configuration, and not hardcode it in the
    servlet filter.
    ===================================================================
    David M. Karr ; Java/J2EE/XML/Unix/C++
    [email protected] ; SCJP; SCWCD
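
The servlet-filter approach described in the reply above, written out as an added example; this is not code from the thread, from WebLogic or from any product. The Servlet API types (javax.servlet.*) are real. The PasswordStatusStore interface, the init-param name changePasswordPath, the lookupStore() hook and the sample page /changePassword.jsp are assumptions introduced here to make the example complete.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Enforces a "must change password" flag on every request AFTER the container
 * has authenticated the user. Container-managed FORM login still does the
 * authentication; this filter only adds the post-login policy check that the
 * standard JAAS interface cannot express.
 *
 * Assumed (not from the thread): PasswordStatusStore, the init-param name
 * "changePasswordPath", and the lookupStore() hook.
 */
public class ForcePasswordChangeFilter implements Filter {

    /** Hypothetical read of the persistent user record (DB, LDAP, ...). */
    public interface PasswordStatusStore {
        boolean mustChangePassword(String username);
    }

    private String changePasswordPath; // context-relative, e.g. "/changePassword.jsp"
    private PasswordStatusStore store;

    /** No-arg constructor for the container; the store comes from lookupStore(). */
    public ForcePasswordChangeFilter() { }

    /** Direct construction for unit tests or programmatic registration. */
    public ForcePasswordChangeFilter(String changePasswordPath, PasswordStatusStore store) {
        this.changePasswordPath = changePasswordPath;
        this.store = store;
    }

    /** Override in a deployment to obtain the store (JNDI, factory, ...). */
    protected PasswordStatusStore lookupStore(FilterConfig config) {
        return store; // default: whatever the constructor injected
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Soft-coded, as the reply urges: the page URL comes from web.xml, e.g.
        //   <init-param><param-name>changePasswordPath</param-name>
        //               <param-value>/changePassword.jsp</param-value></init-param>
        String configured = config.getInitParameter("changePasswordPath");
        if (configured != null && !configured.isEmpty()) {
            changePasswordPath = configured;
        }
        if (changePasswordPath == null || !changePasswordPath.startsWith("/")) {
            throw new ServletException("changePasswordPath must be a context-relative path");
        }
        store = lookupStore(config);
        if (store == null) {
            // Fail closed at startup rather than silently skipping the check.
            throw new ServletException("PasswordStatusStore not configured");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = request.getUserPrincipal() == null ? null : request.getUserPrincipal().getName();

        if (shouldRedirect(user, request.getRequestURI(), request.getContextPath())) {
            response.sendRedirect(request.getContextPath() + changePasswordPath);
            return; // the protected resource is never rendered
        }
        chain.doFilter(req, res);
    }

    /**
     * Decision logic kept free of servlet types so it can be unit-tested.
     * Redirect only when (a) the container has authenticated the user, (b) the
     * request is not already for the change-password page (the loop the reply
     * warns about), and (c) the persistent flag is set. An exception from the
     * store propagates, so a lookup failure fails closed.
     */
    boolean shouldRedirect(String username, String requestUri, String contextPath) {
        if (username == null) {
            return false; // unauthenticated: <login-config> handles it first
        }
        String path = requestUri.substring(contextPath.length());
        int semi = path.indexOf(';'); // strip ;jsessionid=... URL rewriting
        if (semi >= 0) {
            path = path.substring(0, semi);
        }
        if (path.equals(changePasswordPath)) {
            return false; // the change form must stay reachable and must POST back to this same path
        }
        return store.mustChangePassword(username);
    }

    @Override
    public void destroy() { }
}
```

Map the filter only to the URL patterns the container protects, so unauthenticated pages and static resources are not redirected, and have the change-password handler clear the flag in the same persistent record it is read from; because the check reads that record on every request rather than caching a decision in the session, a flag set by an administrator mid-session takes effect on the user's next click.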

  • Forcing Password Changes

    I've got some scenarios I've been asked to research regarding expiring passwords and preventing account lockouts. We are on Windows 7.
    If a user is logged in while their password expires, is it possible to force a prompt to have them change their password before they log out?
    If a user's screen is locked while their password expires, is it possible to set a password change prompt when they attempt to unlock?
    I guess the theme is: how can password changes be forced before a user can get locked out after password expiration?
    Thanks,
    Matt

    The only thing you can change is the notification about how many days it is before the password expires.
    http://technet.microsoft.com/en-us/library/ee829687(v=ws.10).aspx

  • Using AnyConnect NAM for wireless and AD password changes

    Hi,
    I am having a problem with AD password changes and wireless profiles in AnyConnect. Once a user changes their password from their PC and then tries to connect to our WPA2 802.1x wireless, it fails to authenticate, and I cannot find a way to update the password that works. So we currently delete the wireless profile and create a new one. Is there a way that NAM could pull the user/password from login, or any other fix? We are also using ACS 4.1. AnyConnect version 3 to 3.0.5080.
    Thanks!

    In your anyconnect profile did you set the "use single sign on credentials"? Also did you try the repair option to see if it works after that (I am not suggesting a solution but for troubleshooting). Does logging on and off the machine help resolve the issue? Does this happen on all workstations?
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html#wp1166170
    Even though this is for user authentication this bug seems like a candidate:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx03814&from=summary
    Thanks,
    Tarik Admani

  • [solved] KDE Forced password change

    Hi, does anyone know how to turn off the fact that the first login of a new user has to change the password? For some reason that app (change password) is failing and the new users can't log in.
    thanks in advance
    --jerry

    adamrehard wrote:
    Are you setting the passwords when you create the user?
    I can see why KDE would require a password change if one hasn't been set previously.
    You also could ask for help trying to fix the original issue, which as I understand it, is that the password change app is borked.
    Yeah, the passwords were created when the users were created through the KDE add user utility. I wasn't worried about the change password utility as it is my kids' computer. I installed KDE to move them softly off Windows.
    thanks
    --jerry

  • Forcing password change

    Is there a mechanism to force a user to change their password after xx days?

    Hi Venky,
    Yes we are setting the pwdMustChange attribute in OID:
    1) Login to oidadmin.
    2) Go to Password Management Policy
    3) Select Enable from Reset Password upon next time.
    Would be great if you can help with this
    TIA
    Greg

  • Why can't I login into my Apple account without being forced to change my password.

    I received an email from Apple:
    "The following changes to your Apple ID (xxxxxxxxxxxx) were made on 01 January 2015 at 17:52:54 (GMT):
    Shipping and/or billing address.
    When I log on to check my Shipping and Billing address I am prompted to change my password, which I do NOT want to do.
    I cannot go any further than the forced password change screen.
    How do I check my account details without changing my password?
    I am not happy with being forced to change my password. It almost makes me wonder if I have been redirected to a 'scam' site.

    How are you trying to log into your account? You can log into an account:
    - via the 'manage your apple id' button on http://appleid.apple.com
    - Store > View Account menu option on a computer's iTunes
    - tapping on the id in Settings > iTunes & App Store on an iOS device
    All three let you view and/or change your billing address, though only the last lets you view payment details. You could try one of the other methods and see if they let you log in without requesting a password change.
    This page lists the current requirements for passwords: Security and your Apple ID.
    If you want to check your account's purchase history then you can do so via the Store > View Account menu option on your computer's iTunes, or you can view the last 90 days' purchases via http://reportaproblem.apple.com

  • NAC Guest server allow password change

    hi,
    I see there is an option to "allow password change" or "force password change" for guest roles in the NGS. But when I created a guest account using this guest role, after web authentication there is no prompt to change the password. Is this the intended behaviour, or is there anything else that I need to configure? Looking at it, I am not sure how the NGS would allow a "guest user" to really overwrite the password by allowing password change. Is that not a security risk as well for the NGS? My setup has a 5508 anchor controller and NGS communicating via RADIUS.
    regards
    Joe

    Rob,
    We had much the same issue, more around using AD for SSO for sponsors as well as using the NGS as the hotspot.
    The way around it for us was to have the NGS sit on the inside of the network, with a FQDN (fully qualified domain name) that had a public IP address to the outside world, but also a CNAME to an internal address on the inside of the network, and ran NAT on our firewall at the DMZ to link the public and private IP together.
    The flow looks something like this:
    Wireless Client --> (public IP: NAT'd to private IP) --> Firewall --> NGS on internal network
    NGS on internal network <-- (private IP) sponsor
    NGS on internal network <-- (private IP) active-directory
    The reason we use a CNAME internally is so we can maintain the FQDN, which is publicly signed by an external CA.
    This seems to work ok. Also, the anchor controller we have for guest access has a FQDN assigned to its virtual interface which is also publicly signed by an external CA.
    This stops all the security pop-ups and provides a more seamless experience to wireless clients associating with the network.
    Security is taken care of by strictly controlling access to the NGS both on the anchor controller using ACLs and also on the DMZ firewall. So if traffic targeting the NGS comes in from the internet from an untrusted/unknown IP range or TCP port then it will not be permitted.
    Hope this makes sense?

  • OAM - Force password reset - eDirectory

    I have a form based authentication scheme that uses eDirectory. Authentication is working. What I want to do is force all users to change their password upon next login. I set up a password policy and defined my Password Change Redirect URL and Password Expiry Warning Redirect URL but I'm not sure what to do to trigger the system to redirect the user to the password change piece after logging in. Is there some attribute in eDirectory I can set for each user to accomplish this? Any other ideas?

    Hi Scott,
    In order to apply password policies, OAM only reacts to attributes that belong to its own password policy class (oblixpersonpwdpolicy) - out of the box, OAM manages these attributes, eg storing the password history or the number of failed login attempts.
    For a forced password change, OAM looks to see if the value of the user's obpasswordchangeflag is set to "true", in which case it will apply the redirect for password change during the login process (OAM automatically updates this attribute when the user's password is changed via the WebPass by an admin). If you want this to be applied to every user, you could do some kind of bulk update of the attribute using an ldap utility.
    Regards,
    Colin

  • EDW - setting and enforcing password policies

    We would like to force password changes, force stronger passwords, etc. We have set things up this way on the login server password policy screens, but the changes in policy don't seem to be working. (Users with passwords that are identical to their userids are not forced to change their passwords.) Any suggestions?

    There is only if there is more than one resource but selecting which resource to change the password on is not the issue. The problem is if I select the check box, indicating that I want to change the password on the resource, the resource password policy is enforced when generating the password, not the user's assigned password policy.
    Maybe I'm not describing it well enough. It is a tad complex. Here's the steps I took to get into this situation.
    1) Create a low-strength password policy.
    2) Assign the low strength password policy to the resource under the "Identity System Parameters" for the resource. This should enforce a minimum level of password strength for the given resource.
    3) Create a high strength password policy.
    4) Create an account policy and link the high strength password policy to the account policy.
    5) Edit a user and select the "Assignments Tab".
    6) Assign the account policy (with the high strength password policy) to the user.
    7) Reset the user's password in the admin interface selecting the resource's checkbox.
    8) The password generated by IDM is based on the low strength resource password policy, not the high strength policy assigned to the user.
    So in theory now, the user has an account policy that in turn has a password policy that is stronger than the resources enforced password policy. The problem is when I reset the user's password (selecting the resource to reset the password on) the user's assigned policy is not used when generating the password. I don't know and can't tell if this is standard behaviour.
    Ideally I'd like to figure out a way to force IDM to use the user's assigned policy rather than the resource policy when generating the password.
    In all other cases I'm able to manually ensure that the password passes the user's assigned policy. It is only in the case of a password reset where it is not possible to do so. So... I'm looking for work-arounds.

  • Why did I randomly signed out and said "Password c...

    I was just messaging my friends on Skype; it randomly kicked me out and said "Password changed, log in new password".
    I was like, what the hell? I didn't change anything. I tried logging back in; it didn't work. I tried resetting it; it also didn't work, says contact support or something. I really need this account back. Am I hacked or something?

    Yes, Same Problem!
    I just did the unlink skype account from microsoft account.
    (DID I EVER DO THIS??? OR DID SKYPE?????)
    I'm still logged in, so that might have worked.  
    The following is a flame to SKYPE:
    This started happening to me at a very, very awkward time (like just before an important call).
    YOUR error message to me was to update.
    I updated.
    Your next error message to me included this Unlink to microsoft account.
    Obviously not my problem cause I didn't link them . . . . and my primary microsoft account is a different email address (firstname.lastname)
    Why not have the error message APOLOGIZE to me for perhaps doing this.  

  • Account password changed

    Hi, my account on Skype, tech271, has been hacked and the password changed on it. On trying to reset it, it turns out the email address I used has also had its password changed, so I can't get into it either; the secondary address set up in Windows I've never seen before. I have never purchased Skype credit or used it to call, so I couldn't reset it.
    Is there any other way I can get this account back? I have hundreds of contacts and groups on it for online gaming and losing it will be a pain. I can supply names of contacts and groups that have been used lately on it if this would help.
    Davy

    No one has access to it- as far as the internet goes..I don't do any type of sharing so I can't or don't know of any other way anyone would be able to access it.
    Thank you. Same thing just happened to the admin account as the other account. The password had been changed. I have not done anything and no one has physical access to the computer so I am very confused as to how both my admin and regular account passwords were changed in the same day/time frame. Prior to the regular account password not working, the admin. one was working fine. Then I fixed the regular account password by changing it through the admin. account. Then I go back to the admin account and it won't accept the same password it just did! I was able to recover it with the master password and it's working now....but I am still in a state of confusion.

  • Windows 7 Expired Password - Recvd Warning prompts but not forced to change password

    Our Windows 7 users are prompted when their passwords will expire in 14 days; however, they are not forced to change their password before it expires. If the users ignore the expiration warning they can only get logged into the network after having the helpdesk reset their password.
    Is there a way to force Windows 7 users to change their passwords on the day they expire? Our WinXP users get the 14 day warning and are forced to change their passwords on day 14.
    I have the GPO configured to notify users when their passwords will expire in 14 days.
    Thank you,
    Glen

    Hi,
    After applying the above settings, the user can change the password by default on the expiry day. Please create a new domain profile and test the issue on several Windows 7 machines. Can the user be forced to change the password on the expiry day? If not, please refer to the following steps to collect the information for research.
    1. On the DC, open GPMC, right-click Group Policy Results, choose Group Policy Results Wizard, and follow the wizard to collect a Group Policy result for the problematic Windows 7 client.
    2. On the Windows 7 machine where the GPO failed to apply, please perform the following steps to collect log files:
    a) Please add the specified registry key to enable group policy logging (%windir%\debug\usermode\gpsvc.log), and remove or rename it to disable group policy logging after collecting data. You may need to create the Diagnostics key if it is not there.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    Type: DWORD
    Value: GPSvcDebugLevel
    Data: 0x30002 (hexadecimal)
    b) Then on the problematic Win7 machine, run the command "gpupdate /force".
    c) Then on the problematic Win7 machine, run the command "gpresult /v > gpr_win7.txt" and send me the gpr_win7.txt file.
    d) On the problematic Win7 machine, run the command "eventvwr", then expand Applications and Services Logs -> Microsoft -> Windows -> GroupPolicy -> Operational. Right-click on it and click "Save events as". Save the file in .evtx format and send it to me.
    e) After that, please send me the above output files (please zip them first and then send them to me).
    - %windir%\debug\usermode\gpsvc.log
    - gpr_win7.txt
    - win7.evtx
    Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the GPMC result and the zip files, and then give us the download address.
    Thanks,
    Novak

  • Error when forced to change password

    Hello,
    We are running W7 Embedded Standard edition. We have a unit where the user is forced to change their password but gets the error message "configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied". It is a standalone PC. To rebuild will require a huge effort. This is the only active account on the PC. The Administrator and guest accounts are disabled. Any suggestions on how to get around this?

    If FBWF or EWF is in the image, disable them and then try changing the password. Also, make sure the user didn't attach the machine to a domain.
    You can also change the local account policy so passwords never time out. You can create a custom security policy template that installs with the OS that disables password timeout.
    www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

  • I loaded what I guess is the new version of Firefox and it completely changed my whole task bar. I don't have my Norton Logins with stored passwords, and it's hard to find my favorites. Help get it back to how it was.

    Credit Tony E
    To downgrade to Firefox 3.6 first uninstall Firefox 4, but do not select the option to "Remove my Firefox personal data". If you select that option it will delete your bookmarks, passwords and other user data. See https://support.mozilla.com/kb/Uninstalling+Firefox
    You can then install the latest version of Firefox 3.6 available from http://www.mozilla.com/en-US/firefox/all-older.html - it will automatically use your current bookmarks, passwords etc.
    To avoid possible problems with downgrading, I recommend going to your profile folder and deleting the following files if they exist - extensions.cache, extensions.rdf, extensions.ini, extensions.sqlite and localstore.rdf. Deleting these files will force Firefox to rebuild the list of installed extensions, checking their compatibility, and reset toolbar customizations.
    For details of how to find your profile folder see https://support.mozilla.com/kb/Profiles
