ADMT 3.2 - Force Password Migration

Hello, I am using ADMT v3.2 in an interforest migration.  My question is related to the Password Export Service (PES) v3.1. 
I am migrating user account passwords from a source domain to a target domain.  Everything works fine migrating the passwords for the first time.  However, when I attempt to migrate the password again, I receive a message in the ADMT log stating:
2010-08-17 14:50:10 Did not try to copy the password for CN=user, since the source password has not been changed since the last migration of this user.
I need to know if there is a way to work around this issue, either through the ADMT tool or otherwise?  Thanks.

Hi,
If I understand correctly, you mean that the password has NOT been changed between the first and second migration attempts. In this case, could you please tell me why you need to
get the source password copied to the target domain again? I am afraid that there is no option in the ADMT tool to meet the requirement.
I look forward to your response.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Similar Messages

  • How to implement Force password change during authentication

    Description of problem
    Our client requires web applications to support its internal security policy beyond normal authentication. This includes:
    - force password change periodically. This should be performed at logon time.
    - maintain password history so that a new password would not repeat any of its previous 15 changes.
    We already have an authentication server that satisfies these requirements. However, we would also like to base our solution on the WebLogic security framework so that we can leverage the benefit of container-managed declarative security (e.g. we don't need to use our special cookie to check whether a user is authenticated for every web page in the application). So the best scenario for us is to wrap up this authentication server using the WLS 7.0 authentication SSPI.
    My initial investigation of the WLS 7.0 security framework (based on edocs and the sample custom security provider code) convinced me that overall, this is achievable. However, I am still left with quite a few questions, which I would like to get your help with.
    Questions:
    1. (web container) The J2EE-standard container-based authentication is to specify the <login-config> element. My understanding is that only FORM based authentication is applicable. The specified form elements:
    <form method="post" action="j_security_check">
    <INPUT TYPE="TEXT" NAME="j_username">
    <INPUT TYPE= "password" NAME="j_password">
    </form>
    are adequate for authentication. However, if the authentication service provider indicates that a password change is needed, what would be the most appropriate way within WebLogic for the authentication service provider to pass such a flag to the web container so that our application can access it? I guess a simpler question would be: using the standard <login-config>, the webapp knows only whether authentication fails or succeeds. Can it possibly know more information provided by the authentication service provider right after authentication?
    2) If we don't use standard FORM-based authentication, we will code up our own authentication control, which could give us a lot more flexibility, but can we then bind our Subject obtained through our authentication control to the WebLogic Subject that is running the webapp?
    3) (Authentication service provider) Our design is for the custom LoginModule to delegate login calls to the authentication server, and throw more refined exceptions such as FailedLoginException, PasswordExpiredException, UserAccountLockedException (all subclassed from LoginException). Another approach is to provide detailed information such as "password expired" in callbacks. Either way, when the authentication service provider returns, how can our web application access this refined flag of the authentication result?
    4) Can our custom authentication service provider use a DataSource defined in a WebLogic server? I ask this question because the DataSource itself is a protected resource of WebLogic. Will referencing it during authentication initiate another authentication cycle?
    Can anyone who has experienced similar requirements and worked solutions please give me a hint? I appreciate your guidance.
    regards
    Licheng

    "Licheng" == Licheng <[email protected]> writes:
    Licheng> Description of problem
    Licheng> Our client requires web applications to support its internal security policy beyond
    Licheng> normal authentication. This includes:
    Licheng> - force password change periodically. This should be performed at logon time.
    Licheng> - maintain password history so that a new password would not repeat any of its
    Licheng> previous 15 changes.
    Licheng> ..
    Licheng> We already have an authentication server that satisfy these requirements. However,
    Licheng> we would also like to base our solution on WebLogic security framework so that
    Licheng> we can leverage the benefit of the container-managed declarative security (e.g.
    Licheng> we don't need to use our special cookie to check whether a user is authenticated
    Licheng> for every web page in the application). So the best scenario for us is to wrap
    Licheng> up this authentication server using WLS 7.0 authentication SSPI.
    I believe it's impractical to fit the requirement of forcing a password change into the standard JAAS interface.
    I think the only practical way to do this is to implement a servlet filter that reads the persistent record of the logged-in user to check for a "force change password flag". If it finds this, the servlet filter will forward to a page to change your password. Note that the servlet filter may be hit again when trying to get to the change password page, so it needs to know to not do the check in that case.
    If you implement this, I would strongly urge you to softcode the "change password" page URL in your system configuration, and not hardcode it in the servlet filter.
    ===================================================================
    David M. Karr ; Java/J2EE/XML/Unix/C++
    [email protected] ; SCJP; SCWCD

  • ADFS 3.0 and force password change

    I was wondering if anyone knows if ADFS 3.0 supports the AD flag "Force password change at first login"?  I know 2.0 does not. I have been integrating Shibboleth with my ADFS and a custom login handler, but I would really like to not complicate my setup and use straight ADFS if at all possible.  Our ADFS setup would be for SSO into our on-premise SharePoint 2010 server. Even if 3.0 returns an error indicating that the password needs to be changed, at least I can then tell the student that and direct them to our FIM server to have them register and set their password.  Any thoughts?
    Thanks
    Joe
    Joe M

    Brian,
    I understand that Azure AD won't store the password.  This is all on-premise servers, nothing in Azure.  I see that with ADFS 3.0, if the flag is set to change password at next logon, the user does get a different message than if they just typed a wrong password.  I guess what I am looking at doing is, instead of them getting the message that their password is expired, redirect them to our FIM server so that they can register for self-service as well as set their new password.  In ADFS 2, the returned message was the same whether it was an expired password or a wrong password.  So ADFS 3 is nice in that regard. Now it is just a matter of trying to take advantage of that.  I thought about maybe creating a relying party trust to our FIM with a claim on that attribute, but I'm just not sure how to go about doing that at the moment.
    Joe M

  • ADMT 3.2 Intraforest Computer Migration Group Membership

    Hello friends,
    I'm performing an intraforest migration. I'm in the testing phase with computer migrations. The fact is that the computers belong to Universal Groups in the source domain and also in the target domain. Some of the groups are used to apply GPOs. Problem: when I do the migration from the source domain to the target domain, ADMT does not add the migrated computer to the same groups it was in in the source domain. ADMT is able to add the migrated computer to groups that are not used for GPOs. Does somebody know why this is happening? What can I do in order to maintain the group membership of my computer?
    Thank you!

    Hi,
    Usually, it is recommended that we perform migration in the following steps:
    Group migration
    Users account migration
    Services account migration
    Security Translation
    Computers account migration
    To perform an intra-forest migration, the following article can be used as a reference.
    Checklist: Performing an Intra-forest Migration
    http://technet.microsoft.com/en-us/library/cc974337(v=ws.10).aspx
    Best regards,
    Frank Shen

  • Forced to migrate to Icloud and Lion?

    Why do Apple customers accept being forced to migrate to iCloud and Lion (an OS with bad reviews) before the end of June, knowing that Mountain Lion will be available a few weeks later?

    For the reviews on the App Store, people who have problems are the ones most likely to post. Millions of people out there didn't give their opinion. Lion has some problems like every other previous OS that came out, and it's getting better with each new release. As others pointed out, SL was no different. I've read posts on every system that came out about how bad it was and how they wanted to go back to the previous version.
    For the loss of the MMe features, I can't do anything about that. I've never used MMe, but the only thing I see that's being lost is iDisk. Most unfortunate for those who use it, but surely it can be replaced. iCloud does provide other features that MMe didn't have.
    Other than iDisk, you can still keep your .me address with SL and continue to use it. You don't have to transfer to Lion. The .me is IMAP and will sync between all devices.
    For your question, I've never used iDisk personally. If you state exactly what your question and concerns are, someone else may have an answer.

  • OAM - Force password reset - eDirectory

    I have a form based authentication scheme that uses eDirectory. Authentication is working. What I want to do is force all users to change their password upon next login. I set up a password policy and defined my Password Change Redirect URL and Password Expiry Warning Redirect URL but I'm not sure what to do to trigger the system to redirect the user to the password change piece after logging in. Is there some attribute in eDirectory I can set for each user to accomplish this? Any other ideas?

    Hi Scott,
    In order to apply password policies, OAM only reacts to attributes that belong to its own password policy class (oblixpersonpwdpolicy). Out of the box, OAM manages these attributes, e.g. storing the password history or the number of failed login attempts.
    For a forced password change, OAM looks to see if the value of the user's obpasswordchangeflag is set to "true", in which case it will apply the redirect for password change during the login process (OAM automatically updates this attribute when the user's password is changed via the WebPass by an admin). If you want this to be applied to every user, you could do some kind of bulk update of the attribute using an ldap utility.
    Regards,
    Colin

  • Customer Password Migration Oracle ATG Commerce

    Hello,
    Is it possible to migrate all customer passwords from 9.1 to 10.1? If so, how is it accomplished?

    While upgrading to 10.1, if you have existing user profiles whose passwords were hashed with the older DigestPasswordHasher then those existing users will not be able to login because of mismatch in the new hash value and the old one. You would either have to force customers to change their passwords or revert to the old (pre-10.1) settings. To revert to the older settings, you can start your application with the md5 configuration layer. You can enable this configuration layer by including the -layer md5 flag to the runAssembler command while assembling your application.

  • Best way to force password policy on users within 1-2 weeks?

    We have a Server 2008 R2 domain.
    I'd read that the password policy in GPO is only available for Computer Configuration, not User Configuration? Is that correct? 
    If so, that's not very flexible and will make things trickier for us.  
    And regarding enforcing a password policy with a GPO on our local domain, do you know of a way to force users to change their passwords within, say, 1 week?    (The only options I know of are on the AD User account properties, check the box "User must change password at next logon" (then you'd have to force them to log out) OR relying on AD's internal formula: webactivedirectory.com/.../how-active-directory-calculates-account-password-expiration-dates .  The problem I see with the latter is, if your user hasn't changed their pw for a year, you'd have to wait a year + how many days you set for max password age?)
    spnewbie

    To add, the password policy is applied at the domain level and only works at the domain level. It's not the fact that it's at the "Computer Level" or "User Level" or not, it's the fact that it's only set at the domain level.
    Account policies (Password, Lockout and Kerb), are all under the Computer Config because it forces it to apply to all user accounts that access all machines.
    If you tried to create a password policy at any other level (any OU), it won't work. The only option is to use PSOs, as Mahdi pointed out.
    As for that Spiceworks thread, I would suggest to post a question about a specific product to the product vendor's support forum for accurate responses.
    Here's an excerpt from MOC 6425C Configuring and Troubleshooting Windows Server 2008 Active Directory, page 10-8 (and this applies to all versions of AD):
    Active Directory supports one set of password and lockout policies for a domain. These policies are configured in a GPO that is scoped to the domain. A new domain contains a GPO called the Default Domain Policy that is linked to the domain and that includes the default policy settings for password, account lockout, and Kerberos policies. You can change the settings by editing the Default Domain Policy GPO.
    The best practice is to edit the Default Domain Policy GPO to specify the password policy settings for your organization. You should also use the Default Domain Policy GPO to specify account lockout policies and Kerberos policies. Do not use the Default Domain Policy GPO to deploy any other custom policy settings. In other words, the Default Domain Policy GPO only defines the password, account lockout, and Kerberos policies for the domain. Additionally, do not define password, account lockout, or Kerberos policies for the domain in any other GPO.
    The password settings configured in the Default Domain Policy affect all user accounts in the domain. The settings can be overridden, however, by the password-related properties of the individual user accounts. On the Account tab of a user's Properties dialog box, you can specify settings such as Password Never Expires or Store Passwords Using Reversible Encryption. For example, if five users have an application that requires direct access to their passwords, you can configure the accounts for those users to store their passwords by using reversible encryption.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
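Both mechanisms the thread names, a PSO for a group and the per-account "User must change password at next logon" flag, in one script using the ActiveDirectory module, so that everyone in scope is prompted within the window instead of waiting on pwdLastSet plus the maximum age. This is an added example, not code from the thread; the group name, the PSO settings and the seven-day window are assumptions, and Set-ADUser is run with -WhatIf so nothing changes until you remove it.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT) and a
# domain functional level of 2008 or higher for fine-grained password policies (PSOs).
Import-Module ActiveDirectory

$TargetGroup = 'PasswordRollout-Users'   # assumption: group that should get the new policy
$MaxAgeDays  = 7                          # assumption: the "within 1 week" window
$PsoName     = 'PSO-7DayMaxAge'           # assumption: PSO name

# 1. A PSO scoped to a group. Unlike a password policy in a GPO linked to an OU, which is
#    silently ignored, this really changes the settings for its members. Lower precedence wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
        -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $TargetGroup
}

# 2. Staged rollout. Members whose password is already older than the window would be
#    expired all at once by the PSO; flagging them in daily batches spreads the help-desk
#    load. Disabled accounts and 'Password never expires' accounts are skipped: the flag
#    has no effect on the latter, and forcing a change on a service account breaks things.
$cutoff  = (Get-Date).AddDays(-$MaxAgeDays)
$members = Get-ADGroupMember -Identity $TargetGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired

$stale = @($members | Where-Object {
    $_.Enabled -and -not $_.PasswordNeverExpires -and
    ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
})

# Verify before acting: the resultant policy is what the DC will really enforce for the
# user. A warning here usually means a PSO with a lower precedence number also applies.
foreach ($u in $stale) {
    $rpp = Get-ADUserResultantPasswordPolicy -Identity $u
    if (-not $rpp -or $rpp.Name -ne $PsoName) {
        Write-Warning ("{0}: resultant policy is '{1}', not {2}" -f $u.SamAccountName, $rpp.Name, $PsoName)
    }
}

# One slice per day; re-run daily until $stale is empty. -ChangePasswordAtLogon sets
# pwdLastSet = 0, which is only noticed at the next interactive logon (it does not log
# anyone off). Sorting by PasswordLastSet flags the oldest passwords first.
$batchSize = [math]::Ceiling($stale.Count / $MaxAgeDays)
$stale | Sort-Object PasswordLastSet | Select-Object -First $batchSize | ForEach-Object {
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf   # remove -WhatIf to apply
}
```

Run it from a host with RSAT as an account that can create PSOs (Domain Admins by default) and schedule it daily for the length of the window. Accounts with a null PasswordLastSet are treated as stale on purpose: that is what pwdLastSet = 0 looks like, and it means the user is already flagged or has never set a password.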

  • Force password reset

    Hello,
    is it possible to force a user to reset/change their password the next time they log into the site?
    Thanks in advance.
    Mike.

    I just copied this code and created a plugin locally and it worked for me ... however this code only runs for B2B customers, so if you are testing as manager it won't do anything.
    The line
    if (act.AccountType == "B")
    means to only execute the inner code if the customer is B2B; if you wanted to change it to B2B or B2C then use this
    if (act.AccountType == "B" || act.AccountType == "C")
    If you need this to run for internal users like manager then use "I" for the account type. If you want it to run for everyone then remove the "if" statement altogether along with the enclosing brackets.
    I mentioned this before, but if you are running this as a plugin then you need to add code so you don't get into an infinite loop, so change
    if (!IsPostBack)
    to
    if (!IsPostBack && System.Web.VirtualPathUtility.GetFileName(bp.Request.Path) != "changepassword.aspx")
    so the code executes on all pages except the changepassword page.
    Here's the full code that I am using
    void Page_Load(object sender, System.EventArgs e)
    {
        NPBasePage bp = (NPBasePage)Page;
        // Skip postbacks and the change-password page itself, or the redirect loops forever
        if (!IsPostBack && System.Web.VirtualPathUtility.GetFileName(bp.Request.Path) != "changepassword.aspx")
        {
            NPAccount act = new NPAccount(bp.AccountID);
            if (act.AccountType == "B" || act.AccountType == "C")   // B2B or B2C only
            {
                NPUser usr = new NPUser(bp.UserID);
                if (usr.LastPasswordChangeDate == DateTime.MinValue)  // never changed
                    bp.Response.Redirect("~/common/user/changepassword.aspx");
            }
        }
    }

  • Challenge question and password migration from OIM 10g to 11g R2

    Hi all,
    can you please tell me how I do the migration of OIM 10g users' passwords and challenge questions to OIM 11g R2? Do we have any API to do it? These values are in encrypted format in the OIM DB.
    Thanks

    Run your SQL query to output the encrypted fields to a flat file or CSV, and include the usr_login field so you know which user to assign the values to.
    Copy your config folder from your OIM server and create a path like c:\xellerate\config. In your code, when you connect to OIM, use this:
    System.setProperty("XL.HomeDir", "c:/xellerate");
    System.setProperty("java.security.auth.login.config", "c:/xellerate/config/authwl.conf");
    Now, when you read the file and have the encrypted field, use this code:
    String decryptValue= tcCryptoUtil.decrypt(encryptValue, "DBSecretKey");
    Now that you have the unencrypted value from your 9.x instance, you can use the APIs to set challenge questions, and set user passwords with the 11g APIs.
    -Kevin

  • Force password on system wakeup but not on display wakeup

    Hi everybody,
    is it possible to disable the need for a password when the display times out, but require a password if the lid is closed and opened up again?
    I've found the possibility to set a timeout for both of them, coupled, in Lion. But I want the system to never ask for a password when the screen goes to sleep, but always ask for a password when the lid is closed and opened up again.
    Thanks in advance for your help.

    Ramonekalsaw
    I just wanted to inform you that I went to my local Apple Store and the technical staff told me the keychain issue should be looked at by them, and to bring in the iMac to figure out this issue. It should not be figured out by yourself as it could be a critical security problem.
    Pashue

  • Forcing password change

    Is there a mechanism to force a user to change their password after xx days?

    Hi Venky,
    Yes we are setting the pwdMustChange attribute in OID:
    1) Login to oidadmin.
    2) Go to Password Management Policy
    3) Select Enable from "Reset Password upon next time".
    Would be great if you can help with this.
    TIA
    Greg

  • Forcing Password Changes

    I've got some scenarios I've been asked to research regarding expiring passwords and preventing account lockouts. We are on Windows 7.
    If a user is logged in while their password expires, is it possible to force a prompt to have them change their password before they log out.
    If a user's screen is locked while their password expires, is it possible to set a password change prompt when they attempt to unlock?
    I guess the theme is how can password changes be forced before a user can get locked out after password expiration???
    Thanks,
    Matt

    The only thing you can change is the notification about how many days it is before the password expires.
    http://technet.microsoft.com/en-us/library/ee829687(v=ws.10).aspx

  • How to force password policy requirements on password resets for user accounts reset by the Administrator?

    OS: Windows Server 2008 R2 Enterprise
    Domain Level: 2008
    Forest Level: 2000
    We have Domain Administrators in our domain that reset passwords for user accounts, and the passwords the Administrators set them to are not being forced to follow our default domain password policy. For example, I log on to the domain controller as an administrator and can reset a password for a user account to be blank.
    Is there a reason Domain Administrator password resets for user accounts are not enforced by our default domain password policy? Is there a way to enforce this on password resets by Domain Admins?

    Do you have a fine-grained password policy? If not, by default all the users are affected by the domain-level password policy, even domain admins.
    Regards~Biswajit
    Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
    MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    MY BLOG
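A check that answers the question for a specific account rather than by assumption: which policy the DC actually applies to that user (a PSO or the Default Domain Policy) and whether the account carries the PASSWD_NOTREQD bit in userAccountControl, which is the usual reason a blank password is accepted on a reset regardless of the minimum length in any policy. Added example using the ActiveDirectory module, not from the thread; the user name 'jdoe' is an assumption.

```powershell
# Added example, not from the thread. Shows what the DC really enforces for one account
# and sweeps the domain for accounts that are allowed an empty password.
Import-Module ActiveDirectory

function Get-EffectivePasswordRules {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties userAccountControl
    # A PSO applied to the user or one of its groups wins over the Default Domain Policy;
    # if none applies, the cmdlet returns nothing and the domain policy is in force.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $user
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }

    [pscustomobject]@{
        User                = $user.SamAccountName
        PolicySource        = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }
        MinPasswordLength   = $policy.MinPasswordLength
        ComplexityEnabled   = $policy.ComplexityEnabled
        PasswordHistory     = $policy.PasswordHistoryCount
        # userAccountControl 0x0020 = PASSWD_NOTREQD: an empty password is accepted for this
        # account no matter what MinPasswordLength says, on user changes and admin resets alike.
        PasswordNotRequired = [bool]($user.userAccountControl -band 0x20)
    }
}

# Domain-wide sweep: every enabled account with PASSWD_NOTREQD (bit 32) set.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; bit 2 is ACCOUNTDISABLE.
function Find-PasswordNotRequiredAccounts {
    $filter = '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=32)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl |
        Select-Object SamAccountName, DistinguishedName
}

# Remediation for one account: clear the bit and require a policy-compliant password at
# the next logon. Run with -WhatIf first if you are unsure which accounts are in scope.
function Repair-PasswordNotRequired {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -PasswordNotRequired $false -ChangePasswordAtLogon $true
}

Get-EffectivePasswordRules -SamAccountName 'jdoe'    # assumption: a test user
Find-PasswordNotRequiredAccounts
```

If the sweep returns accounts you did not expect, look at how they were created: tools that provision users with an empty initial password (scripts using New-ADUser without -AccountPassword, older bulk-import utilities) set this bit, and it survives later password resets until someone clears it.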

  • Creative Cloud Mac app says "Your Home Feed Is Empty" after forced password reset

    After resetting my CC password, the CC app on my Mac says "Your Home Feed Is Empty", except I already have Ps, In, Ai and Acrobat XI installed.  It looks like I have to download them all again; is this the case?  Have quit out of the CC app, restarted the Mac, etc., no change.
    Hope you can help.

    In case that was ambiguous, Ps, Ai, In etc. are all running fine, and were installed through the CC app before the password reset.  So to get updates through the CC app, do I need to download them all again?
