Expired password

Similar Messages

• Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?

  What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
  We already send automated email notifications to users reminding them to change their soon-to-expire passwords.  However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation or just carelessness
  and lack of attention to email messages) or they see the warning messages and forget to act on it.
  When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user the reason they can't log in is because their password expired.  So, they end up confused and call the help desk to get their
  password reset.
  Is there a way to set up SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating
  their login failed for unknown reasons or password is "incorrect?"

  It could be done. You get a different event log entry for an expired login attempt than for a wrong password, 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
  A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
  For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
  There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
  http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

• Which attribute shows if a user has an expired password?

  DSEE 6.3
  I created my own password policy, and applied it to a single user.
  I would like to know which attribute shows if a user has an expired password, and how do I query that attribute for the user. How would I query the time till expiration as well?
  I am basically looking for example queries to such information.
  thanks,

  My limited experience with this sort of thing is to run a query like the following:
  ldapsearch -1TL -h `hostname` -D 'cn=Directory Manager' -b "dc=<your dc>,dc=com" uid=<uid your choice> pwdAccountLockedTime pwdFailureTime pwdLastAuthTim
  e pwdChangedTime passwordRetryCount nscpentrywsi
  This dumps some helpful stuff. I've noticed ... in our ldap instance that a locked account has the following output:
  pwdAccountLockedTime: 000001010000Z
  I don't know why it shows up that way ... but it's something I can key on and search for to find locked accounts. Not necessarily an indication that a password has expired, of course, but sort of interesting to me. An account can be locked for other reasons obviously.
  I think pwdChangedTime might be what you want assuming you know what the password expiration time is set to ...

• SSH / Expired Passwords

  I've recently installed a batch of servers with Solaris 10 10/08 and have noticed that the way the Solaris sshd implementation deals with password change on login is different to previous versions of Solaris SSH and/or OpenSSH installed in out environment.
  When the user with expired password logs in, he is prompted for a new password. If this password does not meet the complexity standards set for user passwords, the user is then prompted for their original password again instead of being asked to add a valid new password. This has led to a lot of users locking out their accounts because they keep trying to put in the new password
  The session output looks like this
  ssh -l user serverPassword: <-Enter Existing Password Here
  Warning: Your password has expired, please change it now.
  New Password: <-Enter new password that does not meet password standards
  sshd-kbdint: The password must contain at least 1 uppercase alpha character(s).
  Password: <- System requests exising password again
  Warning: Your password has expired, please change it now.
  New Password: <-Enter new valid password
  Re-enter new Password: <-Re-enter new valid password
  sshd-kbdint: password successfully changed for user
  Any idea why this may be happening?
  Thanks.
  K

  Can you use ssh keys instead? This would allow using your own pass phrase associated with the key you create.
  ssh-keygen -t rsa
  Now copy the *$HOME/.ssh/id_rsa.pub* file to each site and append the *id_rsa.pub* file to the remote account's *.ssh/authorized_keys* file (repeat the copy and append 29 more times).
  Now you should be able to connect based on your ssh key and no longer need to enter the long convoluted password. Instead you just need to enter your own selected ssh key pass phrase.
  And you can use *ssh-add* after starting your Mac to add your pass phrase to the ssh-agent already running in the background. Once you do this, ssh will ask the ssh-agent before prompting you for a pass phrase it already knows.
  This should totally streamline your ssh and scp access to the 30 remote sites.

• Cisco ISE - User with expired password is forced to logoff before they can change password.

  I came across a situation today where a user was logged into a laptop with an expired password and could not change it by simply locking the computer and logging in with the correct credentials. (They had previously changed it on their main computer) The port restricted any communication since the user was failing authentication.
  So, the I had the user logout and immediately the computer authenticated, and the user was able to login with the correct credentials.   I dont want my users to have to logout completely in this situation.  Below is the port config and the ISE error messages.
   switchport access vlan 423
   switchport mode access
   switchport block unicast
   switchport voice vlan 425
   ip arp inspection limit rate 10
   ip access-group ACL-LOW-IMPACT-MODE in
   authentication event fail action next-method
   authentication event server dead action authorize voice
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication timer inactivity server
   authentication violation restrict
   mab
   snmp trap mac-notification change added
   dot1x pae authenticator
   dot1x timeout tx-period 3600
   spanning-tree portfast
   spanning-tree bpduguard enable
   ip dhcp snooping limit rate 100

  Completely forgot about odac version. I have ODT with ODAC 102.02 installed.
  I want to download new drivers from here:
  Oracle10g Release 2 ODAC and Oracle Developer Tools for Visual Studio .NET
  http://download.oracle.com/otn/other/ole-oo4o/ODTwithODAC1020221.exe
  And old drivers from here (just for testing)
  Oracle Developer Tools for Visual Studio .NET 10.1.0.4.0
  http://download.oracle.com/otn/other/ODT10104.exe
  Does anybody know something about these releases? Do they have the same behavior?
  Thanks.

• 802.1X cannot change expired password at login

  Hi all,
  I'm trying to roll out 802.1X authentication for wifi access at my company, however there's one major problem I can't for the life of me figure out. I'm not able to get the Macs to prompt for a password change when the password has expired at login.
  On Windows when you log in it will prompt you to change your password when it's expired. However on OSX when you're on the workstation login screen, you can see the wireless icon briefly connect, then it will think for a bit and the user cannot log in at all.
  OSX can definitely can change expired passwords via 802.1X, as if I log into a local account and connect to the wifi with the user whose password has expired, it will prompt to change it, and changes it successfully.
  I'm using NPS for RADIUS authentication against AD, and using Profile Manager in OSX Server to create the 802.1X profile.
  Does anyone have any experience with OSX and using WPA Enterprise/802.1X Profiles?
  Thanks!

  Hi,
  Can you post a screenshot for this situation?
  Sometimes, the third party credential provider would lead to some issue like this, I suggest you check the
   current credential provider via the following path:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\x\LastLoggedOnProvider
  You should compare the result with the values in the following path:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\credential providers
  If the current value is third party credential provider, try to disable it:
  To disable the provider add a REG_DWORD value "Disabled"=1 to that provider’s CLSID subkey.
  The provider will be disabled on the next session creation (sessions are created when you log off, switch users, or reboot.
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support

• Changing expired password on a cbckend database from a frontend database

  I have a split database with an Oracle backend (BE) and MS Access frontend (FE). My question is how to reset an expired password on the BE from the FE.
  If I log on to the backend via sqlplus an error ORA-28001 (Password expired) occurs and the system immediately prompts for a new password before completing the login process.
  If I log on from the frontend I get the same ORA error from the BE, but as far as I can tell, I can't reset the password from the FE.
  I can capture the error fine at the FE and I am thinking that I could use this to open a dialog to reset the password and change it over the ODBC connection. The problem is that I need to get a connection to the BE database before sending a command to change the password from the FE, but since login cannot be completed from the FE, because of the expired password, I can't get an ALTER USER statement to execute on the BE to reset the password.
  Is there a way to change a pre-expired password on an Oracle backend database from a frontend database? I don't see this as an Oracle/Access problem but as a problem that exists for any split database.

  I have thought about this a little and I am thinking about keeping a table of password update information. I can use this to create a "soft" expired password, using an expiration date in the table for each account. If the password is expired by the database then we can just update it with sqlplus or one of the other options.
  As far as getting the organization to change it is waaaay to big and stupid to change their policy.

• Simple Interface expired password change prompt

  We have a population of users who access GW exclusively through WebAcc. Some of this population has jumped on the mobile device bandwagon and so we've directed them to the simple interface when accessing GW from a mobile device.
  Some of these mobile device users now exclusively use the simple interface on their tablet/phone to access GW and when their password is expired, are never presented with the password change dialogue.
  Ive verified when user with an expired password navigates directly to the simple interface url , https://gwserver/gw/webacc?User.interface=simple, either on a mobile device or desktop browser, IE, FF, Chrome, the user consumes a grace login and is taken directly to the simple interface mailbox.
  Resetting grace logins and navigating to the standard webacc interface the GW password change dialogue is presented as expected.
  GroupWise 8.0.1 webacc on netware. I think wed refrained from going to newer releases in fear of some nasty bugs in the subsequent versions, but Ive not kept current on issues with the latest release.
  I understand the next GW version with native mobile device templates is around the corner, but management may want to address this sooner.
  Is this failure to recognize password expiry in the simple interface a know behavior?
  Regards,
  Fdiaz

  On 8/8/2011 8:36 AM, vodobaas wrote:
  > We have a population of users who access GW exclusively through WebAcc.
  > Some of this population has jumped on the mobile device bandwagon and so
  > we've directed them to the simple interface when accessing GW from a
  > mobile device.
  > Some of these mobile device users now exclusively use the simple
  > interface on their tablet/phone to access GW and when their password is
  > expired, are never presented with the password change dialogue.
  >
  > Ive verified when user with an expired password navigates directly to
  > the simple interface url ,
  > https://gwserver/gw/webacc?User.interface=simple, either on a mobile
  > device or desktop browser, IE, FF, Chrome, the user consumes a grace
  > login and is taken directly to the simple interface mailbox.
  > Resetting grace logins and navigating to the standard webacc interface
  > the GW password change dialogue is presented as expected.
  > GroupWise 8.0.1 webacc on netware. I think wed refrained from going to
  > newer releases in fear of some nasty bugs in the subsequent versions,
  > but Ive not kept current on issues with the latest release.
  > I understand the next GW version with native mobile device templates is
  > around the corner, but management may want to address this sooner.
  >
  > Is this failure to recognize password expiry in the simple interface a
  > know behavior?
  >
  > Regards,
  > Fdiaz
  I'll ask.

• Changing expired password with OCIPasswordChange

  I know that ODP.NET has a option to open a connection with a new password when the old one has expired. I'm using System.Data.OracleClient from .Net instead of ODP because I'm using the Instant Client, which does not seem to work with ODP. Can somebody tell me how to call OCIPasswordChange?

  Hi,
  OCIPasswordChange is an OCI call. You'd have to write a complete OCI application in C to be able to use that, and OCI coding isnt for the faint of heart.
  I do have a complete OCI sample that does it though.. here you go.
  Cheers,
  Greg
  This sample demonstrates the use of OCIPasswordChange once the
  password has expired, which requires setting the session into
  the service context. Tested with oci 8.1.5, vc++ 6.0 sp3.
  first create the user with expired password:
  SQL> create user testuser identified by oldpass password expire;
  SQL> grant create session to testuser;
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <oci.h>
  static OCIEnv          *p_env;
  static OCIError          *p_err;
  static OCIServer *p_srv;
  static OCISession *p_ses;
  static OCISvcCtx     *p_svc;
  void main()
       int          rc;
       char     errbuf[100];
       int          errcode;
       // Step 1: Initialize OCI
       rc = OCIInitialize((ub4) OCI_DEFAULT, (dvoid *)0,
            (dvoid * (*)(dvoid *, size_t)) 0,
            (dvoid * (*)(dvoid *, dvoid *, size_t))0,
            (void (*)(dvoid *, dvoid *)) 0 );
       // Step 2: Initialize the OCI evironment
       rc = OCIEnvInit( (OCIEnv **) &p_env, OCI_DEFAULT, (size_t) 0, (dvoid **) 0 );
       // Step 3: Initialize the OCI handles
       rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_err, OCI_HTYPE_ERROR,
            (size_t) 0, (dvoid **) 0);
       rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_svc, OCI_HTYPE_SVCCTX,
            (size_t) 0, (dvoid **) 0);
       rc = OCIHandleAlloc( (dvoid *) p_env, (dvoid **) &p_srv, OCI_HTYPE_SERVER,
            (size_t) 0, (dvoid **) 0);
       rc = OCIHandleAlloc((dvoid *) p_env, (dvoid **)&p_ses, (ub4) OCI_HTYPE_SESSION,
            (size_t) 0, (dvoid **) 0);
       // Step 4: Connect using a mutli-session connect
       rc = OCIServerAttach( p_srv, p_err,
            (text *)"local", 5, 0);
       // Create a server context
       rc = OCIAttrSet( (dvoid *) p_svc, OCI_HTYPE_SVCCTX,
            (dvoid *)p_srv, (ub4) 0,
            (ub4) OCI_ATTR_SERVER, (OCIError *) p_err);
       // Create a session context
       rc = OCIAttrSet((dvoid *) p_ses, (ub4) OCI_HTYPE_SESSION,
            (dvoid *) "testuser", (ub4) 8,
            (ub4) OCI_ATTR_USERNAME, p_err);
       rc = OCIAttrSet((dvoid *) p_ses, (ub4) OCI_HTYPE_SESSION,
            (dvoid *) "oldpass", (ub4) 7,
            (ub4) OCI_ATTR_PASSWORD, p_err);
       rc = OCIAttrSet((dvoid *) p_svc, (ub4) OCI_HTYPE_SVCCTX,
            (dvoid *) p_ses, (ub4) 0,
            (ub4) OCI_ATTR_SESSION, p_err);
       // Open the session on the server
       rc = OCISessionBegin ( p_svc, p_err, p_ses, OCI_CRED_RDBMS,
            (ub4) OCI_DEFAULT);
       // This is a generic error checking routine
       if (rc != 0)
            OCIErrorGet((dvoid *)p_err, (ub4) 1, (text *) NULL, &errcode,
                 (text*)errbuf, (ub4) sizeof(errbuf), OCI_HTYPE_ERROR);
            printf("Error - %.*s\n", 512, errbuf);
            // If the error is a 28001, change the password.
            if(errcode==28001)
                 // You need to set the Session into the service context
                 // before you can call OCIPasswordChange(), and you also need
                 // to allocate both the session and service context handles
                 // before hand. Then you can call OCIPasswordChange.
                 rc = OCIAttrSet((dvoid *)p_svc, OCI_HTYPE_SVCCTX,
                      (dvoid *)p_ses,0,OCI_ATTR_SESSION, p_err);
                 rc = OCIPasswordChange(p_svc, p_err, "testuser",8,
                      "oldpass",7, "newpass",8, OCI_DEFAULT);
                 if(rc != 0) printf("Password change failed.\n");
                 else printf("Password successfully changed.\n");
       // Step 10: Disconnect from the server and free the
       rc = OCIServerDetach( p_srv, p_err, OCI_DEFAULT );
       rc = OCIHandleFree((dvoid *) p_srv, OCI_HTYPE_SERVER);
       rc = OCIHandleFree((dvoid *) p_svc, OCI_HTYPE_SVCCTX);
       rc = OCIHandleFree((dvoid *) p_err, OCI_HTYPE_ERROR);
       printf("Disconnected.\n\n");
       return;
  }

• Change expired password using oracle jdbc thin driver

  Hello,
  I have a java program that uses the oracle jdbc thin driver (ojdbc6 - version 11.2.0.3) for database connection. My question is if I have any possibility to change an expired password (java.sql.SQLException: ORA-28001: the password has expired) using the thin driver - NOT OCI?

  No - the thin driver doesn't have any password management features.

• Sybase expired password changed via JDBC ...

  hi,
  please help me in this matter : i can't figure out how to change an already expired password via Sybase JDBC implementation ( jConnect ).
  i read the postings about Oracle having passed a custom value for this kind of change but i just don't seem to find a similar Sybase approach.
  thank you very much,
  -ionut-

  I've never used Sybase, but here's a suggestion. I'm guessing you are already trying to call the sp_password stored procedure.
  Try to call it using con.executeQuery(). Something along the lines of
  con.executeQWuery("execute sp_password 'old','new';");
  A lot of drivers make extra database calls when you use prepareCall() and prepareStatement().

• Resetting expired password from JDBC

  Hi All,
  I would like to know if it is possible to change an expired password from a java client that uses JDBC (classes12.zip) "thin client" to connect to oracle database (8.1.7.4).
  Can we capture the "password expired" exception from the client and change the expired password from within the java client.
  The current connect string is --->
  Connection conn;
  DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
  conn = DriverManager.getConnection("jdbc:oracle:thin:@host:port:sid",user,pass);
  Is it possible to do something like this ???
  try {
  conn = DriverManager.getConnection("jdbc:oracle:thin:@host:port:sid",user,pass);
  catch ( SQLException sqle ) {
  if ( sqle.getErrorCode() == 28001 ) // i.e. passwd expired
  //1. ask user to enter the new passwd &
  //2. change it in the database.
  Is there any other way of doing this ??
  Thanks in advance
  Arun

  I haven't tried this, but there some things to think about.
  1) Have you tried to capture the Exception? Is it a problem?
  2) Have you tried to alter a password through JDBC? Is it a problem? To execute other DDL you have to use executeUpdate() I would assum that if you can do this it will also require an executeUpdate().
  Now assuming #1 and #2 are OK
  3) How are you going to change a password when the you cannot connect because the password has expired? Are you going to hard code another non-expired userid/password in the code (bad idea). Are you going to ask the user to enter some type of administrative userid/password that will allow them to change their password?
  Just some thoughts, sorry I cannot help more...

• Changing expired password

  Is it possible to change expired password from JDBC 2.0?

  By JS page, I'm assuming you mean JSP (Javaserver Page?)
  The answer greatly depends on the middle-tier technology you are using.. For example straight JDBC, BC4J etc..
  If you give more info on your middle tier technology we could probably help out better..
  -Chris

• Resetting an Expired Password

  Hello All
  I am not sure if this is the right forum so please let me know if not.
  I currently have an ASP page that authenticates users against a Sun ONE LDAP server. The problem we seem to have is that when a users password expires, we cannot bind anymore. The easiest way for us to sort this would be to get the "Password has expired" return code but I cannot work out how to do this in ASP.
  Or is the problem deeper than this and once a password has expired a user cannot reset it? Do we need to change something else to allow a user to bind with their old password to reset their password. Remembering we are trying to do this all with asp.net.
  Thanks
  D

  I also am ignorant of asp.net; however, Sun DS 6 has several features that can help solve your problem if you can figure out how to access them:
  1. If you configure the "expiration warning" feature in the password policy, once a entry's password is in the warning period, an unsolicited "expiration warning" control is returned with each bind. The control data is the seconds until expiration. Password policy configuration is documented in http://docs.sun.com/app/docs/doc/820-2491/fhkrj?a=view . You can search for "OID 2.16.840.1.113730.3.4.5" on google for info about the control. You should also become familiar with the unsolicited password expired control "OID 2.16.840.1.113730.3.4.4". These controls are also implemented in DS5.
  2. If you supply the bind (or most other) operation with the IETF draft password policy request control, Sun DS 6.1 and later return a (properly encoded) password policy response control containing password policy operational state. Search for "OID 1.3.6.1.4.1.42.2.27.8.5.1"
  3. Your application can request the operational state of an entry via the user status control in Sun DS 6.1 and later. Search for "OID 1.3.6.1.4.1.42.2.27.9.5.8"
  4. If you have implemented some form of expiration warning, then presumably the majority of your users will have changed passwords before expiration, and you can force the others to go through some self-service or help-desk password reset function (i.e., enable must-change-on-reset, then administratively change the user's password, forcing him/her to change it at next bind).
  5. If you want to allow users with an expired password to access the DS solely for the purpose of changing the password, see http://docs.sun.com/app/docs/doc/820-2491/6ne3dhdht?a=view#resetting-expired-passwords . If you do some more investigation on Sun DS (6.2 and later) implementation of the password modify extended operation (and ldappasswd), you should find details on enabling the extension to allow a user to change an expired password.
  6. You might also take a look at http://docs.sun.com/app/docs/doc/820-2490/6ne3cisoj?a=view#pwdpol for an overview of the new password policy implementation in DS6, compared to the DS5 password policy, and the strategy to migrate from DS5 to DS6.

• CFLDAP & Expired password

  Hi,
  We have recently implmented CFLDAP authentication on one of
  our websites & discovered a new issue of expired passwords.
  I have been trying to read attrubutes like maxPwdAge or
  accountExpires but not able to read the values as I guesss they are
  flags. What I found on net is that coldfusion is not capable to
  read ADSI & need to use java or vb object. Is that correct or
  is there any other method of checking the expired password &
  redirecting the page to change password form.
  Thanks in advance
  Any help is greatly appreciated
  Thanks

  alter user <username> identified by <new_password>;
  to make password unexpired:
  in the profile of the user--> alter profile <profile_name> LIMIT password_life_time UNLIMITED;
  *not recommended                                                                                                                                                                                                                                                                                                                                                                                                       

• Password reset is disabled.  Expired password does not cause reset prompt o

  Server: Oracle 11.2 on Linux Redhat 64-bit. Installed 32-bit 11.2 Oracle full client on Windows 7 64-bit workstation. Setting up user to test expired password promp capability of SQLDeveloper 3.0.0.4. So far, failing every time. Password Reset on menu is disabled. Loging in or testing in properties (Connection) simply fails with ORA-28001: the password has expired. Not sure how to proceed or enable password reset. FYI, connections only work for connection type of Basic and TNS if I disable OCI/thick driver. When enabled, I get "<oracle_home>\bin\ocijdbc11.dll Can't find dependent libraries"
  Not sure how to proceed. Need guidance and instruction or at least point me to documentation please. I'm not finding much on this issue.

  Thanks -K- for the response. I'll try that but it shouldn't be the cause of my issue. You see, a few weeks ago, I had SQLDeveloper installed on all our team's 32-bit Windows XP SP3 workstations. The reported issue was occurring then as well. Since then, the 64-bit Windows 7 workstations arrived and the saga continues:-)
  Any other thoughts on my issue is appreciated.