
How do I change a Windows password through ASP?

I have a web application that uses Integrated Windows Authentication to validate users. Most of them are remote and don't have access to a workstation to update their AD password.

Rather than manually managing passwords myself, I'd like to put together a script so they can change them on their own.

How would I update their Windows password through ASP?

BIBD asked Sep 20 '25 01:09


1 Answer

If you are going to offer this in a website, you should consider the security implications. A self-service password changing website is generally considered a major security risk and is not common.

You mention that your users are remote. If the site will be public, how will they authenticate through Integrated Authentication? The only way I know to make this possible is through VPN. Otherwise, they will have to use Basic Authentication to enter their username and password. This is very insecure, even over SSL.

Here are some recommendations:

  • Secure the site using client certificates. If this is not possible, use SSL at a minimum.
  • I would strongly recommend that you implement the actual password-changing logic in a secure webservice. The ASP.NET page should call the webservice to request the change.
  • You should store an audit trail of password changes. DO NOT store the passwords, just an event log of the user, time, and IP address.
  • Test very thoroughly to ensure that the integrated security is recognizing your users properly. Make sure that users cannot accidentally change other users' passwords.
Dave Swersky answered Sep 22 '25 05:09
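
The recommendations in the answer above, sketched as the service-side method an ASP.NET page could call. This is an added example, not code from the question or the answer; the class name, method name and event source `PasswordSelfService` are hypothetical, and it assumes Windows authentication is enabled in IIS and the event source has already been registered.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

// Added example, not code from the original thread.
public static class SelfServicePassword
{
    // Assumption: this event source was registered by an administrator beforehand.
    private const string AuditSource = "PasswordSelfService";

    // There is deliberately no username parameter: the account to change is
    // always the one IIS authenticated, so a caller cannot name another user.
    public static bool ChangeOwnPassword(HttpContext context,
                                         string currentPassword,
                                         string newPassword)
    {
        var caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.User == null)
            throw new UnauthorizedAccessException("Windows authentication required.");

        string ip = context.Request.UserHostAddress;
        bool ok = false;
        try
        {
            // Look the account up by SID rather than by a name string.
            using (var domain = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(
                       domain, IdentityType.Sid, caller.User.Value))
            {
                if (user != null)
                {
                    // ChangePassword (unlike SetPassword) requires the current password.
                    user.ChangePassword(currentPassword, newPassword);
                    ok = true;
                }
            }
        }
        catch (PasswordException)
        {
            // The directory rejected the change (for example, a policy violation).
        }

        // Audit trail: user, time, IP and outcome. Never the passwords.
        EventLog.WriteEntry(AuditSource,
            string.Format("Password change {0}: user={1} ip={2} utc={3:o}",
                ok ? "succeeded" : "failed", caller.Name, ip, DateTime.UtcNow),
            ok ? EventLogEntryType.Information : EventLogEntryType.Warning);
        return ok;
    }
}
```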