
I have set Windows authentication and forms-based authentication (FBA) in IIS for my web application. I added users to Windows so they can log in using the Windows prompt. I set the checkbox to force them to change their password at the next login.

Now my Windows users can't log in. I think it has something to do with the change password at next login. How can I set up IIS or something to be redirected to change their initial password? I don't want them to have to use the generated passwords given to them for their initial login.

user2320464
  • What? I don't understand this question. – joeqwerty May 28 '15 at 16:33
  • Check out AD Self Service Plus, it might be what you're looking for. – Matt Bear May 28 '15 at 19:40
  • @joeqwerty - The question clearly states - How can I setup iis or something to be redirected to change their initial password. It's an AD user logged into a website that has Windows Auth set up. Reading is fundamental. – Kyle Johnson May 28 '15 at 20:31
  • Describing your problem clearly is fundamental. If this statement makes sense to you then you're a better person than me: `Now my windows users can login. I think it has something to do with the change password at next login. How can I setup iis or something to be redirected to change their initial password.` – joeqwerty May 28 '15 at 21:59
  • I assume a typo; it should say `Now my windows users can NOT login`, only then the question makes sense. – Peter Hahndorf May 29 '15 at 01:27
  • Edited to fix that. – Andrew Schulman Jun 01 '15 at 08:18

1 Answer


For users with the "Change Password on Next Logon" set, you want to redirect their request so they can change their password.

Natively, Windows authentication in IIS doesn't allow for this functionality. Users will continue to be denied until their password is changed. You could modify the returned IIS error page with a link to the change password portal, or just let your users know that if they can't log in, they should try changing their password.

One alternative is to create a custom IIS module which intercepts the request just before the auth process. More information about taking this approach can be found here; however, I'm 90% certain it will be too complex of a solution.

The recommended solution would be to use forms authentication. Then customize the logon process to identify this change password scenario and redirect the user to a change password screen. This provides the best user experience but also involves a lot of customization.

Finally, don't use Windows Authentication with Forms Authentication. Just choose one. Note that non-Windows clients won't be able to connect using Windows auth.

user2320464
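
The forms-authentication approach from the answer above, as an added example that is not part of the original post: a login page validates the credentials with the Win32 `LogonUser` call and treats the "password must change" and "password expired" error codes as a redirect case instead of a plain denial. The class and enum names and the `~/ChangePassword.aspx` path are assumptions made for this sketch.

```csharp
// Added example (not from the answer). Names and paths are hypothetical.
using System;
using System.Runtime.InteropServices;

public enum LogonOutcome { Success, MustChangePassword, Denied }

public static class WindowsLogonCheck
{
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PASSWORD_EXPIRED = 1330;
    const int ERROR_PASSWORD_MUST_CHANGE = 1907;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Classifies one logon attempt for the forms login page.
    public static LogonOutcome Check(string domain, string user, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token);   // only the yes/no result is needed here
            return LogonOutcome.Success;
        }
        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_PASSWORD_MUST_CHANGE || err == ERROR_PASSWORD_EXPIRED)
            return LogonOutcome.MustChangePassword;
        return LogonOutcome.Denied;   // one generic outcome for every other failure
    }
}

// In the login page's submit handler (System.Web.Security):
//   switch (WindowsLogonCheck.Check(domain, user, password)) {
//     case LogonOutcome.Success:
//       FormsAuthentication.RedirectFromLoginPage(user, false); break;
//     case LogonOutcome.MustChangePassword:
//       // No forms ticket is issued on this path; the change-password page
//       // must ask for the current password again before accepting a new one.
//       Response.Redirect("~/ChangePassword.aspx"); break;
//     default:
//       // show a single generic "logon failed" message
//       break;
//   }
```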