
I have an intranet where I have our users login with their AD credentials.

I thought I had everything trapped pretty well, but this morning users were reporting that they couldn't log in.

They were getting the following error (-2147023688):

Active Directory error '800704b8' 

An extended error has occurred.  

/login/index.asp, line 26 

Seems like it's related to passwords expiring.

I thought I had that covered with error -2147022989, which explicitly states that the password has expired, at which point I redirect the user to a password change screen where they can update it via ASP.

Is there any way to get more info on the extended error, or is there a list of numerical errors and their corresponding descriptions?

Or even better, should I just ignore this error completely, allow them to log in, and they'll just change their password the next time they log in to their PCs?

Thanks.

I don't think IIS will allow a user to change their AD password. It's too many layers removed, if that makes sense. If you want to use AD to handle website security, you must set the passwords to never expire. (Expiring passwords is a bunch of hogwash, anyway.) - Martha
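The question asks how to get from the raw number to a description. Classic ASP's Err.Number is a signed 32-bit Long, so an HRESULT such as 0x800704B8 is shown as -2147023688, and most AD bind failures are Win32 errors wrapped with HRESULT_FROM_WIN32 (facility 7), which puts the winerror.h code in the low 16 bits. The script below is an added example, not code from the question or the answer, that decodes those numbers and classifies them. The error names are the documented winerror.h constants (-2147022989 decodes to 0x80070773, ERROR_PASSWORD_MUST_CHANGE, and 0x532 ERROR_PASSWORD_EXPIRED is a separate code); the "action" column and the choice to fail closed on 1208 ERROR_EXTENDED_ERROR, which carries no reason in Err.Number, are this example's own policy.

```python
"""Decode classic-ASP/ADSI error numbers into Win32 logon-failure codes.

Err.Number in VBScript is a signed 32-bit Long, so an HRESULT such as
0x800704B8 shows up as -2147023688. Most AD bind failures are Win32 errors
wrapped with HRESULT_FROM_WIN32 (facility 7), so the low 16 bits are the
winerror.h code. The table below holds only documented constants; the
"action" column is this example's own policy (assumption), not anything
taken from the ASP page or from ADSI.
"""

SEVERITY_ERROR = 0x80000000
FACILITY_WIN32 = 7

# winerror.h code -> (constant name, action this example takes)
WIN32_LOGON_ERRORS = {
    1208: ("ERROR_EXTENDED_ERROR", "deny"),          # generic; reason not in Err.Number
    1317: ("ERROR_NO_SUCH_USER", "deny"),
    1326: ("ERROR_LOGON_FAILURE", "deny"),           # wrong user name or password
    1327: ("ERROR_ACCOUNT_RESTRICTION", "deny"),
    1328: ("ERROR_INVALID_LOGON_HOURS", "deny"),
    1329: ("ERROR_INVALID_WORKSTATION", "deny"),
    1330: ("ERROR_PASSWORD_EXPIRED", "redirect_to_password_change"),
    1331: ("ERROR_ACCOUNT_DISABLED", "deny"),
    1793: ("ERROR_ACCOUNT_EXPIRED", "deny"),
    1907: ("ERROR_PASSWORD_MUST_CHANGE", "redirect_to_password_change"),
    1909: ("ERROR_ACCOUNT_LOCKED_OUT", "deny"),
}


def com_to_hresult(err_number: int) -> int:
    """Reinterpret a signed 32-bit Err.Number as an unsigned HRESULT."""
    return err_number & 0xFFFFFFFF


def win32_to_com(code: int) -> int:
    """Inverse direction: HRESULT_FROM_WIN32(code) as the signed Long ASP shows."""
    hr = SEVERITY_ERROR | (FACILITY_WIN32 << 16) | (code & 0xFFFF)
    return hr - (1 << 32) if hr & SEVERITY_ERROR else hr


def describe(err_number: int) -> dict:
    """Classify one error number; anything unrecognised fails closed ("deny")."""
    hr = com_to_hresult(err_number)
    result = {"hresult": f"0x{hr:08X}", "win32": None, "name": None, "action": "deny"}
    facility = (hr >> 16) & 0x7FF
    if not (hr & SEVERITY_ERROR) or facility != FACILITY_WIN32:
        result["name"] = "not a Win32-wrapped failure HRESULT"
        return result
    code = hr & 0xFFFF
    name, action = WIN32_LOGON_ERRORS.get(code, ("UNKNOWN_WIN32_ERROR", "deny"))
    result.update(win32=code, name=name, action=action)
    return result


if __name__ == "__main__":
    # The two numbers from the question, plus a constructed wrong-password case.
    for n in (-2147023688, -2147022989, win32_to_com(1326)):
        print(n, describe(n))
```

Unknown and extended errors are mapped to "deny" on purpose: a login path that lets a request through because the failure code was unfamiliar is a fail-open authentication check, so the code that matches nothing in the table should be logged with its hex value and the request refused rather than treated as a success.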

1 Answer


Martha is incorrect. Your code can in fact change user passwords if it has the necessary permissions to do so. Your site will need to be running as a user account within AD. You did not mention which version of IIS you are using so it's impossible to give you specific instructions on how to configure your site.

That said, granting your site permissions to modify user passwords is a security risk you should weigh against the necessity of your site to make these sorts of changes. If your site were to be compromised, the attacker would be able to execute commands in the same security context as your site. So the attacker could potentially reset passwords for users, log in as them, and use this to escalate their attack.

You will have to decide if the convenience offered by your code and the potential security risks are worth the reward.