A Workaround in IIS 7 for the “User Must Change Password at Next Logon” Flag in Active Directory

In yesterday’s post we looked at an issue with the IIS 7 architecture where Windows and Basic authentication fail when the “User must change password at next logon” flag is set for an Active Directory user. Microsoft engineered IIS 7 to deny access to users who have this flag set. This change from previous versions of IIS causes problems when you want to use tools like IISADMPWD to allow web application users to change their Active Directory password.

Web Active Directory looked at this situation and created a solution that lets you bypass the issue in IIS 7. Since the problem stems from IIS 7 denying access to users who must change their password at next logon, our approach uses Anonymous authentication in IIS so that IIS never performs the denial, and the application itself handles the logon.

The small web application we produced provides a logon screen and then checks the status of the “User must change password at next logon” flag before performing authentication against Active Directory. This allows you to provide a customizable logon form with instructions and your own branding instead of using the default browser pop-up dialog.

Best of all, if the user needs to change her password, the web application can route her to the IISADMPWD replacement web app we also created. If the user does not have to change her password and the credentials check out, the application passes the authenticated credentials on to the protected application and everything proceeds as normal.
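The logon flow described above, as an added C# example (not Web Active Directory's code and not taken from this post): the page runs under Anonymous authentication in IIS 7, reads the user's pwdLastSet attribute with a least-privilege service account, and only then validates the supplied credentials. Active Directory stores "User must change password at next logon" by setting pwdLastSet to 0, which is what the check reads. The domain name, LDAP path, service account, and the /ChangePassword.aspx and /Default.aspx paths are assumptions for illustration.

```csharp
// Added example, not from the original post. Assumed environment: ASP.NET on IIS 7
// with Anonymous authentication, a least-privilege service account that can read
// pwdLastSet, and a change-password page at ~/ChangePassword.aspx.
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

public static class LogonHelper
{
    // Hypothetical configuration values; replace with your own.
    const string Domain = "corp.example";                       // assumed domain
    const string LdapPath = "LDAP://corp.example";              // assumed LDAP path
    const string ServiceUser = "corp\\svc-logon";               // assumed read-only service account
    const string ServicePassword = "<service-account-password>"; // placeholder, load from config

    public enum LogonResult { Success, MustChangePassword, Failed }

    // Escape user input for an LDAP search filter (RFC 4515) so a typed user name
    // cannot change the meaning of the filter.
    public static string EscapeLdap(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // True when AD has the "User must change password at next logon" flag set,
    // which Active Directory records as pwdLastSet == 0.
    public static bool MustChangePassword(string sAMAccountName)
    {
        using (var root = new DirectoryEntry(LdapPath, ServiceUser, ServicePassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdap(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("pwdLastSet");
            SearchResult result = searcher.FindOne();
            // Unknown user or attribute not readable: fall through to the normal credential check.
            if (result == null || result.Properties["pwdLastSet"].Count == 0) return false;
            long pwdLastSet = (long)result.Properties["pwdLastSet"][0];
            return pwdLastSet == 0;
        }
    }

    // The order the post describes: check the flag first, because a user with the
    // flag set cannot authenticate through IIS 7 at all; otherwise validate the password.
    public static LogonResult Logon(string userName, string password)
    {
        if (MustChangePassword(userName))
            return LogonResult.MustChangePassword;

        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            return ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate)
                ? LogonResult.Success
                : LogonResult.Failed;
        }
    }

    // Route the browser according to the result (paths are assumed for this example).
    public static string RedirectTargetFor(LogonResult result)
    {
        switch (result)
        {
            case LogonResult.MustChangePassword: return "~/ChangePassword.aspx";
            case LogonResult.Success:            return "~/Default.aspx";
            default:                             return "~/Logon.aspx?failed=1";
        }
    }
}
```

Because the pwdLastSet lookup runs before the password is verified, the page answers differently for a flagged account even when the supplied password is wrong, so keep the service account limited to reading that one attribute, log and rate-limit logon attempts, and have the change-password page require the current password before accepting a new one.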

Contact Web Active Directory for more information about this solution and the IISADMPWD replacement tool for IIS 7.
