This repository has been archived by the owner on Jun 2, 2023. It is now read-only.

Can not login with UPN. #220

Closed
svhsvh opened this issue Oct 8, 2018 · 25 comments
Comments

svhsvh commented Oct 8, 2018

PassCore Server

  • OS: [Windows ]
  • Provider: [Active Directory ]

Describe the bug
Our users are used to logging in with their UPN, but they are not able to log in with it. If they try, PassCore returns: "Please enter a valid username", as you can see in the image below:

Screenshots: [image not included]

I hope someone knows the solution to our problem or is able to help us, thanks in advance.

diogenes25 (Contributor) commented

The identity is searched by default over the "cn". If you want to find the identity through the UPN, you can change line 26 in the file PasswordChangeProvider.cs as follows.

```csharp
public ApiErrorItem PerformPasswordChange(string username, string currentPassword, string newPassword)
{
    // perform the password change
    try
    {
        using (var principalContext = AcquirePrincipalContext())
        {
            // ########## Replace this line ... ##################
            // var userPrincipal = UserPrincipal.FindByIdentity(principalContext, username);
            // ####### with this line !!! Set IdentityType to: IdentityType.UserPrincipalName #####
            var userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.UserPrincipalName, username);

            .....
```

svhsvh (Author) commented Oct 8, 2018

Thanks, where is that file located? Because I'm unable to locate it.

diogenes25 (Contributor) commented

svhsvh (Author) commented Oct 8, 2018

But that is the source code right? Because that file is not present on my passcore installation.

diogenes25 (Contributor) commented

Yes, it is.
You must change it the "hard way" (compile and all the stuff).
We had a similar problem here: #204.
Maybe we should put a switch in appsettings.json that defines how a user is found (Distinguished Name (DN), Globally Unique Identifier (GUID), Security Account Manager (SAM), Security Identifier (SID) or User Principal Name (UPN)).

geoperez (Member) commented Oct 8, 2018

I like your idea.

svhsvh (Author) commented Oct 8, 2018

Thanks for your answer. Yes, that would be nice!

geoperez (Member) commented Oct 9, 2018

@svhsvh you can download the current master code or wait for the release probably by Friday.

geoperez added the labels "enhancement" (Nice to have.) and "help wanted" (Usually used alongside a bug / enhancement / shouldfix) on Oct 9, 2018
@geoperez geoperez added this to the 3.5.0 milestone Oct 9, 2018
svhsvh (Author) commented Oct 10, 2018

Thanks! I will wait until the release.

svhsvh (Author) commented Oct 17, 2018

Just a quick question: where can I find it once this is released?

geoperez (Member) commented

Sorry guys, I've been busy but probably today I'll release it.

@geoperez geoperez self-assigned this Oct 17, 2018
geoperez (Member) commented

@svhsvh I created a published version from my current branch. Including:

  • The PR to define the DC attribute, by @diogenes25
  • New appsettings format
  • Logging improved.

PassCore35.zip

Let me know if it's working for you. I'll wait for feedback before publishing a release.

MAP74 commented Oct 26, 2018

This version works with UPN.
But it fails when the user has to change their password at next logon.
Error message: You are not allowed to change your password. Please contact your system administrator.

The only version I found where this works out of the box is v3.1.

geoperez (Member) commented

Are you sure about that? Because the Change Password Provider from 3.1 is pretty much the same code as this version. The only important change is the ability to change the DC attribute to search the user.

There are no changes in how the password is changed.

svhsvh (Author) commented Oct 26, 2018

> @svhsvh I created a published version from my current branch. Including:
>
>   • The PR to define the DC attribute, by @diogenes25
>   • New appsettings format
>   • Logging improved.
>
> PassCore35.zip
>
> Let me know if it's working for you. I'll wait for feedback before publishing a release.

Thanks, I will test it out and let you know soon.

svhsvh (Author) commented Oct 29, 2018

I'm not able to get PassCore35 working; I get HTTP Error 502.5. I do not understand why, because the stable release is working perfectly on the same server, and I have the .NET Core 2.1.1 Windows Server Hosting bundle installed.
[screenshot, 2018-10-29 10:07]

geoperez (Member) commented

Do you have a log file?

svhsvh (Author) commented Oct 30, 2018

Unfortunately not. If I unpack a fresh copy of PassCore34 (stable release) and point the Physical Path in IIS to that directory, it works. If I unpack a fresh copy of the PassCore35.zip that you posted here and point the Physical Path in IIS to that directory, it returns the 502.5 error.
I assume that PassCore35 has the same dependencies as PassCore34; unless that isn't true, I have no idea what I am doing wrong.
Do you have any idea what is wrong? Or could it be a fault in PassCore35?
Thanks in advance.

MAP74 commented Oct 30, 2018

> Are you sure about that? Because the Change Password Provider from 3.1 is pretty much the same code as this version. The only important change is the ability to change the DC attribute to search the user.
>
> There are no changes in how the password is changed.

Hi,

I did some tests to be really sure.

Results below.

Thread that triggered me to try 3.1: #216

Test setup:

AD functional level: 2016
Passcore runs on:
OS: Windows Server 2016 (Member)
Provider: Active Directory
IIS: v10

Password-Policy:

Complexity: Enabled
History: Enabled
Max-Age: Enabled
Min-Age: Enabled
Min-Length: Enabled

Test-User:

Default domain user with "User must change password at next logon" enabled.

Passcore versions tested:

3.1.0
  App-Pool IDs:    ApplicationPoolIdentity, Custom AppPool User with AD rights granted, NetworkService
  Message-WebIf:   You have changed your password successfully.
                   Please note it may take a few hours for your new password to reach all domain controllers.
  Message-Logfile: no usable error messages found (Loglevel: Debug)

3.2.0 (Upgrade to new ASP.NET Core 2.1)
  App-Pool IDs:    ApplicationPoolIdentity, Custom AppPool User with AD rights granted, NetworkService
  Message-WebIf:   You have changed your password successfully.
                   Please note it may take a few hours for your new password to reach all domain controllers.
  Message-Logfile: no usable error messages found (Loglevel: Debug)

3.3.0
  App-Pool IDs:    ApplicationPoolIdentity, Custom AppPool User with AD rights granted, NetworkService
  Message-WebIf:   Access is denied.
  Message-Logfile: no usable error messages found (Loglevel: Debug)

3.4.2
  App-Pool IDs:    ApplicationPoolIdentity, Custom AppPool User with AD rights granted, NetworkService
  Message-WebIf:   Access is denied.
  Message-Logfile: no usable error messages found (Loglevel: Debug)

3.5.0
  App-Pool IDs:    ApplicationPoolIdentity, Custom AppPool User with AD rights granted, NetworkService
  Message-WebIf:   Failed to update password: Access is denied.
  Message-Logfile (Loglevel: Debug):

```
info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      PerformPasswordChange for user mpxxx@xyz.com
info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      PerformPasswordChange for user mpxxx@xyz.com
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      Using AutomaticContext
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      Using AutomaticContext
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      The User principal password have no last password
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      The User principal password have no last password
```

Changed default settings in all versions for this test:

appsettings.json

```json
"Logging": {
  "LogLevel": {
    "Default":   "Debug",
    "System":    "Debug",
    "Microsoft": "Debug"
  }
}
```

and, tried in turn, each of these:

```json
"AppSettings": { "DefaultDomain": "FQDN of our AD domain" }
```

```json
"AppSettings": { "DefaultDomain": "" }
```

web.config

```xml
stdoutLogEnabled="true"
```

Current setup running without problems:

Right now I'm on v3.2 with AppPoolID "Network Service".

geoperez (Member) commented Oct 30, 2018

@svhsvh PassCore 3.5.0 has a different settings file, did you check that?

geoperez (Member) commented

@MAP74 wow! Thank you for the information. Let me review the changes between 3.2.0 and 3.3.0 again.

diogenes25 (Contributor) commented

> Are you sure about that? Because the Change Password Provider from 3.1 is pretty much the same code as this version. The only important change is the ability to change the DC attribute to search the user.

One little (maybe important) change is that the UPN will be used to check the old password:

```csharp
if (ValidateUserCredentials(userPrincipal.UserPrincipalName, currentPassword, principalContext) == false)
```

Maybe the UPN is not set in the DC?
Just an idea.

geoperez (Member) commented Oct 30, 2018

I noticed a change introduced after 3.2.0 to set the last password property, and I guess it could affect this. The following release includes a new setting named UpdateLastPassword (default value false). If the value is true, it will execute the last password check; otherwise, it continues to the password change.

PassCore35.zip

For more information about the Last Password check, see issue #21.

MAP74 commented Oct 31, 2018

@geoperez The new 3.5 you provided does the trick. Changing passwords with the option "User must change password at next logon" enabled is working again.

Log:

```
info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      PerformPasswordChange for user mpx@xyz.com
info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      PerformPasswordChange for user mpx@xyz.com
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      Using AutomaticContext
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      Using AutomaticContext
dbug: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      The User principal password updated with setPassword
dbug: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      The User principal password updated with setPassword
```

Thank you.

Question

The PasswordMeter seems to use the classic complexity requirements to measure whether your password is a strong one.

Passw0rd%
is considered a lot stronger than
this is an absolute insane long password if you have to type it in every time but easy to remember

Ironically, it provides a link to https://xkpasswd.net/s/ where we are taught why classic passwords are unsafe and why long, easy to remember passwords with high entropy should be preferred.

Is this something where the password meter can be improved?
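The contrast MAP74 draws can be made concrete by scoring the two passwords both ways. This is an added illustration, not PassCore's PasswordMeter code; the "3 of 4 character classes" rule and the length-times-charset entropy estimate are assumed scoring functions constructed for the example.

```javascript
// Added example, not PassCore's own code. It scores the two passwords from the
// comment above in the two ways the comment contrasts: the classic
// "character classes" rule that the PasswordMeter is said to reward, and a
// length-times-charset entropy estimate that favours long passphrases.
// Both scoring functions are constructed for this illustration.

// Classic complexity: at least 8 characters and 3 of the 4 character classes.
function classicComplexity(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  return pw.length >= 8 && classes >= 3;
}

// Entropy estimate: length * log2(size of the character pool actually used).
// This is an upper bound; it does not detect dictionary words such as
// "Passw0rd", which is why real meters add a wordlist check on top.
function entropyBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33; // printable ASCII punctuation and space
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Score one password both ways, rounding the bit estimate to one decimal.
function score(pw) {
  return {
    complexityOk: classicComplexity(pw),
    bits: Math.round(entropyBits(pw) * 10) / 10,
  };
}

// Constructed inputs: the two passwords contrasted in the comment.
const SHORT_COMPLEX = 'Passw0rd%';
const LONG_PASSPHRASE =
  'this is an absolute insane long password if you have to type it in every time but easy to remember';

// The complexity rule accepts the short one and rejects the passphrase
// (only lower-case letters and spaces, so just 2 classes), while the
// entropy estimate ranks the passphrase roughly ten times higher.
console.log('short :', score(SHORT_COMPLEX));
console.log('phrase:', score(LONG_PASSPHRASE));
```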

geoperez (Member) commented

That's cool! Regarding the PasswordMeter, you are right, the current implementation is not right. But I'll target that issue in the following version. I want to release 3.5.0 now to fix the issues between 3.2.0 and 3.4.0.

Can you submit this as a new issue?
