Sharepoint Forum


Codeplex External Collaboration Toolkit for SharePoint problem

  Asked By: Ravi    Date: Feb 28    Category: Sharepoint    Views: 1237

In a solution I am trying to implement I am trying to use the External
Collaboration Toolkit for SharePoint from the Codeplex Community Kit
for SharePoint.

Once I worked through some issues with getting MS ADAM, Active
Directory Application Mode, to work properly with SSL, it is working
fairly well with one exception. Users cannot set their password. I
am getting an error returned that "The new password does not meet
password history or complexity requirements." I have tried using a
simple password to one that was randomly generated, 20 characters long
with mixed case, numbers and punctuation.

The admin function of resetting a user's password works. It sets the
user's password to a 9 character password with 2 non-alpha characters.

Since this solution is open source I have been able to dig through
it. I have not been able to find anywhere where the password
complexity is set so I am assuming that it is coming from ADAM, but
what is confusing me is that the admin password reset works but the
user set password doesn't.

The difference in the two is that the admin reset password first calls
the GeneratePassword method of an object that looks to be a
System.Web.Security.Membership object and then calls the Invoke method
on a Directory Entry object for the user with the
parameters "SetPassword" and the password in an array of Object. The
user set password just calls the Invoke method on a Directory Entry
object for the user with the parameters "ChangePassword" and the Old
and New passwords in an array of Object.

Has anyone else run into this and figured out how to fix it?



1 Answer Found

Answer #1    Answered By: Santana Osborn     Answered On: Feb 28

So after a support case with Microsoft I have gotten to the bottom of my
issue. The password policy for the Active Directory domain that the
server with ADAM installed is in had been recently changed to require a
minimum password age of 7 days.

The code of this solution uses the Invoke method on the DirectoryEntry
object for the user. For the admin function of reset password it
invokes "SetPassword" and for the user password change it invokes
"ChangePassword". The "SetPassword" requires elevated privileges on the
DirectoryEntry object and only takes a single parameter of the new
password and is not subject to the password policy restrictions. The
"ChangePassword" can be called by the user and requires the original
password to be passed and is limited by the password policies.

When either "SetPassword" or "ChangePassword" is used, the password
change time stamp is updated, so with the 7 day minimum password age I
can't use "ChangePassword" for 7 days after it has been set.

The password policies in ADAM are inherited from the machine that it is
installed on. If the machine is a stand alone machine or in a workgroup
you can set the policies locally, otherwise they are controlled by the
domain the machine is a part of.

This leaves you with 2 options.

The first is drastic and not what I would consider a real solution in
most cases. You disable the password policy inheritance either through
the ADAM ADSI Edit attaching to the Configuration container. In the
Config container expand the Services, Windows NT, Directory Service
object. On the Directory Service object right click and go to
properties. Find the attribute ADAMDisablePasswordPolicies and set its
value to 1. You can also use the dsmgmt.exe command line tool. The
command line tool is a little odd to use. Here is a transcript of how
you would change the value through the dsmgmt.exe tool:

dsmgmt.exe: Configurable Settings
configurable setting: Connections
server connections: Connect to server localhost:389
Binding to localhost:389 ...
Connected to localhost:389 using credentials of locally logged on user.
server connections: quit
configurable setting: Set ADAMDisablePasswordPolicies to 1
configurable setting: quit
dsmgmt.exe: quit

At this point restart the instance of ADAM and none of the password
policies will be enforced.

The second option is to change the password policies on the server where
ADAM is installed. If it is a stand alone machine or in a workgroup
that is easy, just go into Local Security Policy editor and change the
policy. If it is part of the domain you will have to create a new OU and
place the machine into it, then define a new password policy for the
machines in that OU.
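
A diagnostic for the situation described in the answer above, added here as an example (PowerShell; not part of the original answer or the toolkit's code): it reads a user's pwdLastSet from the ADAM instance and computes when "ChangePassword" will next pass a given minimum password age. The user DN is a placeholder, localhost:389 is taken from the dsmgmt transcript, and the minimum age must be supplied from the policy in force on the ADAM server (7 days in the answer).

```powershell
# Added example. Server, port and user DN are placeholders (assumptions).
function Get-AdamPwdLastSet {
    param(
        [string]$Server = 'localhost:389',
        [Parameter(Mandatory)][string]$UserDn
    )
    # Base-scope search on the user object, binding as the logged-on user.
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$UserDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Filter      = '(objectClass=*)'
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $result = $searcher.FindOne()
    if ($null -eq $result -or $result.Properties['pwdlastset'].Count -eq 0) {
        throw "pwdLastSet could not be read for $UserDn"
    }
    # DirectorySearcher returns the attribute as Int64: a FILETIME in UTC.
    return [Int64]$result.Properties['pwdlastset'][0]
}

function Test-ChangePasswordAllowed {
    param(
        [Parameter(Mandatory)][Int64]$PwdLastSet,
        [Parameter(Mandatory)][int]$MinPasswordAgeDays,
        [DateTime]$Now = [DateTime]::UtcNow
    )
    # The time stamp is reset by SetPassword as well as ChangePassword,
    # so an admin reset restarts the minimum-age clock.
    $lastSet  = [DateTime]::FromFileTimeUtc($PwdLastSet)
    $earliest = $lastSet.AddDays($MinPasswordAgeDays)
    [pscustomobject]@{
        PwdLastSetUtc     = $lastSet
        EarliestChangeUtc = $earliest
        Allowed           = ($Now -ge $earliest)
    }
}

# Constructed sample: password set by the admin reset two days ago, 7-day minimum age.
$sample = [DateTime]::UtcNow.AddDays(-2).ToFileTimeUtc()
Test-ChangePasswordAllowed -PwdLastSet $sample -MinPasswordAgeDays 7

# Against a live instance (the DN below is a placeholder):
# $v = Get-AdamPwdLastSet -UserDn 'CN=someuser,CN=Users,DC=example,DC=local'
# Test-ChangePasswordAllowed -PwdLastSet $v -MinPasswordAgeDays 7
```

For the constructed sample, Allowed is False and EarliestChangeUtc falls five days after the time the script is run.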