Wednesday, March 7, 2012

Password expired

Hello!
My users' SQL passwords expire after 90 days and that's what I want.
The problem is that I want the user to be able to change their password when
this happens.
I developed a small application for this purpose, but I can't get it to
work.
There is an ASP.NET page with five textboxes: server, loginname,
oldpassword, newpassword, and confirmnewpassword.
First I'm trying to establish a sqlconnection with the server, loginname and
the oldpassword, but the row conn.open(); raises an error with: Reason: The
password of the account has expired
Well, I can understand why, but I don't understand how to solve this
solution.
The next row was meant to be ALTER LOGIN thename WITH PASSWORD = 'blabla2'
OLD_PASSWORD = 'blabla1', and this works when able to log in, but in this
case I can't establish the connection.
How to solve this?
Best Regards /Magnus
|||Magnus,
To achieve this you should be using Windows integrated authentication rather
than SQL; this would be the simplest way.
You could do this in SQL authentication as well, but it is a bit complicated. What
you should do is this: your password-changing application should use a dedicated
SQL user account, and that login should have all db_admin rights. Use that login
to log on to SQL Server to change the password.
Regards
VT
Knowledge is power, share it
http://oneplace4sql.blogspot.com/
|||Hi!
Thanks. Well, I know Windows Authentication is the preferred way, but in this
case, not!
Okay, so I set up an account that has access to change the password then. So
it's not possible to use the existing login to change the password? That
means that password expired has the same impact as account locked out or
account disabled in this case?
Should I use sa or a dedicated one?
Regards Magnus
|||Personally I will not use sa, I would rather create a login that's only for
this purpose
Regards
VT
Knowledge is power, share it
http://oneplace4sql.blogspot.com/
|||A user can change their own password as long as they change it before it
expires. If you let them change it after it expires, there would be no
point in having it expire would there? Once it expires, the dba will have
to change it for them. I suggest telling them to put a reminder in their
calendar to change the password a week or so before it expires.
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
|||[posted and mailed]
Magnus (magnus.blomberg@.skanska.se) writes:
> My users' SQL passwords expire after 90 days and that's what I want. The
> problem is that I want the user to be able to change their password when
> this happens.
> I developed a small application for this purpose, but I can't get it to
> work.
> There is an ASP.NET page with five textboxes: server, loginname,
> oldpassword, newpassword, and confirmnewpassword.
Despite what Roger and vt say, this is indeed possible. You simply connect
to SQL Server and in the connect string you pass the new password in the
Password property. The old password you pass in the Old Password property.
For instance:
PROVIDER=SQLNCLI;Server=ThatServer;Database=ThatDatabase;UID=ThisUser;Password=SprillansNytt;Old Password=Frrarets
Note that you must use the SQLNCLI provider, as SQLOLEDB does not support
the Old Password property.
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx
|||So passwords never really expire? Cool!
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
|||Thanks Erland!
I thought there should be a way, since this is the same behavior as for the AD
accounts. When it has expired, you have to change the password, but you can
still do it!
Regarding the fact that the SQLOLEDB provider doesn't support this, how do I
change the code below to work?
String strconn = "PROVIDER=SQLNCLI;Server=" + TextBox1.Text +
";Database=master;UID=" + TextBox2.Text +
";Password=" + TextBox4.Text + ";Old Password=" + TextBox3.Text;
System.Data.SqlClient.SqlConnection conn = new
System.Data.SqlClient.SqlConnection(strconn);
Is it OK to use this kind of code? Injection must be impossible/useless to
use within the connection string. Isn't it?
Best regards
/Magnus
|||At the ...conn = new... row I get the error message Keyword not supported:
'provider'.
/Magnus
|||Magnus (magnus.blomberg@.skanska.se) writes:
> I thought there should be a way, since this is the same behavior as for the
> AD accounts. When it has expired, you have to change the password, but
> you can still do it!
> Regarding the fact that the SQLOLEDB provider doesn't support this, how do I
> change the code below to work?
> String strconn = "PROVIDER=SQLNCLI;Server=" + TextBox1.Text +
> ";Database=master;UID=" + TextBox2.Text +
> ";Password=" + TextBox4.Text + ";Old Password=" + TextBox3.Text;
> System.Data.SqlClient.SqlConnection conn = new
> System.Data.SqlClient.SqlConnection(strconn);
> Is it OK to use this kind of code? Injection must be impossible/useless to
> use within the connection string. Isn't it?
Impossible it is not. I mean if the user thinks you should run with
MARS enabled, he can arrange it. More importantly, the user may want to
use a semicolon in his password.

> At the ...conn = new... row I get the error message Keyword not supported:
> 'provider'.
I XXX that you use ASP .Net, so I guess that you are using SqlClient as
your API. (Well, you should.) I looked at SQL Native Client, since this
is where I've played with this feature. Just remove the Provider part.
Not that I know, but I guess the connection-string properties are the
same with SqlClient.
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx
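
The connection-string injection point raised in the last reply, as an added example that is not code from the thread: it compares the concatenated string with one produced by SqlConnectionStringBuilder, and changes the password through SqlClient's static SqlConnection.ChangePassword method rather than the Old Password keyword that the thread describes for SQLNCLI. The class name, server name, login and password values are constructed for illustration.

```csharp
using System;
using System.Data.SqlClient;

static class ExpiredPasswordDemo
{
    // Concatenation, as in the code posted in the thread (minus the Provider keyword).
    static string Concatenated(string server, string login, string password) =>
        "Server=" + server + ";Database=master;UID=" + login + ";Password=" + password;

    // The builder quotes each value, so user input cannot add or override keywords.
    static string Built(string server, string login, string password) =>
        new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = "master",
            UserID = login,
            Password = password
        }.ConnectionString;

    // Changes the password of the login named in the connection string,
    // authenticating with the old password. Needs a reachable SQL Server,
    // so Main below does not call it.
    static void ChangeExpiredPassword(string server, string login,
                                      string oldPassword, string newPassword)
    {
        SqlConnection.ChangePassword(Built(server, login, oldPassword), newPassword);
    }

    static void Main()
    {
        // Constructed input: a password holding a semicolon and a keyword.
        string pwd = "pw;MultipleActiveResultSets=True";

        // Parse both strings back to see what the driver would be told.
        var fromConcat = new SqlConnectionStringBuilder(Concatenated("srv", "user", pwd));
        var fromBuilder = new SqlConnectionStringBuilder(Built("srv", "user", pwd));

        // Concatenated: the password is cut at the semicolon and MARS is switched on.
        Console.WriteLine("concat : Password={0} MARS={1}",
            fromConcat.Password, fromConcat.MultipleActiveResultSets);
        // Built: the whole value stays in Password and MARS keeps its default.
        Console.WriteLine("builder: Password={0} MARS={1}",
            fromBuilder.Password, fromBuilder.MultipleActiveResultSets);
    }
}
```

In the ASP.NET page the thread describes, ChangeExpiredPassword would be called with the textbox values after checking that the two new-password fields match.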
