Steps to recreate:

1. Added a new user and set them up so that the new user had to change their password upon initial logon.

2. Logged on as new user, providing correct user ID and passord and received a Security Event ID: 1011 that stated "You must change your password before you can logon to the application" ... so far so good.  Upon pressing OK ...

3. I receive the Change Password form.  Upon reentering the Old Password and then providing a new password I get the following error message: "The new password cannot be confirmed, please try again.  You must wait two days between password changes".

4.  Trying to cancel out of the dialog does not close the dialog ... I have to stop debugging in order to cancel out.

My question is this:  Should the initial password change dialog enforce the "Minimum time between password changes" Password Restriction?  I'm thinking ... probaby not.

Thanks guys,

CT

Charles T. Blankenship
Senior Consultant
Novant Consulting, Inc.
704.975.7152
http://www.novantconsulting.com

Both conditions exist in your scenario, so the minimum password age is taking precedence.  We will talk about this...but this is how it remains for now until we sit down as a team and have a detailed conversation about this.

What did you and the group come up with.  It should be a bit easier to fix since the must change password on next login is a flag not a count. 

Here is the use case scenario:

Administrator creates a user and sets them up so that they must change their password on the next login and that they cannot change their password more than once in a 48 hour period.  The next time the new user logs in the program should ignore the requirement for the 48 hour waiting period for password changes.

If this doesn't get changed the following scenario can develop:  User changes their password (an established user) and on that very same day the administrator says they must change their password (let's assume the reason is that the passwords were compromised on that day).  The user would not be able to use the system until the 48 hour requirement had been met ... causing a security problem.

Thanks guys,

CT

Charles T. Blankenship
Senior Consultant
Novant Consulting, Inc.
704.975.7152
http://www.novantconsulting.com

OK, you need to change the UsersBO.vb file within the MicroFour StrataFrame Security.sln solution.  There is a method within the UsersBO.vb file called VerifyMinPasswordAge() that is causing all of your frustrations.  It needs to be changed to this:

Private Sub VerifyMinPasswordAge(ByVal Preferences As SFSPreferencesBO)
            '-- Bail if the password has not changed
            If Not Me.PasswordIsChanged() Then
                Exit Sub
            End If

            '-- Bail if the user is configured to "must change password at next login"
            If Me.us_UserMustChangePwNextLogin Then
                Exit Sub
            End If

            '-- Verify password minimum age
            If Me.CurrentRow.HasVersion(DataRowVersion.Original) Then
                Dim loTemp As EncryptedData = Me._Data
                Dim lcMsg As String

                If DateTime.Now.Subtract(loTemp.PasswordCreatedOn) < New TimeSpan(Preferences.sp_PwMinAge) Then
                    lcMsg = String.Format(RetrieveTextValue("SFST_MustWaitBeforePasswordChange"), Data.Formatting.TimeSpanToString(New TimeSpan(Preferences.sp_PwMinAge)))
                    Me.AddBrokenRule("us_PasswordPlainText", lcMsg)
                End If
            End If
        End Sub

The thing we changed is the second if test to exit if the user has the UserMustChangePwNextLogin flag set.  So, it won't add a broken rule for the password age if the user is being forced to change their password.