StrataFrame Forum » StrataFrame Application Framework - V1 » WinForms (How do I?) » User Authentication

User Authentication

Charles Thomas Blankenship — Thu, 16 Nov 2006 14:27:24 GMT

Steps to recreate:

1. Added a new user and set them up so that the new user had to change their password upon initial logon.

2. Logged on as new user, providing correct user ID and passord and received a Security Event ID: 1011 that stated "You must change your password before you can logon to the application" ... so far so good. Upon pressing OK ...

3. I receive the Change Password form. Upon reentering the Old Password and then providing a new password I get the following error message: "The new password cannot be confirmed, please try again. You must wait two days between password changes".

4. Trying to cancel out of the dialog does not close the dialog ... I have to stop debugging in order to cancel out.

My question is this: Should the initial password change dialog enforce the "Minimum time between password changes" Password Restriction? I'm thinking ... probaby not.

Thanks guys,

RE: User Authentication

StrataFrame Team — Thu, 16 Nov 2006 14:27:24 GMT

OK, you need to change the UsersBO.vb file within the MicroFour StrataFrame Security.sln solution. There is a method within the UsersBO.vb file called VerifyMinPasswordAge() that is causing all of your frustrations. It needs to be changed to this:

Private Sub VerifyMinPasswordAge(ByVal Preferences As SFSPreferencesBO)
            '-- Bail if the password has not changed
            If Not Me.PasswordIsChanged() Then
                Exit Sub
            End If

            '-- Bail if the user is configured to "must change password at next login"
            If Me.us_UserMustChangePwNextLogin Then
                Exit Sub
            End If

            '-- Verify password minimum age
            If Me.CurrentRow.HasVersion(DataRowVersion.Original) Then
                Dim loTemp As EncryptedData = Me._Data
                Dim lcMsg As String

                If DateTime.Now.Subtract(loTemp.PasswordCreatedOn) < New TimeSpan(Preferences.sp_PwMinAge) Then
                    lcMsg = String.Format(RetrieveTextValue("SFST_MustWaitBeforePasswordChange"), Data.Formatting.TimeSpanToString(New TimeSpan(Preferences.sp_PwMinAge)))
                    Me.AddBrokenRule("us_PasswordPlainText", lcMsg)
                End If
            End If
        End Sub

The thing we changed is the second if test to exit if the user has the UserMustChangePwNextLogin flag set. So, it won't add a broken rule for the password age if the user is being forced to change their password.

RE: User Authentication

Charles Thomas Blankenship — Thu, 16 Nov 2006 11:48:21 GMT

What did you and the group come up with. It should be a bit easier to fix since the must change password on next login is a flag not a count.

Here is the use case scenario:

Administrator creates a user and sets them up so that they must change their password on the next login and that they cannot change their password more than once in a 48 hour period. The next time the new user logs in the program should ignore the requirement for the 48 hour waiting period for password changes.

If this doesn't get changed the following scenario can develop: User changes their password (an established user) and on that very same day the administrator says they must change their password (let's assume the reason is that the passwords were compromised on that day). The user would not be able to use the system until the 48 hour requirement had been met ... causing a security problem.

Thanks guys,

RE: User Authentication

Trent L. Taylor — Tue, 07 Nov 2006 13:57:49 GMT

Both conditions exist in your scenario, so the minimum password age is taking precedence. We will talk about this...but this is how it remains for now until we sit down as a team and have a detailed conversation about this.

RE: User Authentication

Charles Thomas Blankenship — Tue, 07 Nov 2006 13:54:55 GMT

This means that if a user is set up by an Administrator and the Administrator checks the must change password on initial entry and the preferences are set to force a user to wait two days before a password change then new users cannot use the application until two days have passed after their account is initially -set up.

I do not understand how you cannot know if it is the first login if the option is given to an administrator to force a user to change their password on an initial entry. The two situations cannot exist together logically. The application must detect this somewhere because I get the change password dialog to popup upon initial login.

Thanks,

RE: User Authentication

Trent L. Taylor — Tue, 07 Nov 2006 13:32:29 GMT

It appears that as of now this is how it is designed. We do not know if this is your first entry or your 10th....so it will respect the password date change rules. We will talk about this some more, but for now...this is how she works :D

RE: User Authentication

Trent L. Taylor — Tue, 07 Nov 2006 10:55:24 GMT

We will take a look.