Home > DNN Open Source... > Provider and Extension Forums > Authentication > Changing password from portal...
New Post
1/16/2007 8:09 AM
 

Hi,

When DNN uses AD as the authentication method, the user and password must be registered in AD before the first DNN login. But can the user change the password later from DNN?

It seems that it works. But when the original AD password is used again in a login, the changed password is no longer valid. Only the AD password. Why is the changed password no longer valid? The user account in AD is set to accept changing password...

Does anyone have any experience with this?

-PF

 
New Post
1/17/2007 2:00 PM
 
It's because it's a one way authentication. DNN reads the user's credentials from their login and compares that to what it reads from the AD. It doesn't write to the AD when the user changes their password or information on the DNN site and imho it never should. That's one security hole I'd never want to see opened.
 
New Post
1/17/2007 2:12 PM
 
Actually, I think it doesn't even actually read the info from the AD (as far as passwords go), it simply asks the AD if the password used is the correct one, getting a yes/no response.
 
New Post
1/17/2007 3:28 PM
 

Actually it looks like it might. I just went to the site we've got running authentication and did a password reminder and it sent me the correct password. I then changed the password in DNN and requested another password reminder and got the new one sent to me. If it doesn't and actual AD passwords are being stored in the db then this worries me a touch. I'm sure I read in another post that the passwords entered into the db were random and DNN always referred to AD for password info.

 
New Post
1/18/2007 9:11 AM
 

The key thing here is that you changed it in DNN, and got the one you changed "in DNN" back with the reminder. If you change the password in AD, and then request a reminder, it "should" give you the old password, the one that was stored in DNN. The password in AD is a hash, and is impossible to unencrypt without cracking tools (not to mention that the hash isn't even sent to DNN), so you can't simply "read" the AD password. This was the point I was trying to make, sorry for the confusion.

On the other hand, I do remember this topic coming up a year or so ago back on the ASP forums. The fact that DNN actually "stores" your password is not a good thing at all! That is a major security flaw! I thought that had been fixed a while back, but apparently it hasn't been.

We've really got to get this project in motion again!
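
The two designs discussed in the replies above, modelled side by side as an added example (not code from DNN or its AD provider): a portal that keeps a retrievable copy of the password next to one that stores only a random placeholder and leaves every password decision to the directory. `Directory`, `CachingPortal` and `DelegatingPortal` are hypothetical names, and the directory is a constructed in-memory stand-in for AD.

```python
import hashlib, hmac, os, secrets

class Directory:
    """Constructed stand-in for AD: keeps salted hashes, answers only yes/no."""
    def __init__(self):
        self._users = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._digest(salt, password))

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def verify(self, user, password):
        salt, digest = self._users.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(digest, self._digest(salt, password))

class CachingPortal:
    """Behaviour the replies describe: a retrievable local password copy."""
    def __init__(self, directory):
        self.directory, self.local = directory, {}

    def login(self, user, password):
        ok = self.directory.verify(user, password)
        if ok:
            self.local[user] = password  # plaintext copy now sits in the portal DB
        return ok

    def change_password(self, user, new_password):
        self.local[user] = new_password  # local only; the directory never sees it

    def reminder(self, user):
        return self.local.get(user)  # mails back whatever was stored

class DelegatingPortal(CachingPortal):
    """Hardened variant: the local row holds only a random placeholder."""
    def login(self, user, password):
        ok = self.directory.verify(user, password)
        if ok:
            self.local.setdefault(user, secrets.token_urlsafe(32))
        return ok

    def change_password(self, user, new_password):
        raise PermissionError("passwords are managed in the directory")

    def reminder(self, user):
        return None  # nothing recoverable to send
```

In the caching model a reminder returns whatever was last written locally, which goes stale as soon as the directory password changes; in the delegating model there is no password in the portal database to leak or to drift out of sync.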

 