How to log in with expired AD password?

  • Question

  • Does SharePoint 2016 on-premises address the issue of expired AD credentials in any new and improved ways compared to older versions of SharePoint?

    At the very least, we would want it to display a message stating their password has expired and needs to be changed rather than just prompting the user to try again.

    Ideally, it would be able to allow the user with an expired password to update their password right there at the sign-in page just like OWA does.

    Does SharePoint 2016 have any new functionality that allows this or is there any other workaround?

    Password change web parts do not address this since you can't use a web part to change your password if you can't get past the initial site login after your password expires.

    Saturday, May 7, 2016 2:01 AM

Answers

  • I would strongly recommend against using FBA with SharePoint. The management overhead is not worth it, plus the custom dev that is required to go with it.

    Instead, look at using a pre-auth reverse proxy with the feature that you need.


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by MyGposts Saturday, May 14, 2016 6:27 AM
    Monday, May 9, 2016 5:25 PM

All replies

  • There is no change from SharePoint 2007, 2010, or 2013 with regards to expired accounts. SharePoint does not handle authentication, that's IIS' responsibility, and IIS would need to return the message to the end user.

    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Saturday, May 7, 2016 4:12 AM
  • In short: To allow that sort of behaviour would be dangerous. It isn't going to appear as an out of the box feature any time soon, I hope.
    Saturday, May 7, 2016 9:49 PM
  • In short: To allow that sort of behaviour would be dangerous. It isn't going to appear as an out of the box feature any time soon, I hope.

    In what way would that be dangerous when that is exactly how it works with OWA?

    Why would a SharePoint login be more dangerous than an OWA login?

It is an extremely poor user experience for a login to fail with no message saying why, and then to have to call the help desk to say they can't log into SharePoint.

    Saturday, May 7, 2016 11:56 PM
  • Which version of Office Web Apps does that? SharePoint Online will prompt you because it's got a load of protection built into it but that's different to SharePoint On-Prem where you haven't paid for it, installed or configured it. Let alone put in enough monitoring to make sure it's not being used inappropriately. In some places, carefully used, it's great. In most it'd be too dangerous, although I guess it could just be left turned off.
    Sunday, May 8, 2016 8:05 PM
  • I have no idea why you keep saying "dangerous."

When is it ever "inappropriate" for a user to change their expired password? In order to change an expired password, they have to know the current password.

    It is not a benefit to anyone for the user to have to call the help desk for assistance when the password expires.

The ability to change an expired password at the log-in prompt is built into on-premises OWA. It just has to be enabled.

    Monday, May 9, 2016 5:58 AM
  • You say that but I haven't ever seen it.

    What do you think the possible dangers are for prompting someone that they have identified an existing and non-expired account, but one where the password needs to be reset?

    Monday, May 9, 2016 6:54 AM
  • OWA has been able to do this for several versions of Exchange Server.

    Monday, May 9, 2016 7:01 AM
  • Fair enough. I'm still not a fan of it.
    Monday, May 9, 2016 8:06 AM
  • You say that but I haven't ever seen it.

    What do you think the possible dangers are for prompting someone that they have identified an existing and non-expired account, but one where the password needs to be reset?

    I don't see the logic.

You still have to use the correct last password in order to get to the prompt to change the password.

    If an unauthorized person is fishing for valid user ids as a way to log into SharePoint, they are better off finding one where the password is not expired so they don't draw attention by changing the users password.

    Monday, May 9, 2016 3:49 PM
One of the key differences here is that Exchange uses FBA. An FBA environment can do an immediate check and return the result back to the web browser. SharePoint, historically, has been WIA. With WIA you either log in or you don't, as the password check is done between IIS -> AD; there's no SharePoint in the middle (SharePoint performs AuthZ, not AuthN). You can enable this functionality with custom dev using FBA on SharePoint, or if using SAML, at the SAML endpoint that is performing the auth with AD (e.g. ADFS).

    But with WIA, you've either got the correct username/password that isn't expired or not. There are no custom solutions for straight-up WIA.


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, May 9, 2016 3:53 PM
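The distinction drawn in the post above (a forms-based provider sees the bind result, IIS with Windows authentication just fails) can be shown directly. The PowerShell below is an added example, not code from this thread or from SharePoint: it performs the same LDAP bind a custom FBA membership provider or a pre-auth proxy would perform against AD, and reads the diagnostic code AD attaches to a failed bind so that "password expired" can be told apart from "wrong password". The server and user names are placeholders, and the mapping table is the documented set of AD bind sub-codes.

```powershell
# Added example, not from the thread: an FBA membership provider or a pre-auth proxy
# can see *why* an AD bind failed; IIS with Windows auth cannot pass that on.
# Server and user names below are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

# AD puts the logon failure reason in the bind diagnostic text, e.g.
# "80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 532, v1db1"
$script:AdBindReason = @{
    '525' = 'user not found'
    '52e' = 'invalid credentials'
    '530' = 'logon not permitted at this time'
    '531' = 'logon not permitted from this workstation'
    '532' = 'password expired'
    '533' = 'account disabled'
    '701' = 'account expired'
    '773' = 'user must change password at next logon'
    '775' = 'account locked out'
}

function Test-AdCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,        # e.g. 'dc01.corp.contoso.com' (placeholder)
        [Parameter(Mandatory)] [string] $UserName,      # UPN, e.g. 'alice@corp.contoso.com'
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Simple bind over LDAPS (636): the password travels inside TLS only, and AD
    # returns the "data NNN" diagnostic for a failed simple bind.
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = [System.Net.NetworkCredential]::new($UserName, $Password)
    try {
        $conn.Bind($cred)
        return [pscustomobject]@{ Success = $true; Code = $null; Reason = 'ok' }
    }
    catch {
        # PowerShell wraps .NET exceptions; walk down to the LdapException.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.DirectoryServices.Protocols.LdapException]) { $ex = $ex.InnerException }
        $code = $null
        if ($ex -and $ex.ServerErrorMessage -match 'data ([0-9a-f]+)') { $code = $Matches[1] }
        $reason = if ($code -and $script:AdBindReason.ContainsKey($code)) { $script:AdBindReason[$code] }
                  else { 'bind failed (no AD diagnostic code)' }
        return [pscustomobject]@{ Success = $false; Code = $code; Reason = $reason }
    }
    finally {
        $conn.Dispose()
    }
}

# Only the two "you know the password, but it must be changed" cases deserve a
# user-facing message. Everything else stays a generic failure so the sign-in page
# does not become an account-enumeration oracle (no "user not found" or "locked out").
function Get-SignInMessage {
    param([Parameter(Mandatory)] $Result)
    if ($Result.Success) { return 'Signed in.' }
    switch ([string]$Result.Code) {
        '532'   { return 'Your password has expired. Change it, then sign in again.' }
        '773'   { return 'You must change your password before you can sign in.' }
        default { return 'Sign-in failed.' }
    }
}

# Usage (interactive; each call is a real bind and counts toward account lockout):
# $r = Test-AdCredential -Server 'dc01.corp.contoso.com' -UserName 'alice@corp.contoso.com' `
#                        -Password (Read-Host -AsSecureString 'Password')
# Get-SignInMessage $r
```

This is exactly what an IIS Windows-authentication prompt cannot do: with WIA the Kerberos or NTLM exchange fails inside IIS and the browser only ever sees a 401 and a retry. Note that the 532/773 messages are only shown after a bind with the correct password, which is the point made later in the thread about why this is not an enumeration risk; a provider that reports 525 or 775 to the browser would be.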
One of the key differences here is that Exchange uses FBA. An FBA environment can do an immediate check and return the result back to the web browser. SharePoint, historically, has been WIA. With WIA you either log in or you don't, as the password check is done between IIS -> AD; there's no SharePoint in the middle (SharePoint performs AuthZ, not AuthN). You can enable this functionality with custom dev using FBA on SharePoint, or if using SAML, at the SAML endpoint that is performing the auth with AD (e.g. ADFS).

    But with WIA, you've either got the correct username/password that isn't expired or not. There are no custom solutions for straight-up WIA.


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

OK, so if we configured our SharePoint site to use FBA, could we use the third-party utility "IISADMPWD Replacement Tool" http://webactivedirectory.com/products/iisadmpwd/ or something similar to get the OWA password change functionality?
    Monday, May 9, 2016 4:03 PM
  • I would strongly recommend against using FBA with SharePoint. The management overhead is not worth it, plus the custom dev that is required to go with it.

    Instead, look at using a pre-auth reverse proxy with the feature that you need.


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

The login process with WIA is so ugly and unintuitive for end users when they are logging in from a computer joined to a different domain than the domain the SharePoint site is connected to. This causes lots of confusion and help desk calls from failed logins.

    If not FBA, what user-friendly alternative is there for SharePoint?

What overhead does FBA cause? WIA has plenty of overhead due to help desk calls from confused users not remembering to change the domain name from their local domain to the SharePoint domain.

    Monday, May 9, 2016 5:33 PM
  • As I said, a pre-auth reverse proxy. Microsoft has Web Application Proxy + ADFS 3, as an example. There are plenty of 3rd party products out there.

    As for FBA, you must maintain the configuration in 3 separate web.config files. It becomes more painful when there are multiple servers in the farm.


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, May 9, 2016 5:36 PM
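The accepted answer's suggestion (Web Application Proxy with AD FS pre-authentication, SharePoint left on Windows authentication) can be set up without FBA and without touching any SharePoint web.config. The PowerShell below is an added example and not part of the thread: AD FS 2012 R2 ("ADFS 3") does the forms sign-in and offers its own update-password page, and WAP uses Kerberos constrained delegation to reach the WIA backend, so SharePoint never handles the password at all. It assumes the AD FS 2012 R2 update that added the update-password portal page, that Kerberos already works for the SharePoint web application internally, and uses placeholder host names, the computer account WAP01, and an app-pool account; each section runs on the machine named in its comment.

```powershell
# Added example, not from the thread: keep SharePoint on Windows authentication and
# let AD FS 2012 R2 ("ADFS 3") + Web Application Proxy do the forms sign-in, with
# Kerberos constrained delegation (KCD) into the WIA backend. Host names, the
# computer account 'WAP01', the app-pool account and the RP name are placeholders.
# Assumes AD FS 2012 R2 with the update that added the update-password portal page.

# --- 1. On the AD FS server: offer the change-password page and add a non-claims-aware RP
Enable-AdfsEndpoint -TargetAddressPath '/adfs/portal/updatepassword/'
Restart-Service adfssrv

Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'SharePoint Intranet' `
    -Identifier 'https://sharepoint.contoso.com/' `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- 2. In Active Directory: allow the WAP machine account to delegate to the SharePoint SPN
Import-Module ActiveDirectory
# The SPN must belong to the SharePoint web application pool account (placeholder), e.g.:
#   setspn -S HTTP/sharepoint.contoso.com CONTOSO\svc-sp-web
$wap = Get-ADComputer -Identity 'WAP01'
# Limit delegation to exactly this SPN: protocol transition on a machine account is a
# powerful position, so the allowed-to list must stay as narrow as possible.
Set-ADComputer -Identity $wap -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/sharepoint.contoso.com' }
Set-ADAccountControl -Identity $wap -TrustedToAuthForDelegation $true   # "use any authentication protocol"

# --- 3. On the WAP server: publish SharePoint with AD FS pre-authentication and KCD
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like '*sharepoint.contoso.com*' } |
          Select-Object -First 1).Thumbprint
Add-WebApplicationProxyApplication -Name 'SharePoint Intranet' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'SharePoint Intranet' `
    -ExternalUrl 'https://sharepoint.contoso.com/' `
    -ExternalCertificateThumbprint $thumb `
    -BackendServerUrl 'https://sharepoint.contoso.com/' `
    -BackendServerAuthenticationSPN 'HTTP/sharepoint.contoso.com'

# --- 4. Checks: the endpoint is enabled (and exposed on the proxy), and the published
#        application really uses AD FS pre-auth with a backend SPN rather than pass-through.
Get-AdfsEndpoint | Where-Object AddressPath -like '*updatepassword*' |
    Select-Object AddressPath, Enabled, Proxy
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, BackendServerAuthenticationSPN
```

With this in place the expired-password prompt is AD FS's, not SharePoint's, and the only configuration that has to be kept consistent across the farm is the Kerberos setup that WIA already required; the three web.config files the answer warns about are left alone. The trade-off a practitioner should weigh is that the WAP host becomes a delegation trust point, which is why step 2 scopes msDS-AllowedToDelegateTo to a single SPN.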