We're running IIS7 on a Windows 2008 server, and I have a .NET web application that is running under a separate application pool. For the moment the application is set up using Basic Authentication. All users of the site have an account created in Active Directory, which resides on a separate server. All users must enter their credentials via the default browser dialog.
My problem is when a user forgets his/her password and it is reset by an admin. Security rules specify that when the user's password is reset, the flag "User must change their password on next logon" must also be set. In versions of IIS before 7, IISADMPWD was used to allow the user to change the password in this situation. IIS7 does not include this feature, so I had to find an alternative.
I wrote an HttpModule that inherits from IHttpModule and subscribed to the AuthenticateRequest event. Then I run my Active Directory code to check the password expiration status. Based on the result of the password check, I either let the users into the application or pass them to a password change page.
Should work, but it doesn't always... The user does not always get to the password change page. Sometimes the user is just continuously prompted for username and password, which results in a 401. I did some investigating, and it appears that when the app pool is reset, the first user to hit the site is not authenticated if the flag is turned on for that user; the continuous prompts are given to the user. If that user's flag is turned off, he/she gets authenticated and can proceed. If I immediately turn the flag back on, without resetting the app pool, the user goes to the change password page upon next logon.
Not sure what is going on here, any ideas?
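For reference, here is one way to implement the check the question describes. This is an added example, not the asker's module or any Microsoft sample: an IHttpModule that, on AuthenticateRequest, looks the already-authenticated user up in Active Directory and redirects to a change-password page when "User must change password at next logon" is set. In AD that flag is stored as the pwdLastSet attribute being 0, which is what the module tests. The page path, the LDAP root and the class name are placeholders; the AD lookup runs as the application pool identity, which is assumed to have read access to user objects.

```csharp
using System;
using System.DirectoryServices;
using System.Text;
using System.Web;

/// <summary>
/// Added example (not the original poster's code): send users whose AD account
/// has "User must change password at next logon" set to a change-password page.
/// Active Directory represents that flag as pwdLastSet == 0.
/// </summary>
public class PasswordMustChangeModule : IHttpModule
{
    // Assumed values for this example; adjust to the real site and domain.
    private const string ChangePasswordPage = "/ChangePassword.aspx";
    private const string LdapRoot = "LDAP://DC=example,DC=local";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose()
    {
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // The module only ever sees an identity IIS has already accepted. If IIS
        // rejected the Basic credentials itself, there is no user to redirect and
        // the 401 stands; a managed module cannot override that decision.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        // Let the change-password page itself through, otherwise the redirect loops.
        if (string.Equals(ctx.Request.Path, ChangePasswordPage, StringComparison.OrdinalIgnoreCase))
            return;

        if (MustChangePassword(ctx.User.Identity.Name))
            ctx.Response.Redirect(ChangePasswordPage, true);
    }

    /// <summary>
    /// Looks the authenticated user up in AD and reports whether pwdLastSet is 0.
    /// Runs under the application pool identity, which needs read access to the user object.
    /// </summary>
    public static bool MustChangePassword(string identityName)
    {
        string filter = BuildFilter(identityName);

        using (DirectoryEntry root = new DirectoryEntry(LdapRoot))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter))
        {
            searcher.PropertiesToLoad.Add("pwdLastSet");
            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["pwdLastSet"].Count == 0)
                return false; // account not found in this tree: nothing to enforce here

            // pwdLastSet is a large integer (FILETIME); 0 means "must change at next logon".
            long pwdLastSet = Convert.ToInt64(result.Properties["pwdLastSet"][0]);
            return pwdLastSet == 0;
        }
    }

    // Basic auth yields "DOMAIN\user" or "user@domain"; match on sAMAccountName or UPN.
    internal static string BuildFilter(string identityName)
    {
        int slash = identityName.LastIndexOf('\\');
        bool isUpn = slash < 0 && identityName.Contains("@");
        string attr = isUpn ? "userPrincipalName" : "sAMAccountName";
        string value = slash >= 0 ? identityName.Substring(slash + 1) : identityName;
        return "(&(objectCategory=person)(objectClass=user)(" + attr + "=" + EscapeFilterValue(value) + "))";
    }

    // RFC 4515 escaping so a crafted user name cannot change the meaning of the filter.
    internal static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*': sb.Append("\\2a"); break;
                case '(': sb.Append("\\28"); break;
                case ')': sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

Register the module for the IIS7 integrated pipeline under `<system.webServer><modules>` in web.config (for example `<add name="PasswordMustChangeModule" type="PasswordMustChangeModule" />`) rather than only under `<system.web><httpModules>`, or it will not run for the application pool described above. Note the first guard in OnAuthenticateRequest: it is the reason a module like this can only redirect users whose credentials IIS has already accepted, which is consistent with the symptom in the question, where the affected user never gets past the browser's credential prompt.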