Posts: 11
Time spent in forums: 2 h 56 m 37 sec
Reputation Power: 0
Server 2K8 x64 - IIS7 and IISADMPWD
So MS, in its infinite wisdom, has removed the iisadmpwd from IIS7, because (of course) the only use for this built-in functionality was resetting passwords for OWA, and since they have now built this functionality into Exchange instead, nobody needs it now - right? Well, wrong.
My goal: Migrate the iisadmpwd application from IIS6 to IIS7, and in doing so provide automatic redirect when the "Must Change" flag is set in AD.
Currently, IIS throws a 401 error (of some form - in IIS6 it was 401.1, but Fiddler doesn't show me anything more than a 401) when a user who has this flag set tries to log in. This doesn't bring up an error page, instead, it continues prompting for the password 3 times and then you receive a completely blank page - which doesn't tell anyone unfamiliar with the symptoms anything.
What steps I have taken (and are published in many forms across the internet):
1) Copied files from IIS6 (32 bit 2003 server) C:\windows\system32\inetsrv\iisadmpwd to C:\windows\syswow64\inetsrv\iisadmpwd
NOTE: If your source 2003 server is 64 bit, you can copy to system32 instead of syswow64. If you put 32 bit dlls in the system32 folder on 64 bit, step 2 will not work.
2) Register the DLL for the iisadmpwd program
regsvr32 c:\windows\syswow64\inetsrv\iisadmpwd\iispwchg.dll
3) Re-configure IIS MetaBase to allow password changes after expiration
C:\inetpub\adminscripts\adsutil set w3svc/PasswordChangeFlags 1
NOTE: This particular setting allows you to reset the password in a non-SSL environment. You can use 0 if you require SSL.
4) Create New Application under desired web-site, call it "iisadmpwd", point it at the above iisadmpwd directory, assign it to a new app pool "iisadmpwd", which runs as a user with AD privileges, .NET 2.0.50727, Classic
5) Set Authentication Enabled on Windows Authentication and Anonymous (anonymous is not required, but I found it to work better in IIS6)
Done.
End result: I can navigate to http://<server>/iisadmpwd/aexp3.asp with expired password, and I am able to change my password.
Almost there. The problem is that I must navigate to the page directly; I am not redirected on 401 (as I was in IIS6), nor is there any error message that indicates the problem or gives me instructions to go to the page directly to change the password. And unfortunately, this is where any information on migrating this to IIS7 stops - this seems to be a happy fix for everyone else - but it's not quite sufficient for my needs.
So I went a little bit further. There are several other settings in IIS that are rarely mentioned when discussing iisadmpwd - mostly because they were set by default in IIS6, and are only used specifically for what I need it for (which IIS6 did out of the box) and everyone seems happy without this functionality in IIS7.
Those are the values that configured the auto-redirect pages:
AuthChangeURL : (STRING) "/iisadmpwd/achg.asp"
AuthExpiredURL : (STRING) "/iisadmpwd/aexp.asp"
AuthNotifyPwdExpURL : (STRING) "/iisadmpwd/anot.asp"
AuthExpiredUnsecureURL : (STRING) "/iisadmpwd/aexp3.asp"
AuthNotifyPwdExpUnsecureURL : (STRING) "/iisadmpwd/anot3.asp"
(Partial output from C:\inetpub\adminscripts\adsutil.vbs enum w3svc)
These flags tell IIS where to redirect you depending on the response type from AD, and whether you are using SSL, etc. So e.g., "AuthExpiredURL" is where to redirect you if your password is expired and you are connecting over SSL. Of course, as you can see by the URL I used above, I am in a non-SSL environment with the password expired. These are set as follows:
C:\inetpub\adminscripts\adsutil set w3svc/AuthChangeURL /iisadmpwd/achg.asp
etc.
So I went through (as you can see) and configured each of these to match my IIS 6.0 (working) config. I still get no redirect, or as I would call it "automatic prompting for password change".
I am hoping someone out there has tried to do something similar, which really should be built in, and figured out what it is that I'm missing. I have this "working" in the only state that I could find anyone else doing it successfully, but it doesn't quite cut it for me.
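Added example, not part of the original post and not Microsoft's own tooling: a PowerShell check that parses "adsutil.vbs enum w3svc" output and reports PasswordChangeFlags and the five redirect URL properties the post sets. The function name and the sample lines are constructed for illustration; the PasswordChangeFlags line is assumed to use the same layout as the URL lines shown in the post.

```powershell
# Added example, not from the thread: audit the settings the post configures.
function Get-PwdChangeAudit {
    param([string[]]$EnumLines)

    # URL properties named in the post.
    $urlProps = 'AuthChangeURL', 'AuthExpiredURL', 'AuthNotifyPwdExpURL',
                'AuthExpiredUnsecureURL', 'AuthNotifyPwdExpUnsecureURL'

    # adsutil prints each property as:  Name : (TYPE) value
    $found = @{}
    foreach ($line in $EnumLines) {
        if ($line -match '^\s*(\w+)\s*:\s*\(\w+\)\s*(.*)$') {
            $found[$Matches[1]] = $Matches[2].Trim().Trim('"')
        }
    }

    # Per the post: 1 allows password change without SSL, 0 requires SSL.
    $flag = $found['PasswordChangeFlags']
    if ($null -eq $flag)   { $flagNote = 'MISSING' }
    elseif ($flag -eq '0') { $flagNote = 'SSL required' }
    elseif ($flag -eq '1') { $flagNote = 'WARNING: password change allowed without SSL' }
    else                   { $flagNote = 'review: value not covered in the post' }

    $rows = @(New-Object PSObject -Property @{
        Property = 'PasswordChangeFlags'; Value = $flag; Status = $flagNote })
    foreach ($p in $urlProps) {
        if ($found.ContainsKey($p)) { $status = 'set' } else { $status = 'MISSING' }
        $rows += New-Object PSObject -Property @{
            Property = $p; Value = $found[$p]; Status = $status }
    }
    $rows | Select-Object Property, Value, Status
}

# Constructed sample: the five URL lines are the values shown in the post;
# the PasswordChangeFlags line is assumed to follow the same layout.
$sample = @(
    'PasswordChangeFlags : (INTEGER) 1',
    'AuthChangeURL : (STRING) "/iisadmpwd/achg.asp"',
    'AuthExpiredURL : (STRING) "/iisadmpwd/aexp.asp"',
    'AuthNotifyPwdExpURL : (STRING) "/iisadmpwd/anot.asp"',
    'AuthExpiredUnsecureURL : (STRING) "/iisadmpwd/aexp3.asp"',
    'AuthNotifyPwdExpUnsecureURL : (STRING) "/iisadmpwd/anot3.asp"'
)
Get-PwdChangeAudit $sample | Format-Table -AutoSize

# Live use on the server (script path as given in the post):
# Get-PwdChangeAudit (cscript //nologo C:\inetpub\adminscripts\adsutil.vbs enum w3svc)
```

The report shows only what is stored in the metabase, not whether IIS 7 acts on those values.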
Posts: 1
Time spent in forums: 18 m 59 sec
Reputation Power: 0
Quote:
Originally Posted by MrSafety1
...
Those are the values that configured the auto-redirect pages:
AuthChangeURL : (STRING) "/iisadmpwd/achg.asp"
AuthExpiredURL : (STRING) "/iisadmpwd/aexp.asp"
AuthNotifyPwdExpURL : (STRING) "/iisadmpwd/anot.asp"
AuthExpiredUnsecureURL : (STRING) "/iisadmpwd/aexp3.asp"
AuthNotifyPwdExpUnsecureURL : (STRING) "/iisadmpwd/anot3.asp"
(Partial output from C:\inetpub\adminscripts\adsutil.vbs enum w3svc)
These flags tell IIS where to redirect you depending on the response type from AD, and whether you are using SSL, etc. So e.g., "AuthExpiredURL" is where to redirect you if your password is expired and you are connecting over SSL. Of course, as you can see by the URL I used above, I am in a non-SSL environment with the password expired. These are set as follows:
C:\inetpub\adminscripts\adsutil set w3svc/AuthChangeURL /iisadmpwd/achg.asp
etc.
So I went through (as you can see) and configured each of these to match my IIS 6.0 (working) config. I still get no redirect, or as I would call it "automatic prompting for password change".
I am hoping someone out there has tried to do something similar, which really should be built in, and figured out what it is that I'm missing. I have this "working" in the only state that I could find anyone else doing it successfully, but it doesn't quite cut it for me.
Anyone have any ideas?
Hello,
I am trying to solve almost the same issue. Have you succeeded somehow?
I am afraid that using AuthChangeURL metabase property will not help, because maybe it is not used in IIS7 anymore. See
msdn.microsoft.com/en-us/library/aa965021(v=VS.90).aspx
Therefore we are creating our own anonymous password change form and will try to redirect all 401 from our web app to this form. But the user will have to write his username and password again, security issues, etc... I do not like MS for this.
Posts: 11
Time spent in forums: 2 h 56 m 37 sec
Reputation Power: 0
Thank you for posting that link, that is a handy reference. It's interesting that these are deprecated, and yet I was able to update the metabase with values for these properties.
Unfortunately I have not yet solved this issue.
I can't use the same solution you do, as the web application I am trying to use this in generates a LOT of 401 traffic, even when there is no authentication issue.
The other bad part is that there are various reasons for 401, and this is only one of them. In IIS 6, the expired password threw a very specific 401.2. In IIS 7 it's just a 401, with no additional sub-code.
I am working in SharePoint, and may end up with a WebPart that allows anonymous, but catches the expired password issue and redirects you accordingly, but haven't decided to take that path quite yet. Still hoping someone that has found another solution will magically appear.