I am using the Core + Angular version with LDAP enabled. After an AD user clicks “Forgot password”, we got two issues:
The first issue occurs when the user changes the password. The link in the "password reset" email is actually two URLs delimited by a comma, like: https://login.company.com/, http:/login.company.com/account/reset-password?userId=12345&resetCode=044D43ACE0&tenantId=1
When the user clicks this link, it opens the reset page, but is immediately redirected to a blank page, which is actually the first URL (i.e. https://login.company.com). So the user has no chance to change her password. A workaround is to copy the 2nd URL and paste it into a browser. It opens a password reset page, but it will stay on the reset page. We need to manually close the browser and re-open the home page to log in. We tried Chrome and Edge and got the same behavior.
The 2nd issue occurs after the password is changed. After the user changes her old password (e.g. password0) to a new password (e.g. password1), both passwords are valid. I guess the new password is not PUSHED to AD. When the user uses password0, she is treated as an AD user, and if she uses password1, she is treated as a local user. Is this a bug or by design?
Thanks,
I tried it again, and got the full stack trace as follows. I forgot to mention, we enabled LDAP Authentication.
I tried one user with his username and password. The login failed. Here is the screenshot:
The log on server side:
INFO 2019-02-06 09:38:58,510 [88 ] soft.AspNetCore.Hosting.Internal.WebHost - Request starting HTTP/1.1 OPTIONS http://stg.company.com/api/TokenAuth/Authenticate
INFO 2019-02-06 09:38:58,510 [88 ] pNetCore.Cors.Infrastructure.CorsService - Policy execution successful.
INFO 2019-02-06 09:38:58,510 [88 ] soft.AspNetCore.Hosting.Internal.WebHost - Request finished in 0.1799ms 204
INFO 2019-02-06 09:38:58,607 [70 ] soft.AspNetCore.Hosting.Internal.WebHost - Request starting HTTP/1.1 POST http://stg.company.com/api/TokenAuth/Authenticate application/json 158
INFO 2019-02-06 09:38:58,607 [70 ] pNetCore.Cors.Infrastructure.CorsService - Policy execution successful.
INFO 2019-02-06 09:38:58,610 [70 ] pNetCore.Cors.Infrastructure.CorsService - Policy execution successful.
INFO 2019-02-06 09:38:58,619 [70 ] ore.Mvc.Internal.ControllerActionInvoker - Executing action method SNet.Web.Controllers.TokenAuthController.Authenticate (SNet.Web.Core) with arguments (SNet.Web.Models.TokenAuth.AuthenticateModel) - ModelState is Valid
WARN 2019-02-06 09:39:02,625 [45 ] Mvc.ExceptionHandling.AbpExceptionFilter - Internal Error Abp.UI.UserFriendlyException: Internal Error
INFO 2019-02-06 09:39:02,625 [45 ] etCore.Mvc.Internal.ObjectResultExecutor - Executing ObjectResult, writing value Microsoft.AspNetCore.Mvc.ControllerContext.
INFO 2019-02-06 09:39:02,626 [45 ] ore.Mvc.Internal.ControllerActionInvoker - Executed action SNet.Web.Controllers.TokenAuthController.Authenticate (SNet.Web.Core) in 4015.5818ms
INFO 2019-02-06 09:39:02,626 [45 ] soft.AspNetCore.Hosting.Internal.WebHost - Request finished in 4019.1264ms 500 application/json; charset=utf-8
A strange thing is that I tried to use the user's email address to log in with the same password. It succeeds:
It always has client-side errors even when login succeeds. Here is a screenshot after a frequent user logged in:
Recently, many of our users get an error while they try to log in:
Internal Error
Cannot insert the value NULL into column 'EmailAddress', table 'PROJECT.dbo.AbpUsers'; column does not allow nulls. UPDATE fails.
The statement has been terminated.
Most of these users have not logged in for a couple of months. I checked those users' AbpUser.EmailAddress record. It is NOT NULL. Their passwords are never expired. However, if I reset their password, the problem would be gone. Unfortunately, I can't reset the password for everyone.
I traced Log.txt. There is no warning, but some fails, such as:
uthentication.JwtBearer.JwtBearerHandler - Failed to validate the token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[…].bdh-Uo7bzXmGs3xjALUedYqXHzQgvMGffra_UmOcp0k.
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired.
ValidTo: '02/05/2019 17:56:46'
Current time: '02/05/2019 21:33:04'.
It seems their token expired. Can you advise me how to refresh the token to work around this "Internal Error"?
Thanks,
I understand "multiple users to a specific OU" and "single user to multiple OUs". No question about that. My question is about PARENT OUs. Is it necessary to link a user to its immediate OU **and** all of its PARENT OUs?
From the above answers, I assume it has no impact on other parts within the current AspNetZero template. However, it should be kept in mind to expand it to my own applications.
Thanks again.
Thank you for the confirmation! My question is which one is correct. I am concerned about the user's relationship to its "parent OUs". Shall I keep relationships for a user to its immediate OU AND all its parent OUs, or just ignore the relationships to parent OUs?
I surely like the simple user-immediate-OU relationship, but I worry if it encounters problems on other parts of this application (AspNetZero). If this is by design, do you have specific purposes for both?
Thanks,
I use Core+Angular. I tried version 5.0 and 6.4. It acts the same on both versions.
BTW, the interface screens are different in these two ways:
In User screen, when I check off an OU, its parent OUs are automatically checked off. I can manually uncheck any of them, but I don't know if it should be.
In OU Add Member screen, there is no such option to check/uncheck its parent OUs.
I realized my AbpUserLogins and AbpUserTokens tables are always empty. What are these two tables for?
Thanks,
Is this feature on your road map?
Ideally, I expect an automatic email sent to the user 7 days before the expiration day to remind the user to reset her password by following a link in the email.
That will help us a lot.
Thanks,
While adding a user, I have two ways to link her to an OU. I realized it generates different records in AbpUserOrganizationUnits.
If I add members in Organization Units screen, only one record is inserted into DB table AbpUserOrganizationUnits, which links the UserId with one OU Id.
If I add an OrganizationUnit to a user in User screen, multiple records are inserted into DB table AbpUserOrganizationUnits, which link the UserId with her OU Id AND all of that OU's parent Ids.
I wonder which way is correct? Is there any different impact on other parts of the application?
I wonder if you plan to implement "Angular Universal server-side rendering"?