IIS 4.0 Prompts for Password When You Use Web-based Password Change Utility (209389)


The information in this article applies to:

  • Microsoft Internet Information Server 4.0
This article was previously published under Q209389
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SYMPTOMS

When you try to use the Web-based password change utility that is included in Internet Information Server (IIS) 4.0, the system may prompt you for a new password. However, you cannot successfully change your password.

CAUSE

When you install IIS, the passwordchangeflags parameter is set to a default value of 0. This value causes the system to prompt for a password when you try to use the Web-based password change utility.

For this utility to work correctly, the passwordchangeflags parameter's default value must be changed in the metabase.

RESOLUTION

To resolve this issue, follow these steps.

NOTE: For the following procedure to work, Windows Scripting Host must be installed on your computer.
  1. Change the IIS directory setting to the following:

    \%windir%\System32\Inetsrv\Adminsamples

  2. Type the following:

    cscript adsutil.vbs set w3svc/1/passwordchangeflags value

    NOTE: 1 represents the Web site on which this change is to occur. You may have to set this parameter multiple times if multiple Web sites are involved.

  3. The following values are possible settings for the passwordchangeflags parameter:
    • Value 0 (default): Requires that the password change utility reside over a Secure Sockets Layer (SSL) connection.
    • Value 1: Removes the requirement for SSL.
    • Value 2: Disables password change notification.
    • Value 4: Disables advance notification of password change.

MORE INFORMATION

The IIS online documentation states the following:

Notifying Clients of Password Status: You can set properties in the metabase, which will notify a client when his or her password has expired or is about to expire. This feature also gives the client the opportunity to change the password at the time of the notification, or to continue with the original request. These metabase properties are used to configure the implementation of the feature.

NOTE: Administrators do not have to set any of these properties for this feature to work. These properties are automatically set in the metabase during IIS setup.

The following metabase properties control this feature. PasswordChangeFlags specifies the flags that control password expiration and password change processing between the server and client. The default value of 0 indicates that a password change is not permitted on an unsecured (that is, non-SSL) channel. A value of 1 indicates that a password change is permitted on an unsecured channel. A value of 2 indicates that password change notification is disabled. A value of 4 indicates that advance notification of password change is disabled.

Modification Type:MinorLast Reviewed:6/22/2005
Keywords:kbpending kbprb KB209389
©2004 Microsoft Corporation. All rights reserved.