Skip to content
A self-service password management tool for Active Directory
Branch: master
Clone or download
Latest commit c32fb0d Apr 9, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Create stale.yml Jan 25, 2019
.vscode Found some minor errors in the HTML & code styling May 9, 2018
src use zxcvbn for password strength calculation (#271) Apr 8, 2019
.gitignore #40 support expired passwords or passwords set to change at next login ( Aug 7, 2018
.travis.yml Update .travis.yml Apr 8, 2019
Dockerfile [Add] Docker File (#248) Feb 8, 2019
IISSetup.ps1 Issue141 app veyor integration test (#171) Jun 25, 2018
Installer.ps1 Update installer to use 2.2.3 Mar 25, 2019
LICENSE Initial commit Jan 7, 2016
README.md
StyleCop.Analyzers.ruleset PassCore 3.5 (#224) Nov 5, 2018
Unosquare.PassCore.sln
appveyor.yml Update appveyor.yml Feb 8, 2019
docfx.json Test Docfx filter Feb 14, 2019
filterConfig.yml Missing file Feb 14, 2019
preview.png Changes layout, update README.md Oct 18, 2017
toc.yml Create toc.yml Feb 13, 2019

README.md

Build status Github All Releases Analytics Build Status

Passcore Logo

PassCore: A self-service password change utility for Active Directory

⭐️Please star this project if you find it useful!

Overview

PassCore is a very simple 1-page web application written in C#, using ASP.NET Core , Angular Material, Typescript, and Microsoft Directory Services (Default provider). It allows users to change their Active Directory password on their own, provided the user is not disabled.

PassCore does not require any configuration, as it obtains the principal context from the current domain. I wrote this because a number of people have requested several features that the original version did not have. The original version of this tool was downloaded around 8000 times in 2.5 years. My hope is that the new version continues to be just as popular. There really is no free alternative out there (that I know of) so hopefully this saves someone else some time and money.

Features

PassCore has the following features:

  • Easily localizable (i.e. you can customize all of the strings in the UI -- see the section on Customization)
  • Supports reCAPTCHA
  • Has a built-in password meter
  • Responsive design that works on mobiles, tablets, and desktops.
  • Works with Windows/Linux servers.

Installation on IIS

You can easily install using Powershell. Check the next section to know how.

  1. Ensure the server running IIS is domain-joined. To determine if the computer is domain-joined:
    • Go to the Start menu, right click on Computer, then select Properties
    • Make sure the Domain field contains the correct setting.
  2. You need a Passcore copy to continue. We recommed to download the latest binary release of PassCore.
  3. NOTE: Before extracting the contents of the file, please right click on it, select Properties and make sure the file is Unblocked (Click on the Unblock button at the bottom of the dialog if it is available). Then, extract the contents of the zip file to the directory where you will be serving the website from.
    • If you download the source code you need to run the following command via an Command Prompt. Make sure you start the Command Prompt with the Administrator option.
    • dotnet publish --configuration Release --runtime win-x64 --output "<path>"
    • The <path> is the directory where you will be serving the website from.
  4. Install the .NET Core 2.2.3 Windows Server Hosting bundle.
  5. Go to your IIS Manager, Right click on Application Pools and select Add Application Pool.
  6. A dialog appears. Under Name enter PassCore Application Pool, Under .NET CLR Version select No Managed Code and finally, under Managed pipeline mode select Integrated. Click OK after all fields have been set.
  7. Now, right click on the application pool you just created in the previous step and select Advanced Settings .... Change the Start Mode to AlwaysRunning, and the Idle Time-out (minutes) to 0. Click on OK. This will ensure PassCore stays responsive even after long periods of inactivity.
  8. Back on your IIS Manager, right click on Sites and select Add Website
  9. A dialog appears. Under Site name, enter PassCore Website. Under Application pool click on Select and ensure you select PassCore Application Pool. Under Physical path, click on the ellispsis (...), navigate to the folder where you extracted PassCore.
    • Important: Make sure the Physical path points to the parent folder which is the one containing the files, logs and wwwroot folders.
    • NOTE: If the folder logs is not there you can created. To enable the logs you need to change stdoutLogEnabled to true in the web.config file. You need to add Full Control permissions to your IIS Application Pool account (see Troubleshooting).
  10. Under the Binding section of the same dialog, configure the Type to be https, set IP Address to All Unassigned, the Port to 443 and the Host name to something like password.yourdomain.com. Under SSL Certificate select a certificate that matches the Host name you provided above. If you don't know how to install a certificate, please refer to SSL Certificate Install on IIS 8 or SSL Certificate Install on IIS 10 , in order to install a proper certificate.
    • Important: Do not serve this website without an SSL certificate because requests and responses will be transmitted in cleartext and an attacker could easily retrieve these messages and collect usernames and passwords.
  11. Click OK and navigate to https://password.yourdomain.com (the host name you previously set). If all is set then you should be able to see the PassCore tool show up in your browser.

NOTE: If you have a previous version, you can not use the same appsettings.json file. Please update your settings manually editing the new file.

PowerShell Installer

Use PowerShell to download and setup Passcore using the following command line, just make sure you have installed the .NET Core 2.1 Windows Server Hosting bundle and enabled World Wide Web publishing service:

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/unosquare/passcore/master/Installer.ps1'))

Using the command shown above will install to the folder C:\passcore and using the HTTP Port 8080 with the default (localhost) binding.

If you want to customize your installation please download the installer script and the IIS setup script.

NOTE: You need PowerShell version 5 or better to execute the script.

Docker

You can use the Alpine Docker Builder image and then copy the assets over to an Alpine container. You can pass environment attributes directly into docker without modifying the appsettings.json

docker build --rm -t passcore .
docker run \
-e AppSettings__LdapHostnames__0='ad001.example.com' \
-e AppSettings__LdapHostnames__1='ad002.example.com' \
-e AppSettings__LdapPort='636' \
-e AppSettings__LdapUsername='CN=First Last,OU=Users,DC=example,DC=com' \
-it \
-p 80:80 \
passcore:latest

NOTE: Docker image contains a build using the LDAP Provider (see below).

LDAP Provider

PassCore was created to use the Microsoft Active Directory Services provided by .NET Framework, but a new Provider using Novell LDAP Client can be used instead. This provider is the default when PassCore is running at Linux or MacOS since Microsoft AD Services are NOT available.

The configuration of the LDAP Provider is slightly different. for example, the AutomaticContext is not available and you need to supply credentials.

WIP

Customization and Configuration

All server-side settings and client-side settings are stored in the /appsettings.json file. The most relevant configuration entries are shown below. Make sure you make your changes to the appsettings.json file using a regular text editor like Visual Studio Code

  • To enable reCAPTCHA
    1. Find the PrivateKey entry and enter your private key within double quotes (")
    2. Find the SiteKey entry and enter your Site Key within double quotes (")
  • To change the language of the reCAPTCHA widget
  • To enable/disable the password meter
    • Find the ShowPasswordMeter entry and set it to true or false (without quotes)
  • To enable restricted group checking
    1. Find the CheckRestrictedAdGroups entry and set it to true (without quotes)
    2. Find the RestrictedADGroups entry and add any groups that are sensitive. Accounts in these groups (directly or inherited) will not be able to change their password.
  • Find the DefaultDomain entry and set it to your default Active Directory domain. This should eliminate confusion about using e-mail domains / internal domain names. NOTE: if you are using a subdomain, and you have errors, please try using your top-level domain. Thank you.
  • To provide an optional paramerter to the URL to set the username text box automatically
    1. http://mypasscore.com/?userName=someusername
    2. This helps the user incase they forgot thier username and, also comes in handy when sending a link to the application or having it embeded into another application were the user is all ready signed in.
  • To specify which (DC) attribute is used to search for the specific user.
    • With the IdTypeForUser it is possible to select one of six Attributes that will be used to search for the specifiv user.
    • The possible values are:
      • DistinguishedName or DN
      • GloballyUniqueIdentifier or GUID
      • Name
      • SamAccountName or SAM
      • SecurityIdentifier or SID
      • UserPrincipalName or UPN
  • The rest of the configuration entries are all pretty much all UI strings. Change them to localize, or to brand this utility, to meet your needs.

Running as a sub application

To run as a sub application you need to modify the base href="/" value in the wwwroot/index.html file to be the base url for PassCore. For example you might have PassCore setup at /PassCore so you would put

<base href="/PassCore/" />

Troubleshooting

  • At first run if you find an error (e.g. HTTP Error 502.5) first ensure you have installed .NET Core 2.1.1 Windows Server Hosting bundle, or better.
  • If you find an HTTP Error 500 you can try
    1. Press Win Key+R to Open Run Window
    2. in the Run Window, enter "OptionalFeatures.exe"
    3. in the features window, Click: "Internet Information Services"
    4. Click: "World Wide Web Services"
    5. Click: "Application Development Features"
    6. Check the features.
  • If you / your user's current password never seems to be accepted for reset; the affected person may need to use a domain-connected PC to login and reset their password on it first. Updated group policy settings could be blocking user changes, until a local login is completed.
  • You can add permissions to your log folder using icacls
icacls "<logfolder>/" /grant "IIS AppPool\<passcoreAppPoolAccount>:M" /t

LDAP Support

  • If your users are having trouble changing passwords as in issues #8 or #9 : try configuring the section PasswordChangeOptions in the /appsettings.json file. Here are some guidelines:
    1. Ensure UseAutomaticContext is set to false
    2. Ensure LdapUsername is set to an AD user with enough permissions to reset user passwords
    3. Ensure LdapPassword is set to the correct password for the admin user mentioned above
    4. User @gadams65 suggests the following: Use the FQDN of your LDAP host. Enter the LDAP username without any other prefix or suffix such as domain\\ or @domain. Only the username.
  • You can also opt to use the Linux or MacOS version of PassCore. This version includes a LDAP Provider based on Novell. The same provider can be used with Windows, you must build it by yourself.

Build your own version

If you need to modify the source code (either backend or frontend). You may require to install [.NET Core SDK}(https://dotnet.microsoft.com/download) and Node.js. Run the following command according to your target platform.

Windows

dotnet publish --configuration Release --runtime win-x64 --output "<path>"

Linux (portable)

dotnet publish --configuration Release --runtime linux-x64 /p:PASSCORE_PROVIDER=LDAP --output "<path>"

MacOS (OS X)

dotnet publish --configuration Release --runtime osx-x64 /p:PASSCORE_PROVIDER=LDAP --output "<path>"

Note - The PASSCORE_PROVIDER modifier will use the LDAP Provider instead of Active Directory Provider.

Create your own provider

If you wish to create your own provider, you need use our interface and common classes. You can use the following nuget to install them:

NuGet version

PM> Install-Package Unosquare.PassCore.Common

License

PassCore is open source software and MIT licensed. Please star this project if you like it.

You can’t perform that action at this time.