Installation and operation issues for v4.2.0

[KenK73]

I am trying my darndest to get this up and running in my lab. I am following the directions closely as I do not have much experience with IIS or .NET.

My platform is a Windows Server 2016 VM with May 2021 updates installed. The only role installed is IIS.

Following the instructions, I installed the .NET Hosting bundle v5.0.1. After installing PassCore and setting up IIS, I kept getting error 500.31. It said it could not find .NET 3.0.1 but it did see 5.0.1. I ended up fixing this by also installing .NET hosting bundle v3.1.15. Now the website loads fully. Why do I need both v3 and v5? Or what do I need to do to make it use v5?

Next step was to alter the appsettings.json file since using email address is not going to work for us. I set it to use SAM and turned off email. I am not sure if that was necessary because there is no explanation as to what "UseEmail" does. How does changing "IdTypeForUser" work if "UseEmail" is active?

In addition to those changes, I set the default domain to the one in my lab... and just now realized that half of those ldap settings in the appsettings.json apply to me, so I just added my AD servers, port, and bind account. There is really no call in the instructions to modify appsettings.json, but it apparently is quite important and should be addressed specifically. The Note seems to indicate this is only required if you are upgrading.

My bind account has been given delegation over the two user OU's to both change and reset passwords as well as modify pwdlastset properties.

Also, an SSL certificate was generated and applied to the web server. This appears to be functioning as expected.

So even after all this and a reboot, I get the PassCore page loaded, I give it a username (not email) and password I know to work and should be ready for change, and then give it a new strong password I know will meet my AD requirements, and hit "CHANGE PASSWORD".... And it just sits there with the button greyed out for 30ish seconds... and I get:

"You are not allowed to change your password. Please contact your administrator." flashed in red in the bottom right corner of the screen.

My logs appear to be working without any need to modify permissions. I cant say there is much that appears useful in them.

My "AllowedADGroups" is empty. I would like to lock this down, but have no idea or example of how to identify a sub-OU folder. My users are not in "Users", they are in "Lab\Users\Standard" and "Lab\Users\Privileged"

So it does not work and I am stuck at this point.

[KenK73]

I have also done network captures between my PassCore server and my DC's. Just 1 request for a password change is generating 9,459 unique TCP sessions between the PassCore server and the DC in a 5 minute period. Most appear to be reset by the DC.

The PassCore server is domain joined. I have set it to use port 389 and the DC will negotiate.

[KenK73]

I tried this one too: https://github.com/pwm-project/pwm

Looked powerful, but so much so it was kind of overwhelming. Never got it fully working either.

[KenK73]

If you get something working, please let me know.

[gavinmanes]

I am trying https://www.manageengine.com/products/self-service-password/ now. free for up to 50 users and maybe only 600 for 50 users. I will report back here

[gavinmanes]

KenK73 that manageengine solution worked for me

[KenK73]

OK, thanks. I think our corp office used that one for awhile until they went to full Office365.

[RomainL972]

Hi,
I believe the problem is that you are using the latest release of PassCore, but not the latest available version. I had all the same problems you had, and fixed it by doing the following :

• Get the latest available version
  
• Build the application by running dotnet publish --configuration Release --runtime win-x64 --output "C:\passcore"
• When I ran the command the first time, it asked my to download something from Microsoft to be able to build
• I then changed appsettings.json according to my needs
• Because of an issue with AllowedADGroups and Captcha validation I had to fork the project and apply some fix commits. I created a pull request on this project (Fix AllowedADGroups and captcha validation #654) but it hasn't been merged yet.

With all these extra steps the app works well. If you want to have access to that without having to do all the steps yourself, you could download the "build" artifact from the CI/CD on my fork of the project : https://github.com/Green-Technologie/passcore/actions/runs/1366662677

You are welcome to review all the changes from the original project. Also with this version it uses .NET Core v5.

I'd be happy to help you with installation if I can, as I know the struggle.

[KenK73]

You are very generous to offer your tips and time. Much appreciated! I will put some more effort into it with your provided insights and see if I can get it to move.

[klier]

Romain, I'm wondering if you might be able to update your "build" artifact for PassCore. I, as well, am experiencing the same issues as KenK73 was.

[KenK73]

My company purchased Ping Federate, so I will not be investing any more time into these alternate solutions. I never did get this working for what its worth.