Question : Allow users to change password using IIS

I have a server which hosts reports using SQL Reporting Services. The users have Windows accounts on the server hosting the reports, and authenticate using these credentials.

I would like to allow users to change their password / to force password changes every 60 days, and ensuring password complexity standards are met.

What would be the best way to achieve this?

Thanks.

Answer : Allow users to change password using IIS

No I don't mean another security model.

In order to protect the web server, IIS runs all web applications as a 'Guest' account.  Even the background worker processes executed by the code run in 'Guest' mode by default.

When SQL RS (Reporting Services) allows someone to run a report all it does is verify that they are allowed to access the report.  It doesn't relay those credentials to the operating system OR network.  That is by design and once again for the safety of the server.

In order to achieve this you'd have to write custom code that had full access to the domain using IIS.  Which means that any script executed on the server would be able to access the network.  Including if a hacker embedded VBScript in the web response which could penetrate your network.

Doing what you are suggesting would be equivalent to putting strong locks on a steel front door of a house made with paper.  I would strongly suggest you do not attempt this.