Why does Active Directory validate last password?

别跟我提以往 2020-12-04 10:28

I am working on a simple solution to update a user's password in Active Directory.

I can successfully update the user's password. Updating the password works fine. L

3 answers
  •  情书的邮戳
    2020-12-04 11:20

    I've found a way to validate the user's current credentials only. It leverages the fact that ChangePassword does not use cached credentials. By attempting to change the password to its current value, which first validates the password, we can determine if the password is incorrect or there is a policy problem (can't reuse the same password twice).

    Note: this will probably only work if your policy has a history requirement of at least not allowing to repeat the most recent password.

            using System;
            using System.DirectoryServices.AccountManagement;

            // Returns true only if 'password' is the account's *current* password.
            // ValidateCredentials may still accept a recently changed (cached) password;
            // ChangePassword does not, so it is used as the second, authoritative check.
            static bool IsCurrentPassword(PrincipalContext context, UserPrincipal user, string userName, string password)
            {
                var isPasswordValid = context.ValidateCredentials(userName, password);

                // use ChangePassword to test credentials as it doesn't use caching, unlike ValidateCredentials
                if (isPasswordValid)
                {
                    try
                    {
                        user.ChangePassword(password, password);
                    }
                    catch (PasswordException ex)
                    {
                        // -2147024810 == 0x80070056 == ERROR_INVALID_PASSWORD (Win32 error 86)
                        if (ex.InnerException != null && ex.InnerException.HResult == -2147024810)
                        {
                            // Password is wrong - ValidateCredentials must have accepted a cached password
                            isPasswordValid = false;
                        }
                        // otherwise: password policy problem - expected, as history rules forbid
                        // changing a password to itself
                    }
                    catch (Exception)
                    {
                        // ignored, we only want to detect a wrong password; other AD-related
                        // exceptions should already occur in ValidateCredentials
                    }
                }

                return isPasswordValid;
            }

