Question
I'm working on a credential provider and got stuck with the following issue:
When the desktop is locked on a terminal server and the password expires, the CP can't seem to change the password.
I can detect that the password must be changed in ReportResult(), then open a dialog asking for the new password and pack a KERB_CHANGEPASSWORD_REQUEST to hand over in GetSerialization(). This works when the user logs on initially (CPUS_LOGON).
But in CPUS_UNLOCK_WORKSTATION (when the user is already logged in) I get the same ntsStatus (which is 0xC0000224) again in ReportResult() after handing over the KERB_CHANGEPASSWORD_REQUEST.
So I wonder if anybody knows what the difference is between those two scenarios - is LogonUI expecting a package other than KERB_CHANGEPASSWORD_REQUEST?
I also tried setting the GetSerializationResponse "status" from CPGSR_RETURN_CREDENTIAL_FINISHED to CPGSR_NO_CREDENTIAL_FINISHED (in the technical reference it's said to be the indicator that a password change completed, but that's probably for CPUS_CHANGE_PASSWORD).
The setup I'm testing this on is a Win2012 R2 terminal server with a Win2016 DC.
I'd be grateful for any help, thanks!
Source: https://stackoverflow.com/questions/51947828/windows-credential-provider-password-expired-while-desktop-locked