
I’m working in a scenario where the user's password is already expired in Active Directory. I’m trying to check whether the user has entered a valid username and the corresponding valid but expired password or not. If the user enters a valid user name and the correct expired password, I’ll be redirecting them to a page where they can reset the password. However, if the user enters a wrong expired password, then the user should be notified with the standard message "UserName and/or password is not correct". I checked online and they are talking about using the ValidateCredentials method after setting pwdLastSet to -1 to disable "user must change password at next logon".

How to check AD user credentials when the user password is expired or "user must change password at next logon"

Will this approach allow me to check the validity of the expired password? I tried this approach and it does not seem to be working for me.

user1072578

1 Answer


Yup - the ValidateCredentials API gives too many false positives.

This is something of a black art, but you can check the User-Account-Control attribute and the ms-DS-User-Account-Control-Computed attribute, both of which have "Password Expired" bits.

I normally use the above, but some people suggest using the Windows API directly - refer to Active Directory (LDAP) - Check account locked out / Password expired.

rbrayb
  • Hi nzpcmad, I tried to use if (!LogonUser(user, domain, pass, LogonTypes.Network, LogonProviders.Default, out token)) { errorCode = Marshal.GetLastWin32Error(); success = false; } within a try catch block. I received the error code as mentioned in the link you provided (LDAP-Check account ..). However, when I disabled the user and tried to log on, irrespective of right or wrong password, I'm getting the same error code, i.e. 1331. I was expecting 1326 when a wrong password was provided. Did I miss anything? – user1072578 May 01 '13 at 18:43
  • That sounds correct - 1331 is ERROR_ACCOUNT_DISABLED. I'm pretty sure that the password check is at the end of the chain i.e. the code checks for disabled, lockout etc. before checking the validity of the password. – rbrayb May 01 '13 at 19:12
  • But the documentation for the error code, http://www-01.ibm.com/support/docview.wss?uid=swg21290631, says: Returns 1331 only when presented with valid username and password/credential. In my case, I'm getting 1331 even when the password is wrong. I expect the 1326 error code when I use a correct username and wrong password. At least I'm getting 1326 on one of the old servers where similar functionality is implemented. – user1072578 May 01 '13 at 19:40
  • That's IBM documentation - see http://support.microsoft.com/kb/155012 - makes no mention of this. – rbrayb May 01 '13 at 20:25
  • Well then, I believe I have to live with it. Thank you nzpcmad for your prompt response. – user1072578 May 01 '13 at 21:41
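An added example (not code from the question, the answer or the comments) showing the two halves of the thread: decoding the "Password Expired" and related bits from the attributes rbrayb names, and reading LogonUser's Win32 result the way the comments describe, where disabled and lockout are reported before the password is ever checked. The UF_* and ERROR_* constants are Microsoft's documented values; the attribute values in SAMPLE_ATTRS are constructed.

```python
# Constructed sample of the three attributes as an LDAP search returns them
# (strings): a normal account whose password has expired.
SAMPLE_ATTRS = ("512", "8388608", "130000000000000000")

# Microsoft's UF_* userAccountControl bit flags
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010             # populated only in the computed attribute
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000  # populated only in the computed attribute

# Win32 codes LogonUser leaves in GetLastError on failure
ERROR_LOGON_FAILURE = 1326         # bad username or password
ERROR_PASSWORD_EXPIRED = 1330      # password correct, but expired
ERROR_ACCOUNT_DISABLED = 1331
ERROR_PASSWORD_MUST_CHANGE = 1907  # password correct, must change at next logon
ERROR_ACCOUNT_LOCKED_OUT = 1909


def classify_account(user_account_control, uac_computed, pwd_last_set):
    """Decode userAccountControl, msDS-User-Account-Control-Computed and pwdLastSet."""
    uac = int(user_account_control)
    computed = int(uac_computed)
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "locked_out": bool(computed & UF_LOCKOUT),
        "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
        "password_expired": bool(computed & UF_PASSWORD_EXPIRED),
        # AD stores "user must change password at next logon" as pwdLastSet == 0
        "must_change_at_next_logon": int(pwd_last_set) == 0,
    }


def logon_outcome(win32_error):
    """Say what a LogonUser result (0 = call succeeded) proves about the password.
    Disabled/locked-out checks run before the password check, so 1331 and 1909
    carry no information about the password, which is what the comments observed."""
    if win32_error == 0:
        return "password_ok"
    if win32_error in (ERROR_PASSWORD_EXPIRED, ERROR_PASSWORD_MUST_CHANGE):
        return "password_ok_reset_required"
    if win32_error == ERROR_LOGON_FAILURE:
        return "bad_credentials"
    if win32_error in (ERROR_ACCOUNT_DISABLED, ERROR_ACCOUNT_LOCKED_OUT):
        return "account_blocked_password_unverified"
    return "other_error"
```

For the flow in the question, only "password_ok_reset_required" should send the user to the reset page; every other failure gets the same generic "username and/or password is not correct" message so the response does not reveal account state.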