
How do I determine whether an LDAP password has expired?

I can query a user's information from LDAP to see whether it is expired or not, but before this check I want to be sure that the password the user entered is correct.

    using System;
    using System.DirectoryServices;
    using System.DirectoryServices.AccountManagement;
    using System.Web.Hosting;
    // ActiveDs.IADsUser comes from the "Active DS Type Library" COM interop reference.
    // This snippet runs inside a method; `details` is the result object being filled in,
    // `username` and `password` are the values the user entered.

    using (HostingEnvironment.Impersonate())
    {
        // set up domain context
        using (var ctx = new PrincipalContext(ContextType.Domain))
        {
            try
            {
                // I expect this section to check whether the current user name and password
                // are correct or not. But for an expired password it does not work. Before
                // checking password expiration I want to check that the current user and
                // password are correct.
                details.IsAuthenticate = ctx.ValidateCredentials(username, password);
            }
            catch (Exception exp)
            {
                // rethrow without resetting the stack trace
                throw;
            }

            // find the user
            var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username);

            if (user != null)
            {
                // get the underlying DirectoryEntry object from the UserPrincipal
                details.IsUserExist = true;
                var de = (DirectoryEntry)user.GetUnderlyingObject();

                // now get the IADsUser object from the directory entry
                var ue = (ActiveDs.IADsUser)de.NativeObject;

                details.IsAccountLocked = ue.IsAccountLocked;
                details.IsAccountActive = !ue.AccountDisabled;
                details.PasswordExpirationDate = ue.PasswordExpirationDate;
                // details.PasswordLastChanged = ue.PasswordLastChanged;
                details.HasPasswordExpired = ue.PasswordExpirationDate <= DateTime.Now;
                details.PasswordNeverExpired = user.PasswordNeverExpires;

                if (user.PasswordNeverExpires)
                {
                    details.HasPasswordExpired = false;
                }

                // no LastPasswordSet means "user must change password at next logon"
                if (user.LastPasswordSet.HasValue == false && user.PasswordNeverExpires == false)
                {
                    details.ForceChangePassword = true;
                }
                else
                {
                    details.ForceChangePassword = false;
                }
            }
        }
    }

1 Answer

I found out my answer.

Rather than using PrincipalContext object I tried another way.

    using System;
    using System.DirectoryServices.Protocols;
    using System.Net;

    try
    {
        // ctx is the PrincipalContext from the question; ConnectedServer is the DC it bound to
        using (var connection = new LdapConnection(ctx.ConnectedServer))
        {
            NetworkCredential credential = new NetworkCredential(username, password);
            connection.Credential = credential;
            connection.Bind();
            //Console.WriteLine("logged in");
        }
    }
    catch (LdapException lexc)
    {
        // ServerErrorMessage carries the AD sub-code ("data 52e", "data 532", ...)
        String error = lexc.ServerErrorMessage;
        Console.WriteLine(error);
        Console.WriteLine(lexc);
    }
    catch (Exception exc)
    {
        Console.WriteLine(exc);
    }

And by looking at the result in the catch you can do whatever you want.

    525  user not found
    52e  invalid credentials
    530  not permitted to logon at this time
    531  not permitted to logon at this workstation
    532  password expired
    533  account disabled
    701  account expired
    773  user must reset password
    775  user account locked

/*******************************************************/

Validate a username and password against Active Directory?

http://social.technet.microsoft.com/Forums/windowsserver/en-US/474abb8f-cfc6-4cac-af79-c3e80e80291f/ldap-authentication-error-ldap-error-code-49-80090308-ldaperr-dsid0c090334-comment?forum=winserverDS
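As an added example (not the asker's or the answerer's code), here is the bind-and-classify approach from the answer carried through end to end: it binds with LdapConnection exactly as above, pulls the "data xxx" sub-code out of LdapException.ServerErrorMessage with a regex, maps it onto the table above, and separates "wrong password" (52e) from "password correct but must be changed" (532, 773), which is the distinction the question's ValidateCredentials call cannot make because it only returns true or false. It also refuses an empty password before binding, because an LDAP bind with an empty password is an unauthenticated bind and can succeed. The type and method names (AdBindChecker, BindOutcome, TryBind, ParseServerErrorMessage), the sample error string in Main, and the server name passed in are assumptions; in the answer the server would be ctx.ConnectedServer.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

// Outcome of a bind attempt, derived from the AD sub-code in LdapException.ServerErrorMessage.
public enum BindOutcome
{
    Success,
    UserNotFound,            // data 525
    InvalidCredentials,      // data 52e
    LogonTimeRestricted,     // data 530
    WorkstationRestricted,   // data 531
    PasswordExpired,         // data 532
    AccountDisabled,         // data 533
    AccountExpired,          // data 701
    MustResetPassword,       // data 773
    AccountLocked,           // data 775
    Unknown
}

public static class AdBindChecker   // hypothetical helper, not part of the answer
{
    // The AD message looks like "...comment: AcceptSecurityContext error, data 52e, v1db1";
    // only the "data <hex>" token is parsed.
    private static readonly Regex SubCode =
        new Regex(@"\bdata\s+([0-9a-fA-F]+)\b", RegexOptions.Compiled);

    public static BindOutcome ParseServerErrorMessage(string serverErrorMessage)
    {
        if (string.IsNullOrEmpty(serverErrorMessage)) return BindOutcome.Unknown;
        Match m = SubCode.Match(serverErrorMessage);
        if (!m.Success) return BindOutcome.Unknown;

        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "525": return BindOutcome.UserNotFound;
            case "52e": return BindOutcome.InvalidCredentials;
            case "530": return BindOutcome.LogonTimeRestricted;
            case "531": return BindOutcome.WorkstationRestricted;
            case "532": return BindOutcome.PasswordExpired;
            case "533": return BindOutcome.AccountDisabled;
            case "701": return BindOutcome.AccountExpired;
            case "773": return BindOutcome.MustResetPassword;
            case "775": return BindOutcome.AccountLocked;
            default:    return BindOutcome.Unknown;
        }
    }

    // True when the password matched but the directory still refused the logon because the
    // password must be changed: offer a change-password flow instead of "wrong password".
    public static bool PasswordCorrectButMustChange(BindOutcome outcome)
    {
        return outcome == BindOutcome.PasswordExpired || outcome == BindOutcome.MustResetPassword;
    }

    public static BindOutcome TryBind(string server, string username, string password)
    {
        // An LDAP bind with an empty password is an unauthenticated (anonymous) bind and can
        // succeed; never let that look like a successful logon.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return BindOutcome.InvalidCredentials;

        using (var connection = new LdapConnection(server))
        {
            connection.AuthType = AuthType.Negotiate;   // Kerberos/NTLM, the LdapConnection default
            connection.Credential = new NetworkCredential(username, password);
            try
            {
                connection.Bind();
                return BindOutcome.Success;
            }
            catch (LdapException lexc)
            {
                // Bind failed: classify from the AD sub-code rather than treating every
                // failure as a bad password.
                return ParseServerErrorMessage(lexc.ServerErrorMessage);
            }
        }
    }

    public static void Main()
    {
        // Constructed sample of an AD bind error message (the hex prefix and DSID are taken
        // from the forum link above; the rest is illustrative).
        const string sample =
            "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 532, v1db1";
        BindOutcome outcome = ParseServerErrorMessage(sample);
        Console.WriteLine(outcome);
        Console.WriteLine("password correct but must change: " + PasswordCorrectButMustChange(outcome));
    }
}
```

The design point is the split between ParseServerErrorMessage and TryBind: the parser is pure and can be unit-tested against captured error strings without a domain controller, while TryBind is the only part that touches the network. Note that a 532 or 773 result is itself evidence that the supplied password was right, so the caller can safely move on to the expiration check from the question for that user.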
