
I would like to allow the current user to change their password (managed via active directory).

I would like to validate and then set their password in Active Directory (currently using the SetPassword invoke method).

My problem is validating the password so that it meets the complexity requirements:

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), Base 10 digits (0 through 9), Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

I'm already using a CompareValidator with two textboxes so I was thinking about adding a RegularExpressionValidator (source 1, source 2) but I'm not sure how to get it to work with the whole "three of four categories" thing:

// _txtPassword1 is the first of the two password TextBoxes on the page.
RegularExpressionValidator revComplex = new RegularExpressionValidator();
revComplex.ControlToValidate = _txtPassword1.ID;
revComplex.ErrorMessage = "Password must have at least 7 characters. Characters should be from at least three of the following four groups: uppercase letter, lowercase letter, digit, or special characters  (for example, !, $, #, %).";
// Lookaheads: length >= 7, and a lowercase letter AND a digit AND an uppercase letter
// (all three, not three of four); the last lookahead rejects any whitespace (\s).
revComplex.ValidationExpression = @"^(?=.{7,})(?=.*[a-z])(?=.*[0-9])(?=.*[A-Z])(?!.*\s).*$";

Surely someone has tried to do this before? How should I validate a user's password before sending it to Active Directory according to the local security policy?

Nat
Kit Menke
  • This is a bad candidate for regular expressions. – John Gietzen Feb 20 '11 at 21:44
  • Found someone trying to do a very similar thing: http://stackoverflow.com/questions/4992474/determine-ad-password-policy-programmatically @John: Agreed, which is why I thought I should ask this question. Maybe a CustomValidator? – Kit Menke Feb 20 '11 at 21:49
  • Yeah, a custom validator is almost certainly your best bet here. I do, however, agree with Tom's answer below, since it is more resilient to changing policies. – John Gietzen Feb 20 '11 at 21:52
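A CustomValidator of the kind the comments suggest, added here as an example (not code from the question or the answers): the hypothetical PasswordPolicyValidator class re-checks the four rules quoted in the question so the page can tell the user which one failed; AccountName and FullName are assumed to be looked up from AD by the page, and cvComplex is an assumed CustomValidator name. AD remains the authority, so the ChangePassword call still needs its try-catch.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.UI.WebControls;

// Hypothetical helper, not code from the question. It re-checks the rules quoted
// in the question so the page can say which one failed. AD stays the authority:
// ChangePassword can still reject the value (history, minimum age, fine-grained
// policy), so keep the try-catch around that call.
public class PasswordPolicyValidator
{
    // Delimiters at which Windows splits the full name before checking its parts.
    private static readonly char[] NameDelimiters = { ',', '.', '-', '_', ' ', '#', '\t' };
    public string AccountName { get; set; } // sAMAccountName, looked up by the page
    public string FullName { get; set; }    // displayName, looked up by the page

    public static List<string> Check(string password, string accountName, string fullName)
    {
        var errors = new List<string>();
        password = password ?? string.Empty;
        if (password.Length < 6)
            errors.Add("Password must be at least six characters long.");
        // The account name must not appear anywhere in the password (case-insensitive).
        if (!string.IsNullOrEmpty(accountName) &&
            password.IndexOf(accountName, StringComparison.OrdinalIgnoreCase) >= 0)
            errors.Add("Password must not contain the account name.");
        // Parts of the full name longer than two characters must not appear either.
        var nameParts = (fullName ?? string.Empty)
            .Split(NameDelimiters, StringSplitOptions.RemoveEmptyEntries)
            .Where(part => part.Length > 2);
        if (nameParts.Any(part => password.IndexOf(part, StringComparison.OrdinalIgnoreCase) >= 0))
            errors.Add("Password must not contain parts of the full name.");
        // Three of the four character categories are required.
        bool upper = password.Any(c => c >= 'A' && c <= 'Z');
        bool lower = password.Any(c => c >= 'a' && c <= 'z');
        bool digit = password.Any(c => c >= '0' && c <= '9');
        bool other = password.Any(c => !char.IsLetterOrDigit(c));
        if (new[] { upper, lower, digit, other }.Count(b => b) < 3)
            errors.Add("Password must use at least three of: uppercase, lowercase, digit, symbol.");
        return errors;
    }

    // Attach with: cvComplex.ServerValidate += validator.ServerValidate;
    public void ServerValidate(object sender, ServerValidateEventArgs args)
    {
        var errors = Check(args.Value, AccountName, FullName);
        args.IsValid = errors.Count == 0;
        if (!args.IsValid)
            ((CustomValidator)sender).ErrorMessage = string.Join(" ", errors.ToArray());
    }
}
```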

2 Answers

Imho, you can better use ChangePassword than SetPassword. That way, you require the user to specify his current (old) password. That may be interesting, because you can never be 100% sure that the user who is browsing your site is actually the user who is logged in.

Here's a link with more information: http://www.primaryobjects.com/CMS/Article66.aspx

You do not have to validate the password in advance. Just send it to AD in a try-catch, and if it's not validated, the reason why will be in the exception message.

Tom Vervoort
  • I'm +1 here, even though this is a bit of a non-answer. – John Gietzen Feb 20 '11 at 21:52
  • Yeah, I think I will probably switch to use ChangePassword. As for just catching the exception... I'm still testing (trying to overcome a weird ACCESS DENIED issue), but I'm not sure about how detailed the exception is. I would prefer to give the user more specific feedback as to why their new password is bad. – Kit Menke Feb 21 '11 at 14:19
  • After more research, it seems impossible to perform a reliable check without sending it to AD. This question had some helpful links as well: http://stackoverflow.com/questions/3225168/how-can-you-test-if-an-ad-password-will-meet-configured-complexity-requirements – Kit Menke Feb 22 '11 at 03:36

I found a way to diagnose the error in a bit more detail. It does not provide any feedback from AD, but we can perhaps create a mapping of the COM errors to a user friendly message.

This article provides more information about handling the possible COM errors:

http://www.ozkary.com/2015/03/active-directory-setpassword-or.html

I think more detail can be added for these COM errors:

0x800708c5 0x8007202f 0x8007052d 0x8007052f

ozkary