2

I am using Active Directory as a data store for the users of my website. Active Directory throws the following exception when the password does not meet a password policy constraint:

-->The password supplied is invalid. Passwords must conform to the password strength requirements configured for the default provider.

Can I customize these error messages/notifications in any way to make them more specific?

What I want is this: if 'password history' is the constraint that is violated, then the error message should say so (e.g. "New password should be different than the last 10 used passwords").

Any help is appreciated.

abatishchev
GirishK
  • 1
    Most of those security related messages are "unspecific" for a reason - you don't want to give a possible attacker any hints as to what is wrong. I would leave those "as is" ... – marc_s May 24 '11 at 07:25
  • 1
    Hmm .. Makes sense. But is there no way to edit those ?? – GirishK May 24 '11 at 07:37

2 Answers

3

You can catch that and throw your own message:

try
{
    // Your error will probably appear here
    if (MembershipService.ValidateUser(usr, pwd))
    {
        ...
    }
}
catch (Exception ex)
{
    // Walk down to the innermost exception, if there are inner exceptions
    Exception inner = ex;
    while (inner.InnerException != null)
        inner = inner.InnerException;

    // Now, let's check our exception
    if (inner.Message.StartsWith("The password supplied is invalid. Passwords must conform to the password strength requirements configured for the default provider."))
    {
        throw new Exception("My custom message goes here");
    }

    // Let's throw the original one; a bare throw keeps its stack trace
    throw;
}

Is this what you are trying to accomplish?

balexandre
  • @balexandre - Thanks for the reply. But my basic problem is, I get the same exception and error message for 3 password constraints (password history, complexity requirement, min length). So I can't tell them what exactly was wrong. Is there any way I can do it? – GirishK May 24 '11 at 07:34
  • Do any of your `Exception`s have Inner Exceptions? - Code Updated – balexandre May 24 '11 at 07:41
  • Yes they all have same inner exception - {"A constraint violation occurred. (Exception from HRESULT: 0x8007202F)"} – GirishK May 24 '11 at 08:30
  • If what you get is exactly the same, then you can't do anything on the C# code end; maybe there's a policy to have that in more detail? Ask on http://serverfault.com/ But I will have to agree with `marc_s`, those errors can be the same on purpose. – balexandre May 24 '11 at 08:32
  • Yup.. Finally went with the same thing, just configured my message to be more specific.. – GirishK May 24 '11 at 11:51
0

Well, you should see the exact type of Exception that is thrown, and set up a specific catch for this exception.

If you see this link, http://msdn.microsoft.com/en-us/library/0yd65esw.aspx, you will see that you can catch multiple specific Exceptions.

You could then return whatever msg you want to the user.

Theofanis Pantelides
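An added example, not code from any of the posts above: because all three constraints surface as the same HRESULT 0x8007202F, one way to give specific feedback is to evaluate minimum length and complexity in the application before calling the provider, so that a remaining constraint violation points at password history. The class and method names are hypothetical, and the policy values (minimum length 8, three of four character classes, history of 10) are assumptions that must mirror the domain's actual policy.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;

static class PasswordChangeFeedback
{
    // Assumed policy values: replace with the domain's real settings.
    const int MinLength = 8;
    const int RequiredClasses = 3;
    const int HistoryCount = 10; // figure from the question's example message
    const int ConstraintViolation = unchecked((int)0x8007202F); // HRESULT quoted in the thread

    // Rules the application can evaluate itself, before the directory is called.
    public static List<string> Precheck(string password)
    {
        var problems = new List<string>();
        if (password.Length < MinLength)
            problems.Add($"Password must be at least {MinLength} characters long.");

        int classes = new[]
        {
            password.Any(char.IsUpper),
            password.Any(char.IsLower),
            password.Any(char.IsDigit),
            password.Any(c => !char.IsLetterOrDigit(c))
        }.Count(hit => hit);
        if (classes < RequiredClasses)
            problems.Add($"Use at least {RequiredClasses} of: upper case, lower case, digits, symbols.");
        return problems;
    }

    // Call from the catch block only when Precheck returned no problems.
    public static string Explain(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
            if (e.HResult == ConstraintViolation)
                return $"Password passed the length and complexity checks, so it is most likely one of your last {HistoryCount} passwords.";
        return "The password could not be changed.";
    }

    static void Main()
    {
        // Constructed sample inputs and a constructed exception chain.
        foreach (var p in new[] { "abc", "longbutlowercase", "Tr1cky-Enough" })
            Console.WriteLine($"{p}: {string.Join(" ", Precheck(p))}");
        var sample = new Exception("The password supplied is invalid.",
            new COMException("A constraint violation occurred.", ConstraintViolation));
        Console.WriteLine(Explain(sample));
    }
}
```

The history message is worded as "most likely" because the directory can reject a password for policy rules this pre-check does not model.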