How to check AD user credentials when the user password is expired or "user must change password at next logon"

Problem description

I would like to find out if there is any .NET way to validate an Active Directory user credential even if the user's password is expired or the user has "user must change password at next logon" set. I have tried PrincipalContext.ValidateCredentials and this returns false for my user. I also tried LDAP bind and that does not work either. My purpose is to authenticate the user and then prompt him with a change password dialog if his password is expired or he has to change password at next login.

Recommended answer

We have several AD controllers in our setup, and the PrincipalContext.ValidateCredentials method would always return false on the AD controllers on Windows 2003 servers for users with the "user must change password at next logon" checkbox checked.

But on the ones on Windows 2008 R2 servers, it would return true if the creds were valid even if the checkbox was checked.

So I just made sure my code was hitting one of the windows 2008 R2 servers and that did the trick.

I did work on a solution for the 2003 servers (before I realized things would just work on the other ones). Here is the code:

// using directives needed by this snippet (not shown in the original post)
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// adLocation, adContainer, adAdminUsername, adAdminPassword, username and password
// are placeholders supplied by the caller; the admin account needs write access to pwdLastSet.
var adContext = new PrincipalContext(ContextType.Domain, adLocation, adContainer, adAdminUsername, adAdminPassword);

var initialValidation = adContext.ValidateCredentials(username, password);
Console.WriteLine("Initial validation returned: " + initialValidation);

if (!initialValidation)
{
    // maybe validation failed because "user must change password at next logon".
    // let's see if that is the case.

    var user = UserPrincipal.FindByIdentity(adContext, username);
    // LastPasswordSet is null exactly when pwdLastSet == 0, i.e. the checkbox is checked
    if (user != null && user.LastPasswordSet == null)
    {
        // the user must change his password at next logon. So this might be
        // why validation returned false

        // uncheck the "change password" checkbox and attempt validation again
        var deUser = user.GetUnderlyingObject() as DirectoryEntry;
        var property = deUser.Properties["pwdLastSet"];
        property.Value = -1;   // -1 = "set pwdLastSet to now", which clears the checkbox
        deUser.CommitChanges();

        try
        {
            // property was unset, retry validation (call it once and keep the result)
            var secondaryValidation = adContext.ValidateCredentials(username, password);
            Console.WriteLine("Secondary validation returned: " + secondaryValidation);
        }
        finally
        {
            // re check the checkbox, even if the retry threw
            property.Value = 0;   // 0 = "user must change password at next logon"
            deUser.CommitChanges();
        }
    }
}
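The workaround above has a cost a practitioner should weigh: it rewrites pwdLastSet with an admin account, which needs write rights on that attribute, briefly leaves the account without the "must change" flag (a concurrent logon in that window is not forced to change), loses the original pwdLastSet timestamp, and leaves the flag cleared if the process dies between the two CommitChanges calls. The question also mentions that an LDAP bind "does not work either"; that bind failure is in fact the signal you want. When a simple bind to AD fails, the server's diagnostic message carries a sub-error code after "AcceptSecurityContext error, data": 52e is a wrong password, 532 a correct but expired password, 773 a correct password on an account with "must change password at next logon", 533 a disabled account, 775 a locked-out account, 701 an expired account. AD checks the password before the expiry/must-change flags, so 532 and 773 mean the credential was right and the change-password dialog is the correct next step. The example below is an added illustration, not code from the original question or answer: it performs the bind over LDAPS with System.DirectoryServices.Protocols and classifies the outcome. The domain controller name, port 636, UPN-style user names and the regular expression over the diagnostic message are assumptions of this example.

```csharp
// Added example (not from the original question or answer): classify an AD
// simple-bind failure by the sub-error code in the bind's diagnostic message,
// so an expired password or "must change password at next logon" can be told
// apart from a wrong password without touching pwdLastSet.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

public enum AdBindOutcome
{
    Success,
    InvalidCredentials,   // data 52e (wrong password) or 525 (user not found)
    PasswordExpired,      // data 532: correct password, but it has expired
    MustChangePassword,   // data 773: correct password, "must change at next logon"
    AccountDisabled,      // data 533
    AccountLockedOut,     // data 775
    AccountExpired,       // data 701
    OtherFailure
}

public static class AdCredentialCheck
{
    // AD's diagnostic message looks like (assumed format, as returned by real DCs):
    // "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v1db1"
    static readonly Regex SubError = new Regex(@"data\s+([0-9a-f]+)", RegexOptions.IgnoreCase);

    // Pure function over the server message, so it can be exercised without a DC.
    public static AdBindOutcome Classify(string serverErrorMessage)
    {
        if (string.IsNullOrEmpty(serverErrorMessage)) return AdBindOutcome.OtherFailure;
        var m = SubError.Match(serverErrorMessage);
        if (!m.Success) return AdBindOutcome.OtherFailure;
        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "525":
            case "52e": return AdBindOutcome.InvalidCredentials;
            case "532": return AdBindOutcome.PasswordExpired;
            case "773": return AdBindOutcome.MustChangePassword;
            case "533": return AdBindOutcome.AccountDisabled;
            case "775": return AdBindOutcome.AccountLockedOut;
            case "701": return AdBindOutcome.AccountExpired;
            default:    return AdBindOutcome.OtherFailure;
        }
    }

    // Simple bind over LDAPS (port 636 assumed); the password only travels inside TLS.
    public static AdBindOutcome Check(string domainController, string userPrincipalName, string password)
    {
        var id = new LdapDirectoryIdentifier(domainController, 636);
        using (var conn = new LdapConnection(id))
        {
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Basic;
            try
            {
                conn.Bind(new NetworkCredential(userPrincipalName, password));
                return AdBindOutcome.Success;
            }
            catch (LdapException ex)
            {
                // ErrorCode 49 = invalidCredentials; the sub-code lives in ServerErrorMessage
                return Classify(ex.ServerErrorMessage);
            }
        }
    }

    // Usage: AdCredentialCheck.exe dc01.example.com alice@example.com <password>
    public static int Main(string[] args)
    {
        if (args.Length != 3) { Console.Error.WriteLine("usage: <dc> <upn> <password>"); return 2; }
        var outcome = Check(args[0], args[1], args[2]);
        Console.WriteLine("Bind outcome: " + outcome);
        switch (outcome)
        {
            case AdBindOutcome.Success:
                return 0;
            case AdBindOutcome.PasswordExpired:
            case AdBindOutcome.MustChangePassword:
                Console.WriteLine("Credential is valid; show the change-password dialog now.");
                return 0;
            default:
                Console.WriteLine("Do not authenticate; treat as a failed logon.");
                return 1;
        }
    }
}
```

Because the sub-code is only read from the diagnostic string, keep the regular expression tolerant (hex digits, any case) and treat anything unrecognised as a failure rather than a success; never infer "password was right" from a bare result code 49 without the 532/773 sub-code.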
