C#, Authentication against active directory

I am using PrincipalContext (from the System.DirectoryServices.AccountManagement namespace) for authentication in my application against Active Directory (I am using the ValidateCredentials function).

The authentication works fine. When I reset a user password in Active Directory and force him to change the password at the next login, I can't authenticate the user.

I tried to change the way that I am doing authentication: I used LdapConnection (namespace System.DirectoryServices.Protocols), and authentication worked OK. When I reset the user password and force the user to change the password at the next login, I can't authenticate this user. If I only reset the password and do not force the user to change the password at the next login, I can authenticate the user.

I tested the same scenario with a different active directory and it worked in all scenarios.

Is it possible that Active Directory is preventing me from authenticating through code when the "user must change password at next login" flag is true?

You've answered your own question really. When "User must change password at next logon" is set in Active Directory, the user can only authenticate interactively from the Windows UI in order to set a new password; they cannot be authenticated in the way you require.

If you wanted to get it working, you would need to add functionality to your application to detect when a user must change their password and provide a means to do so prior to authentication. This would require handling of expired passwords as well as instances where changing the password was forced in the way you describe.
