stackoom
  简体   繁体   中英

Validate new AD password according to local security policy?

 原文  2011-02-20 21:40:47       c#/ regex/ security/ sharepoint/ active-directory

Question

I would like to allow the current user to change their password (managed via active directory).

I would like to validate and then set their password in Active Directory (currently using the SetPassword invoke method ).

My problem is validating the password so that it meets the complexity requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created.

I'm already using a CompareValidator with two textboxes so I was thinking about adding a RegularExpressionValidator ( source 1 , source 2 ) but I'm not sure how to get it to work with the whole "three of four categories" thing: 

RegularExpressionValidator revComplex = new RegularExpressionValidator();
revComplex.ControlToValidate = _txtPassword1.ID;
revComplex.ErrorMessage = "Password must have at least 7 characters. Characters should be from at least three of the following four groups: uppercase letter, lowercase letter, digit, or special characters  (for example, !, $, #, %).";
revComplex.ValidationExpression = @"^(?=.{7,})(?=.*[a-z])(?=.*[0-9])(?=.*[A-Z])(?!.*s).*$";

Surely someone has tried to do this before? How should I validate a user's password before sending it to Active Directory according to the local security policy?

2 answers

solution1
 2 ACCPTED  2011-02-20 21:49:08

Imho, you can better use ChangePassword than SetPassword. That way, you require the user to specify his current (old) password. That may be interesting, because you can never be 100% sure that the user who is browsing your site is actually the user who is logged in.

Here's a link with more information: http://www.primaryobjects.com/CMS/Article66.aspx

You do not have to validate the password in advance. Just send it to AD in a try-catch, and if it's not validated, the reason why will be in the exception message.

solution2
 1  2015-03-07 01:20:21

I found a way to diagnose the error in a bit more detail. It does not provided any feedback from AD, but we can perhaps create a mapping of the COM errors to a user friendly message.

This article provides more information about handling the possible COM errors:

http://www.ozkary.com/2015/03/active-directory-setpassword-or.html

I think more detail can be added for these COM errors:

0x800708c5 0x8007202f 0x8007052d 0x8007052f

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Determine AD password policy programmatically Reading local security policy Validate Windows password policy programmatically? How to validate Azure AD security token? Validate a username and password against AD exception How to Change Local Security Policy using .NET ASP.NET Core2 - Policy Based Azure AD security AD LDS ValidateCredentials gives false after enabling Password Policy Generate password for AD user account that meets complexity policy Search for a Local user in a local group that does not have Foreign Security policy
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM