Re: PasswordFilter and ASP.NET

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 06/25/05

    Date: Fri, 24 Jun 2005 22:12:06 -0500
    
    

    Hmm, I'm pretty sure that the password filter mechanism doesn't allow you to
    check password history, but I may be wrong about that. I think the only way
    to do that is to try to change the password and let the DC tell you what the
    problem was.

    I agree that you don't want to do option B as then you become an incredibly
    inviting point of failure for hackers instead of leaving that to the DC and
    letting it be Microsoft's (and the admin's) problem.

    A lot of the password policy you can actually read by querying the DC. For
    example, you can get length requirements, min and max age and can determine
    whether password complexity is enabled and how many passwords are stored in
    history.

    You might consider just doing some syntax validation, checking the policy
    requirements and then trapping the errors from the DC if the password is
    rejected on submission. However, I don't know the requirements of what you
    are trying to build, so I don't know if that would be adequate for you.

    Joe K.

    "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
    news:%239qMSROeFHA.1356@TK2MSFTNGP10.phx.gbl...
    > Yes, we are simply trying to prevalidate. Good point about ASP.NET and
    > the DC not being on the same machine, but the problem remains. We need to
    > prevalidate against the default policy, including that the new password
    > isn't on the list of previously used passwords. So unless there is
    > something I can call to say "Is this acceptable as a new password" I'm
    > going to end up having to a) re-implement the code for validating the
    > password and b) create my own password store to track the old passwords.
    > Both are bad, and b is insane. So there must be a better solution.
    >
    > --
    > Hal Berenson, President
    > PredictableIT, LLC
    > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    > in message news:uSDeAFAeFHA.2880@TK2MSFTNGP10.phx.gbl...
    >> Can you explain what you mean when you say you need to call this from
    >> ASP.NET? The password filter dll is installed on the domain controller
    >> (which hopefully is never running ASP.NET), so this doesn't make much
    >> sense to me as stated.
    >>
    >> Are you simply trying to prevalidate a password before trying to set it
    >> as part of a web application to prevent errors from the DC when you
    >> actually try the write operation?
    >>
    >> If that is the case, I think this would be hard to do with arbitrary
    >> password filters. If they are using the default password policy, you can
    >> actually read the password policy from the domain in question and "know"
    >> how to validate passwords against that.
    >>
    >> Joe K.
    >>
    >> "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
    >> news:OkShw59dFHA.3932@TK2MSFTNGP12.phx.gbl...
    >>> We have an automated management tool that needs to validate passwords
    >>> against the default password filter before creating or updating user
    >>> accounts. I see that the PasswordFilter API in the platform SDK does
    >>> this, but we need to call this API from ASP.NET. Is there a sample
    >>> somewhere that shows how to do this?
    >>>
    >>> Thanks!
    >>>
    >>> --
    >>> Hal Berenson, President
    >>> PredictableIT, LLC
    >>>
    >>
    >>
    >
    >
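
The prevalidation suggested in the reply above, as an added example that is not part of the original thread: it checks a candidate against the minimum length and the default complexity rule, and leaves history to the DC. It assumes the policy values were already read from the domain object's `minPwdLength` and `pwdProperties` attributes; the class and method names are hypothetical and the account data is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical holder for values read from the domain object's minPwdLength
// and pwdProperties attributes (bit 0x1 of pwdProperties = complexity enabled).
public sealed class DomainPolicy
{
    public int MinLength;
    public int PwdProperties;
    public bool ComplexityEnabled { get { return (PwdProperties & 0x1) != 0; } }
}

public static class PasswordPrecheck
{
    static readonly char[] NameDelimiters = { ',', '.', '-', '_', ' ', '#', '\t' };

    static bool ContainsIgnoreCase(string haystack, string needle)
    {
        return haystack.IndexOf(needle, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // Lists the reasons the DC would reject the password under the default policy.
    // An empty list is not a guarantee: password history, minimum age and any
    // custom filter are only evaluated by the DC when the change is submitted.
    public static List<string> Check(DomainPolicy policy, string password,
                                     string samAccountName, string displayName)
    {
        var problems = new List<string>();
        if (password.Length < policy.MinLength)
            problems.Add("shorter than " + policy.MinLength + " characters");
        if (!policy.ComplexityEnabled) return problems;

        bool[] classes = {
            password.Any(char.IsUpper), password.Any(char.IsLower),
            password.Any(c => c >= '0' && c <= '9'),
            password.Any(c => !char.IsLetterOrDigit(c)),
            password.Any(c => char.IsLetter(c) && !char.IsUpper(c) && !char.IsLower(c))
        };
        if (classes.Count(hit => hit) < 3)
            problems.Add("fewer than 3 character classes");
        if (samAccountName.Length >= 3 && ContainsIgnoreCase(password, samAccountName))
            problems.Add("contains the account name");
        foreach (string token in displayName.Split(NameDelimiters))
            if (token.Length >= 3 && ContainsIgnoreCase(password, token))
                problems.Add("contains display-name token '" + token + "'");
        return problems;
    }
}
```

With constructed values `MinLength = 7`, `PwdProperties = 1`, account `jsmith` and display name `Jane Smith`, the candidate `jane2005` is reported for too few character classes and for containing the token `Jane`, while `Tr4il-mix!` returns an empty list and still has to be submitted to the DC for the history check.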

