Re: PasswordFilter and ASP.NET
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 06/26/05
In reply to: Joe Kaplan (MVP - ADSI): "Re: PasswordFilter and ASP.NET"
Date: Sat, 25 Jun 2005 19:33:49 -0400
There is actually an API call for checking if a password would fail policy that
is new but I will be darned if I can find it right now. I was completely shocked
when I read about it. I am not sure if it checks history though, I think it only
checks complexity, etc. If someone wants to write external history checking, it
better be with a one way hashing mechanism, not by storing old passwords.
--
Joe Richards Microsoft MVP
Windows Server Directory Services
www.joeware.net

Joe Kaplan (MVP - ADSI) wrote:
> Hmm, I'm pretty sure that the password filter mechanism doesn't allow you to
> check password history, but I may be wrong about that. I think the only way
> to do that is to try to change the password and let the DC tell you what the
> problem was.
>
> I agree that you don't want to do option B as then you become an incredibly
> inviting point of failure for hackers instead of leaving that to the DC and
> letting it be Microsoft's (and the admin's) problem.
>
> A lot of the password policy you can actually read by querying the DC. For
> example, you can get length requirements, min and max age and can determine
> whether password complexity is enabled and how many passwords are stored in
> history.
>
> You might consider just doing some syntax validation, checking the policy
> requirements and then trapping the errors from the DC if the password is
> rejected on submission. However, I don't know the requirements of what you
> are trying to build, so I don't know if that would be adequate for you.
>
> Joe K.
>
> "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
> news:%239qMSROeFHA.1356@TK2MSFTNGP10.phx.gbl...
>
>>Yes, we are simply trying to prevalidate. Good point about ASP.NET and
>>the DC not being on the same machine, but the problem remains. We need to
>>prevalidate against the default policy, including that the new password
>>isn't on the list of previously used passwords. So unless there is
>>something I can call to say "Is this acceptable as a new password" I'm
>>going to end up having to a) re-implement the code for validating the
>>password and b) creating my own password store to track the old passwords.
>>Both are bad, and b is insane. So there must be a better solution.
>>
>>--
>>Hal Berenson, President
>>PredictableIT, LLC
>>"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
>>in message news:uSDeAFAeFHA.2880@TK2MSFTNGP10.phx.gbl...
>>
>>>Can you explain what you mean when you say you need to call this from
>>>ASP.NET? The password filter dll is installed on the domain controller
>>>(which hopefully is never running ASP.NET), so this doesn't make much
>>>sense to me as stated.
>>>
>>>Are you simply trying to prevalidate a password before trying to set it
>>>as part of a web application to prevent errors from the DC when you
>>>actually try the write operation?
>>>
>>>If that is the case, I think this would be hard to do with arbitrary
>>>password filters. If they are using the default password policy, you can
>>>actually read the password policy from the domain in question and "know"
>>>how to validate passwords against that.
>>>
>>>Joe K.
>>>
>>>"Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>>>news:OkShw59dFHA.3932@TK2MSFTNGP12.phx.gbl...
>>>
>>>>We have an automated management tool that needs to validate passwords
>>>>against the default password filter before creating or updating user
>>>>accounts. I see that the PasswordFilter API in the platform SDK does
>>>>this, but we need to call this API from ASP.NET. Is there a sample
>>>>somewhere that shows how to do this?
>>>>
>>>>Thanks!
>>>>
>>>>--
>>>>Hal Berenson, President
>>>>PredictableIT, LLC
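
The point made in this message about external history checking, sketched as an added example (not code from the thread or from any poster): previous passwords are kept only as salted, deliberately slow one-way hashes, and a candidate is re-derived against each stored salt. Python is used for brevity; the class name, iteration count and history length are assumptions, and the sample passwords in any usage are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: PBKDF2-HMAC-SHA256 work factor, tune to your hardware
HISTORY_LENGTH = 3     # assumption: mirrors the domain's "passwords remembered" setting


class PasswordHistory:
    """Remembers the last N passwords as (salt, hash) pairs, never as plaintext."""

    def __init__(self, history_length=HISTORY_LENGTH, iterations=ITERATIONS):
        self.history_length = history_length
        self.iterations = iterations
        self.entries = []  # newest last

    def _derive(self, password, salt):
        # One-way: the stored digest cannot be turned back into the password.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.iterations
        )

    def was_used(self, candidate):
        # Every entry has its own random salt, so the candidate must be
        # re-derived per entry. All entries are checked (no early exit) and
        # each comparison is constant-time.
        hit = False
        for salt, digest in self.entries:
            if hmac.compare_digest(self._derive(candidate, salt), digest):
                hit = True
        return hit

    def remember(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, self._derive(password, salt)))
        # Keep only the newest history_length entries (zero keeps none).
        keep_from = max(0, len(self.entries) - self.history_length)
        self.entries = self.entries[keep_from:]
```

Such a store still has to be protected like any credential database, and the DC's own answer on submission remains authoritative.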