Re: PasswordFilter and ASP.NET
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 06/26/05
- Next message: Hal Berenson: "Re: PasswordFilter and ASP.NET"
- Previous message: lelteto: "RE: What about beginners?"
- In reply to: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- Next in thread: Hal Berenson: "Re: PasswordFilter and ASP.NET"
- Reply: Hal Berenson: "Re: PasswordFilter and ASP.NET"
- Reply: Joe Kaplan (MVP - ADSI): "Re: PasswordFilter and ASP.NET"
Date: Sun, 26 Jun 2005 13:58:14 -0400
I finally remembered the API call....
It is NetValidatePasswordPolicy. It is new with Windows Server 2003.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Joe Richards [MVP] wrote:
> There is actually an API call for checking if a password would fail
> policy that is new but I will be darned if I can find it right now. I
> was completely shocked when I read about it. I am not sure if it checks
> history though, I think it only checks complexity, etc. If someone wants
> to write external history checking, it better be with a one way hashing
> mechanism, not by storing old passwords.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
> Joe Kaplan (MVP - ADSI) wrote:
>
>> Hmm, I'm pretty sure that the password filter mechanism doesn't allow
>> you to check password history, but I may be wrong about that. I think
>> the only way to do that is to try to change the password and let the
>> DC tell you what the problem was.
>>
>> I agree that you don't want to do option B as then you become an
>> incredibly inviting point of failure for hackers instead of leaving
>> that to the DC and letting it be Microsoft's (and the admin's) problem.
>>
>> A lot of the password policy you can actually read by querying the
>> DC. For example, you can get length requirements, min and max age and
>> can determine whether password complexity is enabled and how many
>> passwords are stored in history.
>>
>> You might consider just doing some syntax validation, checking the
>> policy requirements and then trapping the errors from the DC if the
>> password is rejected on submission. However, I don't know the
>> requirements of what you are trying to build, so I don't know if that
>> would be adequate for you.
>>
>> Joe K.
>>
>> "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>> news:%239qMSROeFHA.1356@TK2MSFTNGP10.phx.gbl...
>>
>>> Yes, we are simply trying to prevalidate. Good point about ASP.NET
>>> and the DC not being on the same machine, but the problem remains.
>>> We need to prevalidate against the default policy, including that the
>>> new password isn't on the list of previously used passwords. So
>>> unless there is something I can call to say "Is this acceptable as a
>>> new password" I'm going to end up having to a) re-implement the code
>>> for validating the password and b) create my own password store to
>>> track the old passwords. Both are bad, and b is insane. So there
>>> must be a better solution.
>>>
>>> --
>>> Hal Berenson, President
>>> PredictableIT, LLC
>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>>> wrote in message news:uSDeAFAeFHA.2880@TK2MSFTNGP10.phx.gbl...
>>>
>>>> Can you explain what you mean when you say you need to call this
>>>> from ASP.NET? The password filter dll is installed on the domain
>>>> controller (which hopefully is never running ASP.NET), so this
>>>> doesn't make much sense to me as stated.
>>>>
>>>> Are you simply trying to prevalidate a password before trying to set
>>>> it as part of a web application to prevent errors from the DC when
>>>> you actually try the write operation?
>>>>
>>>> If that is the case, I think this would be hard to do with arbitrary
>>>> password filters. If they are using the default password policy,
>>>> you can actually read the password policy from the domain in
>>>> question and "know" how to validate passwords against that.
>>>>
>>>> Joe K.
>>>>
>>>> "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>>>> news:OkShw59dFHA.3932@TK2MSFTNGP12.phx.gbl...
>>>>
>>>>> We have an automated management tool that needs to validate
>>>>> passwords against the default password filter before creating or
>>>>> updating user accounts. I see that the PasswordFilter API in the
>>>>> platform SDK does this, but we need to call this API from ASP.NET.
>>>>> Is there a sample somewhere that shows how to do this?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> --
>>>>> Hal Berenson, President
>>>>> PredictableIT, LLC
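
An added example, not part of the thread: the one-way approach to external history checking that Joe Richards describes above, assuming salted PBKDF2-HMAC-SHA256 as the hash. The class and function names, the salt size and the iteration count are hypothetical choices made for this illustration of an application-side store.

```python
import hashlib
import hmac
import os
from collections import deque

ITERATIONS = 600_000  # assumed work factor; tune for your hardware
SALT_BYTES = 16       # assumed salt size


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way, salted, deliberately slow derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordHistory:
    """Keeps the last `depth` password verifiers for one account, never plaintext."""

    def __init__(self, depth: int, iterations: int = ITERATIONS):
        self.iterations = iterations
        self.entries = deque(maxlen=depth)  # oldest entry drops off automatically

    def record(self, password: str) -> None:
        # Fresh random salt per entry, so equal passwords never produce equal digests.
        salt = os.urandom(SALT_BYTES)
        digest = _derive(password, salt, self.iterations)
        self.entries.append((salt, self.iterations, digest))

    def is_reused(self, candidate: str) -> bool:
        reused = False
        for salt, iterations, digest in self.entries:
            # Re-derive with each entry's own salt and cost; compare in constant time.
            if hmac.compare_digest(_derive(candidate, salt, iterations), digest):
                reused = True  # keep looping so timing does not show which entry matched
        return reused

    def try_change(self, new_password: str) -> bool:
        """Reject a password that is still in history; otherwise record it."""
        if self.is_reused(new_password):
            return False
        self.record(new_password)
        return True
```

Because every entry has its own salt, a candidate has to be re-derived once per stored entry, so the cost of a check grows with the history depth.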