Re: PasswordFilter and ASP.NET
From: Hal Berenson (hberenson_at_predictableit.com)
Date: 06/26/05
- Previous message: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- In reply to: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- Next in thread: Joe Kaplan (MVP - ADSI): "Re: PasswordFilter and ASP.NET"
Date: Sun, 26 Jun 2005 12:37:36 -0600
Thanks!!

--
Hal Berenson, President
PredictableIT, LLC

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:OLBtgineFHA.2844@TK2MSFTNGP14.phx.gbl...
> I finally remembered the API call....
>
> It is NetValidatePasswordPolicy. It is new with Windows Server 2003.
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
> Joe Richards [MVP] wrote:
>> There is actually an API call for checking if a password would fail
>> policy that is new but I will be darned if I can find it right now. I was
>> completely shocked when I read about it. I am not sure if it checks
>> history though, I think it only checks complexity, etc. If someone wants
>> to write external history checking, it better be with a one way hashing
>> mechanism, not by storing old passwords.
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>> Joe Kaplan (MVP - ADSI) wrote:
>>
>>> Hmm, I'm pretty sure that the password filter mechanism doesn't allow
>>> you to check password history, but I may be wrong about that. I think
>>> the only way to do that is to try to change the password and let the DC
>>> tell you what the problem was.
>>>
>>> I agree that you don't want to do option B as then you become an incredibly
>>> inviting point of failure for hackers instead of leaving that to the DC
>>> and letting it be Microsoft's (and the admin's) problem.
>>>
>>> A lot of the password policy you can actually read by querying the DC.
>>> For example, you can get length requirements, min and max age and can
>>> determine whether password complexity is enabled and how many passwords
>>> are stored in history.
>>>
>>> You might consider just doing some syntax validation, checking the
>>> policy requirements and then trapping the errors from the DC if the
>>> password is rejected on submission. However, I don't know the
>>> requirements of what you are trying to build, so I don't know if that
>>> would be adequate for you.
>>>
>>> Joe K.
>>>
>>> "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>>> news:%239qMSROeFHA.1356@TK2MSFTNGP10.phx.gbl...
>>>
>>>> Yes, we are simply trying to prevalidate. Good point about ASP.NET and
>>>> the DC not being on the same machine, but the problem remains. We need
>>>> to prevalidate against the default policy, including that the new
>>>> password isn't on the list of previously used passwords. So unless
>>>> there is something I can call to say "Is this acceptable as a new
>>>> password" I'm going to end up having to a) re-implement the code for
>>>> validating the password and b) creating my own password store to track
>>>> the old passwords. Both are bad, and b is insane. So there must be a
>>>> better solution.
>>>>
>>>> --
>>>> Hal Berenson, President
>>>> PredictableIT, LLC
>>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>>>> wrote in message news:uSDeAFAeFHA.2880@TK2MSFTNGP10.phx.gbl...
>>>>
>>>>> Can you explain what you mean when you say you need to call this from
>>>>> ASP.NET? The password filter dll is installed on the domain
>>>>> controller (which hopefully is never running ASP.NET), so this doesn't
>>>>> make much sense to me as stated.
>>>>>
>>>>> Are you simply trying to prevalidate a password before trying to set
>>>>> it as part of a web application to prevent errors from the DC when
>>>>> you actually try the write operation?
>>>>>
>>>>> If that is the case, I think this would be hard to do with arbitrary
>>>>> password filters. If they are using the default password policy, you
>>>>> can actually read the password policy from the domain in question and
>>>>> "know" how to validate passwords against that.
>>>>>
>>>>> Joe K.
>>>>>
>>>>> "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>>>>> news:OkShw59dFHA.3932@TK2MSFTNGP12.phx.gbl...
>>>>>
>>>>>> We have an automated management tool that needs to validate passwords
>>>>>> against the default password filter before creating or updating user
>>>>>> accounts. I see that the PasswordFilter API in the platform SDK does
>>>>>> this, but we need to call this API from ASP.NET. Is there a sample
>>>>>> somewhere that shows how to do this?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> --
>>>>>> Hal Berenson, President
>>>>>> PredictableIT, LLC
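
Added example, not part of the original thread or any poster's code: a minimal sketch of the external history check mentioned in the quoted text, keeping only salted one-way hashes of earlier passwords rather than the passwords themselves. The class and function names, the PBKDF2 work factor and the history length are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example
HISTORY_LENGTH = 5           # assumed; stands in for the policy's history count


def _derive(password, salt):
    # One-way derivation: the stored digest cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Holds (salt, digest) pairs for the last N passwords of one account."""

    def __init__(self, length=HISTORY_LENGTH):
        self.length = length
        self.entries = []

    def was_used(self, candidate):
        # Every entry has its own salt, so the candidate is re-derived per entry.
        # All entries are checked so timing does not reveal which one matched.
        found = False
        for salt, digest in self.entries:
            if hmac.compare_digest(_derive(candidate, salt), digest):
                found = True
        return found

    def remember(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _derive(password, salt)))
        # Drop the oldest entries once the history is longer than the policy allows.
        excess = len(self.entries) - self.length
        if excess > 0:
            del self.entries[:excess]


def change_password(history, new_password):
    """Reject a reused password; otherwise record it. Returns True on success."""
    if history.was_used(new_password):
        return False
    history.remember(new_password)
    return True
```
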