Re: PasswordFilter and ASP.NET
From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 06/26/05
- Next message: Nick: "RE: Smart card certificate store"
- Previous message: Hal Berenson: "Re: PasswordFilter and ASP.NET"
- In reply to: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- Next in thread: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- Reply: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 26 Jun 2005 15:03:23 -0500
Wow, that is a cool function. I'm glad to see it too.
It looks like it requires 2003 to invoke it locally, but do you know if it
requires 2003 DCs or if it works on 2K DCs? The docs aren't clear on that
point.
Joe K.
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:OLBtgineFHA.2844@TK2MSFTNGP14.phx.gbl...
>I finally remembered the API call....
>
> It is NetValidatePasswordPolicy. It is new with Windows Server 2003.
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp
>
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Joe Richards [MVP] wrote:
>> There is actually an API call for checking if a password would fail
>> policy that is new but I will be darned if I can find it right now. I was
>> completely shocked when I read about it. I am not sure if it checks
>> history though, I think it only checks complexity, etc. If someone wants
>> to write external history checking, it better be with a one way hashing
>> mechanism, not by storing old passwords.
>>
>>
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
>> Joe Kaplan (MVP - ADSI) wrote:
>>
>>> Hmm, I'm pretty sure that the password filter mechanism doesn't allow
>>> you to check password history, but I may be wrong about that. I think
>>> the only way to do that is to try to change the password and let the DC
>>> tell you what the problem was.
>>>
>>> I agree that you don't want do option B as then you become an incredibly
>>> inviting point of failure for hackers instead of leaving that to the DC
>>> and letting it be Microsoft's (and the admin's) problem.
>>>
>>> A lot of the password policy you can actually read by querying the DC.
>>> For example, you can get length requirements, min and max age and can
>>> determine whether password complexity is enabled and how many passwords
>>> are stored in history.
>>>
>>> You might consider just doing some syntax validation, checking the
>>> policy requirements and then trapping the errors from the DC if the
>>> password is rejected on submission. However, I don't know the
>>> requirements of what you are trying to build, so I don't know if that
>>> would be adequate for you.
>>>
>>> Joe K.
>>>
>>> "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>>> news:%239qMSROeFHA.1356@TK2MSFTNGP10.phx.gbl...
>>>
>>>> Yes, we are simply trying to prevalidate. Good point about ASP.NET and
>>>> the DC not being on the same machine, but the problem remains. We need
>>>> to prevalidate against the default policy, including that the new
>>>> password isn't on the list of previously used passwords. So unless
>>>> there is something I can call to say "Is this acceptable as a new
>>>> password" I'm going to end up having to a) re-implement the code for
>>>> validating the password and b) creating my own password store to track
>>>> the old passwords. Both are bad, and b is insane. So there must be a
>>>> better solution.
>>>>
>>>> --
>>>> Hal Berenson, President
>>>> PredictableIT, LLC
>>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>>>> wrote in message news:uSDeAFAeFHA.2880@TK2MSFTNGP10.phx.gbl...
>>>>
>>>>> Can you explain what you mean when you say you need to call this from
>>>>> ASP.NET? The password filter dll is installed on the domain
>>>>> controller (which hopefully is never running ASP.NET), so this doesn't
>>>>> make much sense to me as stated.
>>>>>
>>>>> Are you simply trying to prevalidate a password before trying to set
>>>>> it as part of a web application to prevent errrors from the DC when
>>>>> you actually try the write operation?
>>>>>
>>>>> If that is the case, I think this would be hard to do with arbitrary
>>>>> password filters. If they are using the default password policy, you
>>>>> can actually read the password policy from the domain in question and
>>>>> "know" how to validate passwords against that.
>>>>>
>>>>> Joe K.
>>>>>
>>>>> "Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>>>>> news:OkShw59dFHA.3932@TK2MSFTNGP12.phx.gbl...
>>>>>
>>>>>> We have an automated management tool that needs to validate passwords
>>>>>> against the default password filter before creating or updating user
>>>>>> accounts. I see that the PasswordFilter API in the platform SDK does
>>>>>> this, but we need to call this API from ASP.NET. Is there a sample
>>>>>> somewhere that shows how to do this?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> --
>>>>>> Hal Berenson, President
>>>>>> PredictableIT, LLC
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
- Next message: Nick: "RE: Smart card certificate store"
- Previous message: Hal Berenson: "Re: PasswordFilter and ASP.NET"
- In reply to: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- Next in thread: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- Reply: Joe Richards [MVP]: "Re: PasswordFilter and ASP.NET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
