Re: PasswordFilter and ASP.NET
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 06/27/05
Date: Mon, 27 Jun 2005 09:29:39 -0400
No clue, I haven't played with it. I bookmarked (somewhat poorly it would seem)
it in my head and moved on to what I was really looking for. I expect it will
require a K3 server holding the policy as well since that server will need to
invoke the proper functions to test complexity. It isn't as simple as just
looking at the set policy.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Joe Kaplan (MVP - ADSI) wrote:
> Wow, that is a cool function. I'm glad to see it too.
>
> It looks like it requires 2003 to invoke it locally, but do you know if it
> requires 2003 DCs or if it works on 2K DCs? The docs aren't clear on that
> point.
>
> Joe K.
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:OLBtgineFHA.2844@TK2MSFTNGP14.phx.gbl...
>
>>I finally remembered the API call....
>>
>>It is NetValidatePasswordPolicy. It is new with Windows Server 2003.
>>
>>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>Joe Richards [MVP] wrote:
>>
>>>There is actually an API call for checking if a password would fail
>>>policy that is new but I will be darned if I can find it right now. I was
>>>completely shocked when I read about it. I am not sure if it checks
>>>history though, I think it only checks complexity, etc. If someone wants
>>>to write external history checking, it better be with a one way hashing
>>>mechanism, not by storing old passwords.
>>>
>>>--
>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>www.joeware.net
>>>
>>>Joe Kaplan (MVP - ADSI) wrote:
>>>
>>>>Hmm, I'm pretty sure that the password filter mechanism doesn't allow
>>>>you to check password history, but I may be wrong about that. I think
>>>>the only way to do that is to try to change the password and let the DC
>>>>tell you what the problem was.
>>>>
>>>>I agree that you don't want to do option B as then you become an incredibly
>>>>inviting point of failure for hackers instead of leaving that to the DC
>>>>and letting it be Microsoft's (and the admin's) problem.
>>>>
>>>>A lot of the password policy you can actually read by querying the DC.
>>>>For example, you can get length requirements, min and max age and can
>>>>determine whether password complexity is enabled and how many passwords
>>>>are stored in history.
>>>>
>>>>You might consider just doing some syntax validation, checking the
>>>>policy requirements and then trapping the errors from the DC if the
>>>>password is rejected on submission. However, I don't know the
>>>>requirements of what you are trying to build, so I don't know if that
>>>>would be adequate for you.
>>>>
>>>>Joe K.
>>>>
>>>>"Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>>>>news:%239qMSROeFHA.1356@TK2MSFTNGP10.phx.gbl...
>>>>
>>>>>Yes, we are simply trying to prevalidate. Good point about ASP.NET and
>>>>>the DC not being on the same machine, but the problem remains. We need
>>>>>to prevalidate against the default policy, including that the new
>>>>>password isn't on the list of previously used passwords. So unless
>>>>>there is something I can call to say "Is this acceptable as a new
>>>>>password" I'm going to end up having to a) re-implement the code for
>>>>>validating the password and b) creating my own password store to track
>>>>>the old passwords. Both are bad, and b is insane. So there must be a
>>>>>better solution.
>>>>>
>>>>>--
>>>>>Hal Berenson, President
>>>>>PredictableIT, LLC
>>>>>"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>>>>>wrote in message news:uSDeAFAeFHA.2880@TK2MSFTNGP10.phx.gbl...
>>>>>
>>>>>>Can you explain what you mean when you say you need to call this from
>>>>>>ASP.NET? The password filter dll is installed on the domain
>>>>>>controller (which hopefully is never running ASP.NET), so this doesn't
>>>>>>make much sense to me as stated.
>>>>>>
>>>>>>Are you simply trying to prevalidate a password before trying to set
>>>>>>it as part of a web application to prevent errors from the DC when
>>>>>>you actually try the write operation?
>>>>>>
>>>>>>If that is the case, I think this would be hard to do with arbitrary
>>>>>>password filters. If they are using the default password policy, you
>>>>>>can actually read the password policy from the domain in question and
>>>>>>"know" how to validate passwords against that.
>>>>>>
>>>>>>Joe K.
>>>>>>
>>>>>>"Hal Berenson" <hberenson@scalabilityexperts.com> wrote in message
>>>>>>news:OkShw59dFHA.3932@TK2MSFTNGP12.phx.gbl...
>>>>>>
>>>>>>>We have an automated management tool that needs to validate passwords
>>>>>>>against the default password filter before creating or updating user
>>>>>>>accounts. I see that the PasswordFilter API in the platform SDK does
>>>>>>>this, but we need to call this API from ASP.NET. Is there a sample
>>>>>>>somewhere that shows how to do this?
>>>>>>>
>>>>>>>Thanks!
>>>>>>>
>>>>>>>--
>>>>>>>Hal Berenson, President
>>>>>>>PredictableIT, LLC
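
Added example, not part of the original thread or written by any of its participants: a C# sketch of the external history check mentioned in the quoted text, keeping only salted one-way digests of earlier passwords rather than the passwords themselves. The names PasswordHistory, WasUsedBefore and Remember, the in-memory queue and the iteration count are assumptions made for illustration, and the code assumes a .NET runtime that provides RandomNumberGenerator.Fill and CryptographicOperations.FixedTimeEquals.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper: remembers salted PBKDF2 digests of prior passwords,
// never the passwords themselves.
public sealed class PasswordHistory
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 600000; // assumed work factor, tune per host
    private readonly int _depth;           // number of prior passwords remembered
    private readonly Queue<(byte[] Salt, byte[] Hash)> _entries =
        new Queue<(byte[] Salt, byte[] Hash)>();

    public PasswordHistory(int depth) { _depth = depth; }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(
            password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // True if the candidate matches any remembered password. Every entry has
    // its own salt, so the candidate is re-derived once per entry.
    public bool WasUsedBefore(string candidate)
    {
        bool seen = false;
        foreach (var (salt, hash) in _entries)
        {
            seen |= CryptographicOperations.FixedTimeEquals(
                Derive(candidate, salt), hash);
        }
        return seen;
    }

    // Records a newly accepted password and drops the oldest beyond the depth.
    public void Remember(string password)
    {
        var salt = new byte[SaltBytes];
        RandomNumberGenerator.Fill(salt);
        _entries.Enqueue((salt, Derive(password, salt)));
        while (_entries.Count > _depth) _entries.Dequeue();
    }
}
```

In a real tool the salt and digest pairs would be persisted per account; a check against a history of N entries costs N key derivations, which is the price of per-entry salts.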