Active Directory Issue / VB.NET bug

  • Question

  • I have a vb.net program that sets a user's password in AD. It also checks / authenticates that user / password with some other code. The problem is I can use either password and both return valid. After about 5 minutes, the old password then starts returning invalid. The user account on the AD only accepts the new password when I try an actual Windows login; the old is rejected instantly. Looks like VB.NET / Framework or something is caching something when it shouldn't. These computers ARE NOT joined to the domain itself, I'm simply checking a domain account. I can reproduce it across any computer, and I END the program each time I try the test.

    Code snippet that sets the password

    ' result is a SearchResult for the target user (from a DirectorySearcher)
    Dim userEntry As DirectoryEntry = result.GetDirectoryEntry()
    If userEntry IsNot Nothing Then
        ' ADSI IADsUser::ChangePassword: needs the current password, runs as the bound user
        userEntry.Invoke("ChangePassword", New Object() {currentPassword, newPassword})
        userEntry.CommitChanges()
        userEntry.Close()
        userEntry.Dispose()
    End If

    Code to authenticate the password. It will throw an exception at de.RefreshCache if the user / password combo is invalid.

    ' Bind as the user being tested; RefreshCache forces a round trip to the server,
    ' so bad credentials surface there as an exception
    Dim de As New DirectoryServices.DirectoryEntry("LDAP://testdomain.local", username, password,
        DirectoryServices.AuthenticationTypes.Secure Or
        DirectoryServices.AuthenticationTypes.Sealing Or
        DirectoryServices.AuthenticationTypes.Signing)
    de.RefreshCache()
    de.Close()
    de.Dispose()

    This works fine but I can use both passwords (old and changed) for about 5 minutes and then the old becomes invalid. I need the old one to fail immediately.

    What's going on?

    Thanks for your time.

    Friday, September 27, 2019 3:45 PM

All replies

  • Hi,

    After reviewing the data, I find that the old password has a lifetime of 5 minutes under Server 2008 AD, and the old password has a lifetime of 60 minutes under Server 2003 AD.

    These 5 minutes are there to prevent the AD synchronization delay problem: the situation where the number of DCs is relatively large and the password has not yet been successfully updated in the site where the user logs in.

    In this way, the old password is still available even if the new password has not yet taken effect. In some cases where the network is not efficient, it takes a certain amount of time for the password to be synchronized. In view of this consideration, the old password has the concept of a time to live.

    As for how to modify it, you can check the official documentation to change the lifetime.

    Hope it will be helpful.

    Best Regards,

    Julie


    MSDN Community Support

    Wednesday, October 2, 2019 6:12 AM
    Moderator
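An added example, not code from the original thread, showing how to inspect and change the grace period the answer describes and how to reproduce the questioner's observation from PowerShell. The setting is the OldPasswordAllowedPeriod DWORD (in minutes) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on each domain controller, documented in Microsoft KB906305; it governs NTLM network logons, which is the path a DirectoryEntry bind from a non-domain-joined machine will typically negotiate down to, while a Kerberos logon (an interactive Windows logon on a domain member) does not honor the window, which matches what the question reports. The DC names, LDAP path and account in the usage section are placeholders.

```powershell
# Added example; not from the original thread. Placeholders: DC names, LDAP
# path and account in the usage section. Registry value and its meaning are
# from Microsoft KB906305 (OldPasswordAllowedPeriod, DWORD, minutes).

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'OldPasswordAllowedPeriod'
$Auth      = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
             [System.DirectoryServices.AuthenticationTypes]::Signing

# Read the grace period from one or more DCs. Minutes = $null means the
# value is absent and the OS default applies (60 on 2003 SP1, 5 on 2008+).
function Get-OldPasswordAllowedPeriod {
    param([Parameter(Mandatory)][string[]]$DomainController)
    Invoke-Command -ComputerName $DomainController -ArgumentList $LsaKey, $ValueName -ScriptBlock {
        param($key, $name)
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            Minutes          = if ($null -eq $item) { $null } else { [int]$item.$name }
        }
    }
}

# Set the grace period on every DC (it is a per-DC LSA setting). 0 makes
# NTLM network logons refuse the old password as soon as it is changed.
function Set-OldPasswordAllowedPeriod {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [Parameter(Mandatory)][ValidateRange(0, 1440)][int]$Minutes
    )
    Invoke-Command -ComputerName $DomainController -ArgumentList $LsaKey, $ValueName, $Minutes -ScriptBlock {
        param($key, $name, $minutes)
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $minutes -Force | Out-Null
    }
}

# Same check as the question's VB.NET code: bind with the supplied
# credentials and force a server round trip; an exception means bad creds.
function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$LdapPath,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password
    )
    $de = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $UserName, $Password, $Auth)
    try     { $de.RefreshCache(); return $true }
    catch   { return $false }
    finally { $de.Dispose() }
}

# Same change the question performs: bind as the user with the old password,
# locate the account and call IADsUser::ChangePassword through ADSI.
function Invoke-AdPasswordChange {
    param($LdapPath, $UserName, $SamAccountName, $OldPassword, $NewPassword)
    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $UserName, $OldPassword, $Auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "account $SamAccountName not found" }
    $userEntry = $result.GetDirectoryEntry()
    try     { $userEntry.Invoke('ChangePassword', $OldPassword, $NewPassword); $userEntry.CommitChanges() }
    finally { $userEntry.Dispose(); $root.Dispose() }
}

# --- usage (placeholders) ---
$dcs  = 'dc1.testdomain.local', 'dc2.testdomain.local'
Get-OldPasswordAllowedPeriod -DomainController $dcs | Format-Table

$path = 'LDAP://testdomain.local'
$user = 'TESTDOMAIN\someuser'
$sam  = 'someuser'
# Read both passwords as SecureString, then unwrap only for the ADSI calls.
$old = [System.Net.NetworkCredential]::new('', (Read-Host -Prompt 'Old password' -AsSecureString)).Password
$new = [System.Net.NetworkCredential]::new('', (Read-Host -Prompt 'New password' -AsSecureString)).Password

Invoke-AdPasswordChange $path $user $sam $old $new

# Poll for 7 minutes: with the default 5-minute window the old password
# keeps binding for the first samples and then starts failing.
1..7 | ForEach-Object {
    '{0:HH:mm:ss} old={1} new={2}' -f (Get-Date),
        (Test-LdapBind $path $user $old), (Test-LdapBind $path $user $new)
    Start-Sleep -Seconds 60
}

# To close the window on every DC once the behaviour is confirmed:
# Set-OldPasswordAllowedPeriod -DomainController $dcs -Minutes 0
```

The practical consequence for incident response: after a password reset or change, the previous password remains usable for NTLM network authentication for the configured period, so a rotated credential is not fully revoked until that window has elapsed unless OldPasswordAllowedPeriod is 0 on the DCs. The trade-off is the replication-lag tolerance the answer describes, so measure the window on your own DCs before deciding.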