ADAM/AD LDS DirectoryEntry.Bind and ADsGetLastError on Windows 2003

  • Question

  • User1579121319 posted

    Hi,

    We currently have a requirement to authenticate ADAM users against an ADAM instance and we have come across an issue when authenticating ADAM user accounts whose passwords are either [Expired] or have the [Password must be changed on next logon] flag set. The issue has only manifested itself on Windows Server 2003 environments.

    Setup: Windows Server 2003 (Enterprise) with an ADAM instance containing an ADAM user (e.g. user1)

    The following is a code snippet which binds to the ADAM instance to validate the user’s credentials:

    using (DirectoryEntry en = new DirectoryEntry("LDAP://localhost:389/CN=TestPartition,DC=TestDomain", "user1", "password", AuthenticationTypes.None))
    {
        en.RefreshCache(); // Attempt to bind
        Console.WriteLine("Success");
    }

    Attempting the above code when User1 has an [Expired] password or has the [Password must be changed on next logon] flag will throw an exception. On Windows Server 2008+, Windows 7, Windows 8 environments, the exception thrown will be a DirectoryServicesCOMException containing an ExtendedErrorMessage property (http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryservicescomexception.extendederrormessage%28v=vs.110%29.aspx). This property can be parsed to determine an error code which explains why the bind failed (http://social.technet.microsoft.com/Forums/windowsserver/en-US/474abb8f-cfc6-4cac-af79-c3e80e80291f/ldap-authentication-error-ldap-error-code-49-80090308-ldaperr-dsid0c090334-comment?forum=winserverDS). If the bind failed with error code 532 (password expired) or 773 (user must reset password) we know that the credentials are correct but the user must change his/her password; in which case we would show the necessary prompts.

    However, on a Windows Server 2003 environment the exception thrown in such circumstances will be the generic COMException (0x8007052E) Logon failure: unknown user name or bad password, which is the same exception thrown when the password is incorrect. The COMException does not contain information on why the bind failed and as a result I am unable to determine whether the credentials are correct or otherwise, for any ADAM user whose password is expired or must be reset. We have tried this on multiple versions of Windows Server 2003 SP2 and all produce the same issue.

    In a bit more detail, we are aware that DirectoryEntry.Refresh() uses DirectoryEntry.Bind() which in turn uses the ADsGetLastError() Win32 function to retrieve the error. We can confirm that on a Windows Server 2003 this function returns successfully (HResult = 0) but with no AD error code (lpError = 0) which is why the DirectoryEntry.Bind() throws a COMException rather than a DirectoryServicesCOMException.

    Is there any particular reason why this is happening? Is there any way we can validate an ADAM user’s credentials whose password is expired or must be reset?

    Thanks.

    Thursday, August 14, 2014 8:48 AM
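The two code paths described in the question, written out as an added example that is not code from the original post: the bind is attempted, a DirectoryServicesCOMException has its ExtendedErrorMessage parsed for the "data NNN" code (532 and 773 as in the question, plus the other standard AcceptSecurityContext codes), and a bare COMException with 0x8007052E, which is all Windows Server 2003 returns, is reported as undetermined because the expired/must-change cases cannot be told apart from a bad password there. It assumes .NET Framework with a reference to System.DirectoryServices; the LDAP path, user name and password for the live check are placeholders, and the sample messages are constructed in the server's format so the classifier runs offline.

```csharp
// Added example, not code from the original post. Classifies the outcome of an ADAM bind by the
// "data NNN" code that DirectoryServicesCOMException.ExtendedErrorMessage carries on Windows
// Server 2008+, and reports Undetermined when only the bare COMException (0x8007052E) comes back.
// Assumes .NET Framework with a reference to System.DirectoryServices; the LDAP path, user
// name and password used for the live check are placeholders.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;

public enum BindOutcome
{
    Success,
    BadCredentials,     // data 52e: unknown user or wrong password
    PasswordExpired,    // data 532: password correct, but expired
    MustChangePassword, // data 773: password correct, but reset on next logon is set
    AccountLockedOut,   // data 775
    AccountDisabled,    // data 533
    OtherLdapError,     // a data code this example does not map
    Undetermined        // no data code available (what Windows Server 2003 returns)
}

public static class AdamBind
{
    // The AcceptSecurityContext comment ends with ", data 532, vece"; capture the hex code.
    static readonly Regex DataCode = new Regex(@"\bdata\s+([0-9a-fA-F]+)\b", RegexOptions.Compiled);

    public static BindOutcome ClassifyExtendedError(string extendedErrorMessage)
    {
        if (string.IsNullOrEmpty(extendedErrorMessage))
            return BindOutcome.Undetermined;

        Match m = DataCode.Match(extendedErrorMessage);
        if (!m.Success)
            return BindOutcome.Undetermined;

        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "52e": return BindOutcome.BadCredentials;
            case "532": return BindOutcome.PasswordExpired;
            case "773": return BindOutcome.MustChangePassword;
            case "775": return BindOutcome.AccountLockedOut;
            case "533": return BindOutcome.AccountDisabled;
            default:    return BindOutcome.OtherLdapError;
        }
    }

    public static BindOutcome TryBind(string path, string userName, string password)
    {
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(path, userName, password, AuthenticationTypes.None))
            {
                entry.RefreshCache(); // forces the bind, as in the question's snippet
                return BindOutcome.Success;
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // Must be caught before COMException: DirectoryServicesCOMException derives from it.
            return ClassifyExtendedError(ex.ExtendedErrorMessage);
        }
        catch (COMException ex)
        {
            if (ex.ErrorCode == unchecked((int)0x8007052E))
                return BindOutcome.Undetermined; // expired/must-change and bad password look identical here
            throw;
        }
    }

    static void Main(string[] args)
    {
        // Constructed sample messages in the server's format, so the classifier runs offline.
        string[] samples =
        {
            "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 532, vece",
            "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece",
            "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece",
            "" // the Windows Server 2003 case: no extended message at all
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-18} <- \"{1}\"", ClassifyExtendedError(s), s);

        // Live bind only when path, user name and password are passed on the command line,
        // e.g. "LDAP://localhost:389/CN=TestPartition,DC=TestDomain" user1 password
        if (args.Length == 3)
            Console.WriteLine(TryBind(args[0], args[1], args[2]));
    }
}
```

The catch order matters: DirectoryServicesCOMException is a subclass of COMException, so the generic handler would swallow the extended message if it came first. AuthenticationTypes.None is kept to match the question, but it is a simple bind that sends the password in clear over port 389; in practice the same code should run over the instance's SSL port with AuthenticationTypes.SecureSocketsLayer added.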

All replies

  • User-166373564 posted

    Hi ZLeonC,

    Welcome to asp.net forum.

    Is there any way we can validate an ADAM user’s credentials whose password is expired or must be reset?

    According to your description above, it seems that this issue is related to expired password.

    For this issue, I'd like to suggest you check whether the password has expired or not first.

    Code snippet:

    // "user" is the DirectoryEntry of the account being checked
    string attribName = "msDS-User-Account-Control-Computed";
    user.RefreshCache(new string[] { attribName }); // constructed attribute, must be requested by name

    const int UF_LOCKOUT = 0x0010;

    int userFlags = (int)user.Properties[attribName].Value;

    // the mask must be parenthesised: '==' binds tighter than '&' in C#
    if ((userFlags & UF_LOCKOUT) == UF_LOCKOUT)
    {
       // if this is the case, the account is locked out
    }

    Further information:

    Active Directory (LDAP) - Check account locked out / Password expired 

    Please let me know if there is anything that I can do to help.

    Best regards

    Angie

    Friday, August 15, 2014 2:49 AM
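The attribute check from the reply above, as an added example (not Angie's code): msDS-User-Account-Control-Computed is read over a separate connection bound with a service account, since the user's own bind is the thing that fails, and both the lockout bit and the password-expired bit are decoded with a correctly parenthesised bit test. It assumes System.DirectoryServices; the user's LDAP path and the service credentials are placeholders, and the flag values fed to the decoder in Main are constructed so it runs offline.

```csharp
// Added example, not Angie's code. Reads msDS-User-Account-Control-Computed for an ADAM user
// over a separate connection bound with a service account (the user's own bind is what fails),
// and decodes the two flags that matter here with a correctly parenthesised bit test.
// Assumes System.DirectoryServices; the user path and service credentials are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices;

public static class AccountState
{
    // Standard ADS_USER_FLAG bit values.
    public const int UF_LOCKOUT          = 0x0010;
    public const int UF_PASSWORD_EXPIRED = 0x800000;

    public static string[] Decode(int computedFlags)
    {
        var states = new List<string>();
        // '==' binds tighter than '&' in C#, so the mask must be parenthesised;
        // "flags & UF_LOCKOUT == UF_LOCKOUT" is "flags & (bool)" and does not compile.
        if ((computedFlags & UF_LOCKOUT) == UF_LOCKOUT)
            states.Add("locked out");
        if ((computedFlags & UF_PASSWORD_EXPIRED) == UF_PASSWORD_EXPIRED)
            states.Add("password expired");
        return states.ToArray();
    }

    public static int ReadComputedFlags(DirectoryEntry user)
    {
        const string attribName = "msDS-User-Account-Control-Computed";
        // Constructed attribute: it is not in the default property cache and must be requested by name.
        user.RefreshCache(new string[] { attribName });
        object value = user.Properties[attribName].Value;
        return value == null ? 0 : Convert.ToInt32(value);
    }

    static void Main(string[] args)
    {
        // Constructed flag values so the decoder runs offline.
        foreach (int flags in new int[] { 0x000000, 0x000010, 0x800000, 0x800010 })
            Console.WriteLine("0x{0:X6} -> {1}", flags, string.Join(", ", Decode(flags)));

        // Live read only when the user's LDAP path and service credentials are supplied, e.g.
        // "LDAP://localhost:389/CN=user1,CN=TestPartition,DC=TestDomain" svc-reader svc-password
        if (args.Length == 3)
        {
            using (DirectoryEntry user = new DirectoryEntry(args[0], args[1], args[2], AuthenticationTypes.None))
            {
                int flags = ReadComputedFlags(user);
                Console.WriteLine("0x{0:X6} -> {1}", flags, string.Join(", ", Decode(flags)));
            }
        }
    }
}
```

What this answers is whether the account is in a state that would block its logon; it says nothing about whether the password the user typed was correct, which is exactly the gap the original question is about on Windows Server 2003.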

  • User1579121319 posted

    Hi Angie,

    Thanks for your reply.

    Assume User1 is expired and you have been provided an incorrect password during login. Checking for the msDS-User-Account-Control-Computed attribute will give you a false positive; i.e. you would attribute the failure to the account being expired when in fact it could have been a wrong password. On Windows Server 2008 the exception returned contains enough information to assess this failure but on Windows Server 2003 this information is not available.

    I hope this is a bit more clear.

    Thanks!

    Leon

    Monday, August 18, 2014 3:51 AM

  • User1508394307 posted

    What message do you get on 2008+ in case of expired account and wrong password in same time? 

    Friday, September 19, 2014 4:06 AM