Validate new AD password according to local securi

2020-04-18 09:06发布

I would like to allow the current user to change their password (managed via active directory).

I would like to validate and then set their password in Active Directory (currently using the SetPassword invoke method).

My problem is validating the password so that it meets the complexity requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created.

I'm already using a CompareValidator with two textboxes so I was thinking about adding a RegularExpressionValidator (source 1, source 2) but I'm not sure how to get it to work with the whole "three of four categories" thing:

RegularExpressionValidator revComplex = new RegularExpressionValidator();
revComplex.ControlToValidate = _txtPassword1.ID;
revComplex.ErrorMessage = "Password must have at least 7 characters. Characters should be from at least three of the following four groups: uppercase letter, lowercase letter, digit, or special characters  (for example, !, $, #, %).";
revComplex.ValidationExpression = @"^(?=.{7,})(?=.*[a-z])(?=.*[0-9])(?=.*[A-Z])(?!.*s).*$";

Surely someone has tried to do this before? How should I validate a user's password before sending it to Active Directory according to the local security policy?

2条回答
小情绪 Triste *
2楼-- · 2020-04-18 09:51

Imho, you can better use ChangePassword than SetPassword. That way, you require the user to specify his current (old) password. That may be interesting, because you can never be 100% sure that the user who is browsing your site is actually the user who is logged in.

Here's a link with more information: http://www.primaryobjects.com/CMS/Article66.aspx

You do not have to validate the password in advance. Just send it to AD in a try-catch, and if it's not validated, the reason why will be in the exception message.

查看更多
女痞
3楼-- · 2020-04-18 09:57

I found a way to diagnose the error in a bit more detail. It does not provided any feedback from AD, but we can perhaps create a mapping of the COM errors to a user friendly message.

This article provides more information about handling the possible COM errors:

http://www.ozkary.com/2015/03/active-directory-setpassword-or.html

I think more detail can be added for these COM errors:

0x800708c5 0x8007202f 0x8007052d 0x8007052f

查看更多
登录 后发表回答