过期用户的ValidateCredentials

Question

我会决定本地发展计划的密码是否已过期？

我可以从LDAP查询用户信息，以查看它是否过期，但在进行检查之前，我希望确保用户输入的当前密码是正确的。

using (HostingEnvironment.Impersonate())
            {
                // set up domain context
                using (var ctx = new PrincipalContext(ContextType.Domain))
                {
                    try
                    {

*我期望本节检查当前用户名和密码是否正确。但是对于过期的密码，它不起作用。在检查密码过期之前，我要检查当前用户和密码是否正确。

                        details.IsAuthenticate = ctx.ValidateCredentials(username, password);
                    }
                    catch (Exception exp)
                    {

                        throw exp;
                    }
                    // find the user
                    var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username);

                    if (user != null)
                    {
                        // get the underlying DirectoryEntry object from the UserPrincipal
                        details.IsUserExist = true;
                        var de = (DirectoryEntry)user.GetUnderlyingObject();

                        // now get the UserEntry object from the directory entry
                        var ue = (ActiveDs.IADsUser)de.NativeObject;

                        details.IsAccountLocked = ue.IsAccountLocked;
                        details.IsAccountActive = !ue.AccountDisabled;
                        details.PasswordExpirationDate = ue.PasswordExpirationDate;
                        // details.PasswordLastChanged = ue.PasswordLastChanged;
                        details.HasPasswordExpired = ue.PasswordExpirationDate <= DateTime.Now;
                        details.PasswordNeverExpired = user.PasswordNeverExpires;

                        if (user.PasswordNeverExpires)
                        {
                            details.HasPasswordExpired = false;
                        }

                        if (user.LastPasswordSet.HasValue == false && user.PasswordNeverExpires == false)
                        {
                            details.ForceChangePassword = true;
                        }
                        else
                        {
                            details.ForceChangePassword = false;
                        }

                    }

Answer 1

我找到了我的答案。

我没有使用PrincipalContext对象，而是尝试了另一种方法。

                        try
                        {
                            LdapConnection connection = new LdapConnection(ctx.ConnectedServer);
                            NetworkCredential credential = new NetworkCredential(username, password);
                            connection.Credential = credential;
                            connection.Bind();
                            //Console.WriteLine("logged in");
                        }
                        catch (LdapException lexc)
                        {
                            String error = lexc.ServerErrorMessage;
                            Console.WriteLine(lexc);
                        }
                        catch (Exception exc)
                        {
                            Console.WriteLine(exc);
                        }

而且，通过观察捕获的结果，你可以做任何你想做的事情。

找不到525​用户

52 e​无效凭据

530​此时不允许登录​

531​不允许在此工作站​登录

532​密码过期​

533​帐户禁用​

701​帐户过期​

773​用户必须重置密码​

775​用户帐户锁定

/*******************************************************/

Validate a username and password against Active Directory?

http://social.technet.microsoft.com/Forums/windowsserver/en-US/474abb8f-cfc6-4cac-af79-c3e80e80291f/ldap-authentication-error-ldap-error-code-49-80090308-ldaperr-dsid0c090334-comment?forum=winserverDS