Tuesday, 15 February 2011

windows - c# - Validating expired domain credentials across the forest

There are a few questions that ask how to validate Active Directory domain credentials. However, I don't believe they deal adequately with multi-domain scenarios across a forest. For starters, both suggest that the definitive way to perform AD authentication in C# .NET 3.5+ should be this:

    using System.DirectoryServices.AccountManagement;

    bool isValid = false;
    using (var ctx = new PrincipalContext(ContextType.Domain, "foo.com"))
    {
        // verify the user exists first
        var lookedUp = UserPrincipal.FindByIdentity(ctx, "myuser");
        if (lookedUp != null)
        {
            // validate credentials against the same context
            isValid = ctx.ValidateCredentials("myuser", "mypassword");
        }
    }

This works when the user wanting to authenticate belongs to foo.com. However, there are subtle, unexpected differences in the case of a user who belongs to a child domain and whose password has expired. (I have got the PrincipalContext to find the user in the child domain in 2 different ways: (a) setting the domain argument to "foo.com:3268"; (b) adding the container argument with the base DN of the child domain: new PrincipalContext(ContextType.Domain, "foo.com", "dc=child,dc=foo,dc=com"). The problem I describe below occurs in both scenarios.)

If the user belongs to foo.com and has an expired password, ValidateCredentials returns true (at least on the Windows 7 machine I'm testing on; I've seen others say the behavior is different on Windows 2003). However, if the user belongs to child.foo.com and the password has expired, ValidateCredentials returns false.

It is pretty important to me to be able to distinguish between "valid but expired password" and "invalid password". If the entered password is right but expired, I want to be able to redirect them to a "change password" screen. However, if the password entered is totally wrong, it would be considered a leakage of information to forward them to the change password screen.

The only way forward I can see is to use the LDAP interface to AD and try to parse the status messages it sends back to figure out the underlying error code. That sounds neither fun nor wise.

Can anyone provide a reason for this behavior when dealing with subdomains within the same forest? Can anyone provide a solution for what I'm trying to accomplish here?

So the issue here appears to be that .NET tries what's called a fast concurrent LDAP bind to AD. That's a super lightweight mechanism, and Google seems to indicate that it perhaps bypasses the expiry check. I didn't validate this, but, assuming it's true...

I think your options here are either a) binding (look at the LdapConnection class and its associated flags) or b) P/Invoke LogonUser. You may need to dig in to figure out the password expiry status if the call fails; I'm not sure if either of them tells you it's expired or whether that isn't the reason for the failure.
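Option (a) from the answer, worked through as an added example (not code from the original question or answer): a plain simple bind over LDAPS with System.DirectoryServices.Protocols is not a fast concurrent bind, so the DC enforces password expiry and reports the reason in the bind failure's diagnostic string, which is what lets "correct but expired" be told apart from "wrong password". Assumed: the DC host name, LDAPS on port 636, the UPN form of the user name, and the well-known AD "data" codes mapped below (hex values of the corresponding Win32 logon errors).

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

public enum CredentialStatus { Valid, Invalid, Expired, MustChange, Locked, Disabled, Other }

public static class ForestCredentialChecker
{
    // On a failed simple bind AD puts the reason in the diagnostic message, e.g.
    // "80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 532, v1db1".
    static readonly Regex DataCode = new Regex(@"data ([0-9a-fA-F]+)");

    // server: any DC (or GC host) in the forest; assumption: LDAPS is enabled on 636.
    // user: UPN form, e.g. "myuser@child.foo.com", so the child-domain account resolves.
    public static CredentialStatus Check(string server, string userPrincipalName, string password)
    {
        var id = new LdapDirectoryIdentifier(server, 636);
        using (var conn = new LdapConnection(id))
        {
            conn.SessionOptions.SecureSocketLayer = true;   // never send a simple bind in clear text
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Basic;                   // ordinary simple bind, not a fast concurrent bind
            try
            {
                conn.Bind(new NetworkCredential(userPrincipalName, password));
                return CredentialStatus.Valid;
            }
            catch (LdapException ex)
            {
                var m = DataCode.Match(ex.ServerErrorMessage ?? string.Empty);
                if (!m.Success) return CredentialStatus.Other;
                switch (m.Groups[1].Value.ToLowerInvariant())
                {
                    case "52e": return CredentialStatus.Invalid;    // ERROR_LOGON_FAILURE (1326)
                    case "532": return CredentialStatus.Expired;    // ERROR_PASSWORD_EXPIRED (1330)
                    case "773": return CredentialStatus.MustChange; // ERROR_PASSWORD_MUST_CHANGE (1907)
                    case "775": return CredentialStatus.Locked;     // ERROR_ACCOUNT_LOCKED_OUT (1909)
                    case "533": return CredentialStatus.Disabled;   // ERROR_ACCOUNT_DISABLED (1331)
                    default:    return CredentialStatus.Other;
                }
            }
        }
    }
}
```

Only Expired and MustChange need to be surfaced to the user (as the redirect to the change-password screen); the remaining statuses are for your logs, since telling an unauthenticated caller that an account is locked or disabled is the same kind of information leak the question is trying to avoid.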

c# windows authentication active-directory
