Developer Forum

Hi ng,

i have User objects in a Active Directory which are used only for IIS
authentication.
So there is a problem when the Password of this User has to be changed (e.g.
because it is expired).
When i connect to the Active Directory with the credentials of such a User,
ADSI throws a "Logon failure: unknown user name or bad password" exception.
Is it possible to get the information that the Password has to be changed?
And can i do that with the credentials of that account?
After all, Windows gets that information from the domain: when i log on the
domain with a "password must be changed" user, a user mask to enter the
expired and the new password evolves. And that is what i like to do, with
ADSI.

Thanks,
dan

I'm pretty sure you can't do this with ADSI. You definitely can't do this
with LDAP.

You might try to see if you can get it to work with the WinNT provider, but
I'm not sure if that works either.

Windows does this using the SSPI API.

Joe K.

I don't have a direct solution. However, we lessened the impact of expired
passwords by implementing a daily job to email informational notices to
users when their passwords were about to expire. We email 14 days and 3
days prior to expiration. This helps catch the people who use Windows
authentication but do not login to a Windows PC.

"Joe Kaplan (MVP - ADSI)" < XXXX@XXXXX.COM > wrote

and is it possible to use the SSPI API in an unmanaged block within .NET?

"Joe Kaplan (MVP - ADSI)" < XXXX@XXXXX.COM > wrote

Yes, a few people have written managed wrappers for SSPI. .NET 2.0 has a
built in one as well (NegotiateStream).

Google is your friend here :)

Joe K.