Changing Active Directory user passwords in c#/asp.net after MS patch KB3167679


Problem description


I'm currently looking for some kind of a best practice on changing the active directory user password for a user for the cases when the user logs in to an asp.net based web application and the password is expired, and during a logged in session.


We're running the application on Windows Server 2008 R2, IIS7 with .net framework 3.5


So far I used this:

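using System;
using System.DirectoryServices.AccountManagement;

public int changeUserPassword(String _userID, String _oldPassword, String _newPassword, bool _change)
{
    try
    {
        // Bind to the domain with a service account (placeholder values).
        PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, "do.ma.in", "DC=do,DC=ma,DC=in",
            ContextOptions.SimpleBind, @"domain\admin_account", "admin_pw");
        UserPrincipal oUserPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, _userID);

        if (_change)
        {
            // User-initiated change: needs the current password, AD password history applies.
            oUserPrincipal.ChangePassword(_oldPassword, _newPassword);
        }
        else
        {
            // Reset: sets the password without the current one, history is not checked.
            oUserPrincipal.SetPassword(_newPassword);
        }
        oUserPrincipal.Save();
    }
    catch (Exception e)
    {
        //error handling
    }
    return 1;
}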


This method handles the cases for user initiated pw change after the login, the changing during expired pw login (ChangePassword method), and for a password reset, where a temporary password is generated etc. (SetPassword method).


The reason why we need the ChangePassword method is so there is a user confirmation about the current password and so the AD password history is applied, since we don't allow the last x passwords. SetPassword just sets the password, no matter if it's in the recent history.


SetPassword seems still to work fine, but since the Microsoft patch KB3167679, the change password method doesn't seem to work anymore (KB3167679). The article specifically mentions that this only happens to accounts that are locked out or disabled, but it also doesn't work anymore when the account is simply active or in "password expired" mode. The exception message I get is "One or more input parameters are invalid".


I previously used another implementation using DirectoryEntry, but it was faulty, since it sometimes worked and sometimes it didn't, which was quite annoying. So I'd rather not go back to that.


We observed this on an instance that has the new patch, an instance without it works fine. I was also able to reproduce the behaviour on a test server, the method stopped working after the mentioned patch was installed.


Unfortunately Microsoft doesn't provide a best practice in this article and I can't seem to find one myself. So the question is if maybe you have a tip for me what is the standard way to go here.

Recommended answer


I have encountered a similar issue. Try changing ContextOptions.SimpleBind to ContextOptions.Negotiate
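The bind change suggested in the answer, applied to the question's ChangePassword path, as an added example (not code from the question or the answer). The class, enum and parameter names are hypothetical, the domain values are the question's placeholders, and OR-ing in Signing and Sealing is an assumption added here, not part of the answer.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical result type so the caller can tell outcomes apart.
public enum PwChangeResult { Ok, UserNotFound, Rejected, DirectoryError }

public static class AdPassword
{
    // Placeholder values taken from the question.
    const string Domain = "do.ma.in";
    const string Container = "DC=do,DC=ma,DC=in";

    public static PwChangeResult Change(string userId, string oldPw, string newPw,
                                        string svcUser, string svcPw)
    {
        // Negotiate binds with Kerberos/NTLM instead of an LDAP simple bind,
        // which sends the bind credentials unprotected unless SSL is used.
        // Signing and Sealing (added here) protect the session on the wire.
        ContextOptions opts = ContextOptions.Negotiate
                            | ContextOptions.Signing
                            | ContextOptions.Sealing;
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, Domain, Container,
                                                  opts, svcUser, svcPw))
            using (var user = UserPrincipal.FindByIdentity(ctx, userId))
            {
                if (user == null) return PwChangeResult.UserNotFound;

                // ChangePassword requires the current password, so the
                // AD password history policy is applied to the new one.
                user.ChangePassword(oldPw, newPw);
                return PwChangeResult.Ok;
            }
        }
        catch (PasswordException)
        {
            // The directory refused the change (for example, policy not met).
            return PwChangeResult.Rejected;
        }
        catch (PrincipalOperationException)
        {
            // Bind or directory operation failed; log details server-side only.
            return PwChangeResult.DirectoryError;
        }
    }
}
```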
