i am using LogonUser to validate a user's set of domain credentials.
LogonUser(accountName, domain, password,
LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, ref token);
With disturbing results:
LogonType Current Password Old password
=========== ============================== ========================
Network Succeeds Succeeds
Batch Fails (0x00000569) Fails (invalid password)
Interactive Succeeds Fails (invalid password)
Failure codes:
0x00000569
: Logon failure: the user has not been granted the requested logon type at this computer
0x0000052E
: Logon failure: Unknown username or password
Details:
true
. (good)
if the user enters invalid credentials the function returns false
. (good)
if the user changes their password, and enters their new valid credentials the function returns true
. (good)
if the user enters invalid credentials the function returns false
. (good)
if the user enters their old credentials the function returns true
. (bad)
Note: if the user moves to a different machine (one that they've never logged onto before), and enter old credentials,
LogonUser
continues to return true. This means that the caching is not happening on the local machine - but somehow "on the network".
true
. (good)
true
. (bad)
false
. (good)
How, when calling LogonUser
can i instruct it to instruct the domain to not use cached credentials.
Note: If the user tries to logon to Windows with their old (or old old) password, they get invalid password error.
From MSDN:
LOGON32_LOGON_NETWORK
This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not cache credentials for this logon type.
LOGON32_LOGON_INTERACTIVE
This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.
LOGON32_LOGON_BATCH
This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention. This type is also for higher performance servers that process many plaintext authentication attempts at a time, such as mail or web servers.
i am authenticating plain-text passwords, and so using LOGON32_LOGON_NETWORK
. Interactive logon caches credentials, which is not permitted here. Batch, while undocumented about when it should be used, simply fails.
Update: The domain only allows:
It's plain to me that it's a "feature" of Active Directory that's giving a 1 hour grace period.
Except i don't want the grace period, and i don't want to change any settings on the domain (since i don't know any setting on the domain that would allow a one hour grace period of use of your old password).
It's a feature of NTLM. You can change the default 60 min. by adding an OldPasswordAllowedPeriod
DWORD value in minutes to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
key on the domain controller, or you can disable 'Enforce Password History' policy. You might also try using another logon provider like LOGON32_PROVIDER_WINNT50
.
BTW if you're already providing a GUI, I see no disadvantage using LOGON32_LOGON_INTERACTIVE
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With