How to check AD user credentials when the user's password has expired or "user must change password at next logon" is set

2023-09-03 04:05:14 By: 梦战苍穹

I would like to find out if there is any .NET way to validate an Active Directory user credential even if the user's password is expired or the user has "user must change password at next logon" set. I have tried PrincipalContext.ValidateCredentials and this returns false for my user. I also tried an LDAP bind and that does not work either. My purpose is to authenticate the user and then prompt him with a change-password dialog if his password is expired or he has to change the password at next login.

Recommended answer

We have several AD controllers in our setup, and the PrincipalContext.ValidateCredentials method would always return false on the AD controllers on Windows 2003 servers for users with the "user must change password at next logon" checkbox checked.

But on the ones on Windows 2008 R2 servers, it would return true if the credentials were valid, even if the checkbox was checked.

So I just made sure my code was hitting one of the Windows 2008 R2 servers, and that did the trick.

I did work on a solution for the 2003 servers (before I realized things would just work on the other ones). Here is the code:

using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// adLocation should name a specific DC, not just the domain: the pwdLastSet write and the
// retried ValidateCredentials must hit the same DC, otherwise the retry can run against a
// DC that has not replicated the change yet. adAdminUsername needs write access to
// pwdLastSet on the user being checked.
static bool ValidateEvenIfMustChangePassword(string adLocation, string adContainer,
    string adAdminUsername, string adAdminPassword, string username, string password)
{
    var adContext = new PrincipalContext(ContextType.Domain, adLocation, adContainer, adAdminUsername, adAdminPassword);

    var initialValidation = adContext.ValidateCredentials(username, password);
    Console.WriteLine("Initial validation returned: " + initialValidation);
    if (initialValidation)
        return true;

    // maybe validation failed because "user must change password at next logon".
    // let's see if that is the case.
    var user = UserPrincipal.FindByIdentity(adContext, username);
    if (user == null || user.LastPasswordSet != null)
        return false;   // unknown user, or the flag is not set: the password really was wrong

    // the user must change his password at next logon (pwdLastSet == 0, which the
    // UserPrincipal surfaces as LastPasswordSet == null). So this might be why
    // validation returned false.

    // uncheck the "change password" checkbox and attempt validation again.
    // Note that while the flag is cleared the account can log on anywhere with the old
    // password, so the window between the two commits is kept as short as possible and
    // the flag is restored in a finally block even if the retry throws.
    var deUser = (DirectoryEntry)user.GetUnderlyingObject();
    var property = deUser.Properties["pwdLastSet"];
    property.Value = -1;   // -1 means "password was set now", which clears the flag
    deUser.CommitChanges();
    try
    {
        // property was unset, retry validation
        var secondaryValidation = adContext.ValidateCredentials(username, password);
        Console.WriteLine("Secondary validation returned: " + secondaryValidation);
        return secondaryValidation;
    }
    finally
    {
        // re-check the checkbox
        property.Value = 0;   // 0 means "must change password at next logon"
        deUser.CommitChanges();
    }
}
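An alternative that needs no admin account and no writes to the directory, added here as an example (it is not the answer's code and not from the original page): bind to the DC as the user being checked and, when the bind fails, read the diagnostic string an AD domain controller attaches to an invalidCredentials (result 49) response. The hex value after "data" in that string is the Win32 logon status, so a correct password on an account flagged "must change" comes back as data 773, an expired password as data 532, and a wrong password as data 52e. The DC host name, the UPN form of the user name, LDAPS on port 636 and the ShowChangePasswordDialog call in the comment are assumptions for the illustration.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

public enum CredentialStatus
{
    Valid, MustChangePassword, PasswordExpired, WrongPassword,
    AccountLockedOut, AccountDisabled, AccountExpired, OtherFailure
}

public static class AdCredentialCheck
{
    // When a simple bind fails with LDAP result 49 (invalidCredentials), an AD DC appends a
    // diagnostic string such as
    //   "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580"
    // The hex value after "data" is the Win32 logon status. 773 and 532 mean the password was
    // accepted but must be changed or has expired, which is exactly the case the question is about.
    public static CredentialStatus ClassifyBindError(string serverErrorMessage)
    {
        if (string.IsNullOrEmpty(serverErrorMessage))
            return CredentialStatus.OtherFailure;

        var m = Regex.Match(serverErrorMessage, @"\bdata\s+([0-9A-Fa-f]+)\b");
        if (!m.Success)
            return CredentialStatus.OtherFailure;

        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "52e": return CredentialStatus.WrongPassword;       // ERROR_LOGON_FAILURE
            case "773": return CredentialStatus.MustChangePassword;  // ERROR_PASSWORD_MUST_CHANGE
            case "532": return CredentialStatus.PasswordExpired;     // ERROR_PASSWORD_EXPIRED
            case "775": return CredentialStatus.AccountLockedOut;    // ERROR_ACCOUNT_LOCKED_OUT
            case "533": return CredentialStatus.AccountDisabled;     // ERROR_ACCOUNT_DISABLED
            case "701": return CredentialStatus.AccountExpired;      // ERROR_ACCOUNT_EXPIRED
            default:    return CredentialStatus.OtherFailure;
        }
    }

    // Binds as the user being checked. dcHostName is assumed to be a DC reachable over LDAPS
    // on 636; the user name is given in UPN form (user@domain), which simple bind accepts.
    public static CredentialStatus Validate(string dcHostName, string userPrincipalName, string password)
    {
        // An empty password must be rejected up front: LDAP treats it as an anonymous bind,
        // which succeeds and would report any user name as "Valid".
        if (string.IsNullOrEmpty(password))
            return CredentialStatus.WrongPassword;

        var id = new LdapDirectoryIdentifier(dcHostName, 636);
        using (var conn = new LdapConnection(id))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;   // never send a simple bind in clear text
            conn.AuthType = AuthType.Basic;
            conn.Credential = new NetworkCredential(userPrincipalName, password);
            try
            {
                conn.Bind();
                return CredentialStatus.Valid;
            }
            catch (LdapException ex) when (ex.ErrorCode == 49)   // LDAP_INVALID_CREDENTIALS
            {
                return ClassifyBindError(ex.ServerErrorMessage);
            }
        }
    }

    public static void Main()
    {
        // Constructed diagnostic strings in the shape AD returns them, to exercise the
        // classifier without a domain controller.
        string[] samples =
        {
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580",
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v2580",
        };
        foreach (var s in samples)
            Console.WriteLine(ClassifyBindError(s));   // WrongPassword, MustChangePassword, PasswordExpired

        // Live check against a DC (hypothetical names; ShowChangePasswordDialog is the caller's own UI):
        // var status = Validate("dc01.corp.example", "jdoe@corp.example", password);
        // if (status == CredentialStatus.MustChangePassword || status == CredentialStatus.PasswordExpired)
        //     ShowChangePasswordDialog();
    }
}
```

Because a 773 or 532 is only returned when the supplied password is otherwise correct, the caller can safely open the change-password dialog on those two statuses and treat everything else as a failed logon. The bind runs with the user's own credentials, so no account with write access to pwdLastSet is involved and there is no window in which the "must change" flag is cleared.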