User Password Validation 
Author Message
 User Password Validation

I am writing a VB application that will require the user to physically call
over a supervisor to approve certain functions.  For this "approval" I will
to capture the supervisors UserID and Password.  I know there are APIs to
verify the supplied UserID exists on the Primary Domain Controller, and I
can even get a list of what User Groups they are in etc.  So that part is
all OK.

The final part that I can't figure out is - How do I verify the password is
current?
Is there an API I can call to have the PDC validate the UserID / Password
and return a Yes/No type answer?

Any help would be appreciated.

Kind regards,
Ian Mooney



Mon, 09 Apr 2001 03:00:00 GMT  
 User Password Validation
Yes - it's LogonUser, but there is a catch. The calling process needs to be
running with the 'act as part of the operating system' privilege in order to
call it.

Cheers,

Andy

Private Declare Function LogonUser _
    Lib "advapi32" _
    Alias "LogonUserA" ( _
    ByVal lpszUsername As String, _
    ByVal lpszDomain As String, _
    ByVal lpszPassword As String, _
    ByVal dwLogonType As Long, _
    ByVal dwLogonProvidor As Long, _
    dhHandle As Long) As Long

Private Declare Function CloseHandle _
    Lib "kernel32" ( _
    lpHandle As Long) As Long

Const LOGON32_LOGON_INTERACTIVE = 2
Const LOGON32_LOGON_NETWORK = 3
Const LOGON32_LOGON_BATCH = 4
Const LOGON32_LOGON_SERVICE = 5

Const LOGON32_PROVIDER_DEFAULT = 0

Call with something like...

Public Function LogonU( _
    sUser As String, _
    sDomain As String, _
    sPassword As String) As Long

Dim lReturn As Long
Dim lError As Long
Dim lHandle As Long

    LogonU = 0

    lReturn = LogonUser( _
        sUser, _
        sDomain, _
        sPassword, _
        LOGON32_LOGON_NETWORK, _
        LOGON32_PROVIDER_DEFAULT, _
        lHandle)

    lError = Err.LastDllError

    If lReturn <> 0 Then
        LogonU = 0
    Else
        LogonU = IIf(lError = 0, 1, lError)
    End If

    lReturn = CloseHandle(lHandle)

End Function


Quote:
>I am writing a VB application that will require the user to physically call
>over a supervisor to approve certain functions.  For this "approval" I will
>to capture the supervisors UserID and Password.  I know there are APIs to
>verify the supplied UserID exists on the Primary Domain Controller, and I
>can even get a list of what User Groups they are in etc.  So that part is
>all OK.

>The final part that I can't figure out is - How do I verify the password is
>current?
>Is there an API I can call to have the PDC validate the UserID / Password
>and return a Yes/No type answer?

>Any help would be appreciated.

>Kind regards,
>Ian Mooney




Mon, 09 Apr 2001 03:00:00 GMT  
 User Password Validation
You can cheat by using the change password net api function.  Thus validates
a password as valid before trying to change it, so if you pass a long
(greater than 14 chars) new password, it will confirm it as being too long
ONLY after it has confirmed the exisiting password as being valid.

John timney

--
----------------------------------------------------------------------------
---------
 Please remove the XYZ from the E-mail to reply.
 I'm sick of the advertising {*filter*}s and spam {*filter*}s.
----------------------------------------------------------------------------
---------

Quote:
>I am writing a VB application that will require the user to physically call
>over a supervisor to approve certain functions.  For this "approval" I will
>to capture the supervisors UserID and Password.  I know there are APIs to
>verify the supplied UserID exists on the Primary Domain Controller, and I
>can even get a list of what User Groups they are in etc.  So that part is
>all OK.

>The final part that I can't figure out is - How do I verify the password is
>current?
>Is there an API I can call to have the PDC validate the UserID / Password
>and return a Yes/No type answer?

>Any help would be appreciated.

>Kind regards,
>Ian Mooney




Mon, 09 Apr 2001 03:00:00 GMT  
 User Password Validation
Do you mean NetUserChangePassword?

Can I allow a non privileged process to call this api with a different
username/password combination?

I had assumed that the first check that takes place would be whether the
calling process was allowed to try to make a change to a different user's
password. If it validates the username/old password combination first, then
it's a neat cheat ;^)

Cheers,

Andy

Quote:
>You can cheat by using the change password net api function.  Thus
validates
>a password as valid before trying to change it, so if you pass a long
>(greater than 14 chars) new password, it will confirm it as being too long
>ONLY after it has confirmed the exisiting password as being valid.

>John timney

>--
>---------------------------------------------------------------------------
-
>---------
> Please remove the XYZ from the E-mail to reply.
> I'm sick of the advertising {*filter*}s and spam {*filter*}s.
>---------------------------------------------------------------------------
-
>---------


>>I am writing a VB application that will require the user to physically
call
>>over a supervisor to approve certain functions.  For this "approval" I
will
>>to capture the supervisors UserID and Password.  I know there are APIs to
>>verify the supplied UserID exists on the Primary Domain Controller, and I
>>can even get a list of what User Groups they are in etc.  So that part is
>>all OK.

>>The final part that I can't figure out is - How do I verify the password
is
>>current?
>>Is there an API I can call to have the PDC validate the UserID / Password
>>and return a Yes/No type answer?

>>Any help would be appreciated.

>>Kind regards,
>>Ian Mooney




Mon, 09 Apr 2001 03:00:00 GMT  
 User Password Validation
Answered my own question - it works very nicely. Thanks for that ;^)

Cheers,

Andy

Quote:
>Do you mean NetUserChangePassword?

>Can I allow a non privileged process to call this api with a different
>username/password combination?

>I had assumed that the first check that takes place would be whether the
>calling process was allowed to try to make a change to a different user's
>password. If it validates the username/old password combination first, then
>it's a neat cheat ;^)

>Cheers,

>Andy


>>You can cheat by using the change password net api function.  Thus
>validates
>>a password as valid before trying to change it, so if you pass a long
>>(greater than 14 chars) new password, it will confirm it as being too long
>>ONLY after it has confirmed the exisiting password as being valid.

>>John timney

>>--
>>--------------------------------------------------------------------------
-
>-
>>---------
>> Please remove the XYZ from the E-mail to reply.
>> I'm sick of the advertising {*filter*}s and spam {*filter*}s.
>>--------------------------------------------------------------------------
-
>-
>>---------


>>>I am writing a VB application that will require the user to physically
>call
>>>over a supervisor to approve certain functions.  For this "approval" I
>will
>>>to capture the supervisors UserID and Password.  I know there are APIs to
>>>verify the supplied UserID exists on the Primary Domain Controller, and I
>>>can even get a list of what User Groups they are in etc.  So that part is
>>>all OK.

>>>The final part that I can't figure out is - How do I verify the password
>is
>>>current?
>>>Is there an API I can call to have the PDC validate the UserID / Password
>>>and return a Yes/No type answer?

>>>Any help would be appreciated.

>>>Kind regards,
>>>Ian Mooney




Mon, 09 Apr 2001 03:00:00 GMT  
 
 [ 5 post ] 

 Relevant Pages 

1. nt user and password validation

2. Setting User Password & Forcing Password Change

3. Password validation?

4. VB5 Password entry/validation algorithm or control ??

5. NT username/password validation

6. NT Username/Password Validation

7. Username and Password Validation

8. Re-Enter Password validation

9. password validation

10. validation of userid/password in a NT-domain

11. Password validation

12. Password validation from code

 

 
Powered by phpBB® Forum Software