I am using LogonUser to validate a user's set of domain credentials.
LogonUser(accountName, domain, password,
LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, ref token);
With disturbing results:
LogonType     Current Password       Old password
===========   ====================   ========================
Network       Succeeds               Succeeds
Batch         Fails (0x00000569)     Fails (invalid password)
Interactive   Succeeds               Fails (invalid password)
Failure codes:
0x00000569: Logon failure: the user has not been granted the requested logon type at this computer
0x0000052E: Logon failure: Unknown username or password
Details:
- if the user enters valid credentials the function returns true. (good)
- if the user enters invalid credentials the function returns false. (good)
- if the user changes their password, and enters their new valid credentials, the function returns true. (good)
- if the user enters invalid credentials the function returns false. (good)
- if the user enters their old credentials the function returns true. (bad)

Note: if the user moves to a different machine (one that they've never logged onto before) and enters old credentials, LogonUser continues to return true. This means that the caching is not happening on the local machine - but somehow "on the network".

- if the user changes their password again, and enters their new new credentials, the function returns true. (good)
- if the user enters their old credentials the function returns true. (bad)
- if the user enters their old old credentials the function returns false. (good)
How, when calling LogonUser, can I instruct it to instruct the domain not to use cached credentials?
Note: If the user tries to log on to Windows with their old (or old old) password, they get an invalid password error.
From MSDN:
LOGON32_LOGON_NETWORK
This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not cache credentials for this logon type.
LOGON32_LOGON_INTERACTIVE
This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.
LOGON32_LOGON_BATCH
This logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention. This type is also for higher performance servers that process many plaintext authentication attempts at a time, such as mail or web servers.
I am authenticating plain-text passwords, and so am using LOGON32_LOGON_NETWORK. Interactive logon caches credentials, which is not permitted here. Batch, while undocumented about when it should be used, simply fails.
Update: The domain only allows:
- the previous password (not any further back)
- only for 60 minutes
It's plain to me that it's a "feature" of Active Directory that's giving a 1-hour grace period.
Except I don't want the grace period, and I don't want to change any settings on the domain (since I don't know any setting on the domain that would allow a one-hour grace period of use of your old password).
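An added example, not part of the original question: a PowerShell probe that P/Invokes LogonUser with each of the three logon types for one domain account and prints the Win32 error code, so the success/failure table above can be reproduced on any domain-joined host (for instance right after a password change, with both the current and the previous password). It assumes a domain-joined Windows machine and prompts for the account to test; the Test-LogonType function and its output fields are this example's own names.

```powershell
# Added example, not from the original question. Probes LogonUser with each
# logon type for one domain account and reports the Win32 error code, so the
# success/failure table above can be reproduced on any domain-joined host.
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_PROVIDER_WINNT50 = 3
$logonTypes = [ordered]@{
    Interactive = 2   # LOGON32_LOGON_INTERACTIVE: caches credentials locally
    Network     = 3   # LOGON32_LOGON_NETWORK: pass-through, no local caching
    Batch       = 4   # LOGON32_LOGON_BATCH: needs the "Log on as a batch job" right
}

function Test-LogonType {
    param([string]$User, [string]$Domain, [securestring]$Password, [int]$LogonType)
    $token = [IntPtr]::Zero
    # Decrypt only for the duration of the call; the plaintext is never written out.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $ok = [Win32.Logon]::LogonUser($User, $Domain, $plain, $LogonType, $LOGON32_PROVIDER_WINNT50, [ref]$token)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($token -ne [IntPtr]::Zero) { [void][Win32.Logon]::CloseHandle($token) }
    # 0x00000569 (1385) = logon type not granted; 0x0000052E (1326) = bad user/password
    $code = if ($ok) { 0 } else { $err }
    $text = if ($ok) { 'OK' } else { (New-Object ComponentModel.Win32Exception -ArgumentList $err).Message }
    [pscustomobject]@{
        LogonType  = $LogonType
        Succeeded  = $ok
        Win32Error = $code
        Message    = $text
    }
}

# Prompt for the account under test; Get-Credential keeps the password as a SecureString.
$cred = Get-Credential -Message 'Domain account to test (DOMAIN\user)'
$nc   = $cred.GetNetworkCredential()
foreach ($name in $logonTypes.Keys) {
    $r = Test-LogonType -User $nc.UserName -Domain $nc.Domain -Password $cred.Password -LogonType $logonTypes[$name]
    '{0,-12} {1,-6} 0x{2:X8} {3}' -f $name, $r.Succeeded, $r.Win32Error, $r.Message
}
```

Running it once with the current password and once with the previous one, from a host the account has never logged on to, separates a local credential cache (which would not exist on that host) from acceptance on the domain controller side; for NTLM network logons that acceptance window is a domain-controller setting (the Lsa OldPasswordAllowedPeriod value, 60 minutes by default), not a parameter of LogonUser.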