4
votes

I'm trying to change a user's password programmatically using LDAP. The user has the flag "User Must Change Password at Next Logon" set in Active Directory. But I can't authenticate to Active Directory as this user. I used two LDAP auth types: simple and GSSAPI (Kerberos). Can somebody explain how Windows itself changes the password when "User Must Change Password" is checked? Kerberos fails at the AS_REQ/AS_REP (AS) step and returns the error STATUS_PASSWORD_MUST_CHANGE during authentication.

1
AFAIK that's a custom AD feature that is supported only by Microsoft SSPI libraries. Standard GSSAPI libraries won't help. Welcome to WestMicrosoftWorld... - Samson Scharfrichter
Did you try a PowerShell script with the AD client module? - Samson Scharfrichter

1 Answer

3
votes

Thanks Samson for your comments.

When a user has "Must change password at next login" checked, Windows first tries to get a ticket for the SPN kadmin/changepw and after that uses the KPASSWD service (port 464 UDP/TCP) to change the user's password using the KPASSWD protocol (https://tools.ietf.org/html/rfc3244). I tried to change the password using Windows for a "Must change password" user and then analyzed the packets with Wireshark; everything works according to rfc3244. Also, I tried the MIT KPASSWD tool, and the password was changed just like with Windows.

Packets from client to Active Directory [screenshot]

Details of KPASSWD packet [screenshot]
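As an added illustration of the RFC 3244 framing the answer describes (not code from the answer or from any Kerberos implementation), the following parser splits a captured kpasswd UDP datagram into its header, AP-REQ/AP-REP and KRB-PRIV parts and decodes the result code of a reply. The AP-REQ and KRB-PRIV bytes in the sample are constructed placeholders, not real ASN.1.

```python
import struct

# RFC 3244 values for the 2-byte protocol version field
KPASSWD_VERSION_CHANGE = 0x0001  # classic change-password to kadmin/changepw
KPASSWD_VERSION_SET = 0xFF80     # set-password extension

# Result codes carried in the first two bytes of the reply's KRB-PRIV user-data
RESULT_CODES = {
    0: "KRB5_KPASSWD_SUCCESS",
    1: "KRB5_KPASSWD_MALFORMED",
    2: "KRB5_KPASSWD_HARDERROR",
    3: "KRB5_KPASSWD_AUTHERROR",
    4: "KRB5_KPASSWD_SOFTERROR",
    5: "KRB5_KPASSWD_ACCESSDENIED",
    6: "KRB5_KPASSWD_BAD_VERSION",
    7: "KRB5_KPASSWD_INITIAL_FLAG_NEEDED",
}


def parse_kpasswd_frame(datagram: bytes) -> dict:
    """Split one UDP kpasswd message: 2-byte total length, 2-byte version,
    2-byte AP length, then the AP-REQ (or AP-REP) and the KRB-PRIV."""
    if datagram[:1] == b"\x7e":
        # A bare KRB-ERROR (APPLICATION 30) means the KDC refused up front
        return {"krb_error": datagram}
    if len(datagram) < 6:
        raise ValueError("datagram shorter than the 6-byte kpasswd header")
    msg_len, version, ap_len = struct.unpack(">HHH", datagram[:6])
    if msg_len != len(datagram):
        raise ValueError(f"length field {msg_len} != datagram size {len(datagram)}")
    if version not in (KPASSWD_VERSION_CHANGE, KPASSWD_VERSION_SET):
        raise ValueError(f"unknown protocol version 0x{version:04x}")
    if 6 + ap_len > msg_len:
        raise ValueError("AP length runs past the end of the message")
    return {"version": version,
            "ap_message": datagram[6:6 + ap_len],
            "krb_priv": datagram[6 + ap_len:]}


def decode_result(user_data: bytes) -> tuple:
    """Decode decrypted KRB-PRIV user-data of a reply: 2-byte code + optional text."""
    if len(user_data) < 2:
        raise ValueError("result code missing")
    code = struct.unpack(">H", user_data[:2])[0]
    return code, RESULT_CODES.get(code, "UNKNOWN"), user_data[2:].decode("utf-8", "replace")


def build_frame(version: int, ap_message: bytes, krb_priv: bytes) -> bytes:
    """Wrap AP message and KRB-PRIV in the RFC 3244 UDP framing (used to build sample input)."""
    body = ap_message + krb_priv
    return struct.pack(">HHH", 6 + len(body), version, len(ap_message)) + body


# Constructed sample request; placeholder bytes stand in for real DER-encoded AP-REQ/KRB-PRIV
SAMPLE_REQUEST = build_frame(KPASSWD_VERSION_CHANGE, b"\x6e\x03APREQ", b"\x75\x03PRIV")
```

Over TCP the same message is prefixed with a 4-byte length, so strip that before calling `parse_kpasswd_frame`.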