c# – DirectoryServices two valid passwords

Question:

Hello developers!

I am writing a small utility (web-based) that allows a user to change his password in Active Directory, plus a few other goodies.

I am using the following code with .NET 3.5:

using System;
using System.DirectoryServices.AccountManagement;

public static class PasswordTool
{
    public static string ChPassword(string domain, string container, string userName,
        string oldPassword, string newPassword)
    {
        // The context is bound with an administrative account, so oldPassword is never
        // checked here: SetPassword is an administrative reset, not a user-initiated change.
        using (PrincipalContext principalContext =
            new PrincipalContext(ContextType.Domain, domain, container,
                "admin", "password"))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(principalContext, userName))
        {
            if (user == null)
                throw new Exception("User Not Found In This Domain");

            user.SetPassword(newPassword);
            user.Save();
            return user.Name;
        }
    }
}

Changing the password itself works; only, after that very change, both passwords work, the old one and the new one. Which, in general, seems strange to me.

Maybe someone worked with these libraries? Please tell me the best-practices for solving my problem. Thank you.

Answer:

You are far from the first one who has encountered this 🙂

This behavior is due to the way AD and Kerberos work. In the best case, the old password will stop working after a while. Also, if the user has logged in at any workstation, the password is cached there and can be used to log in for some time even after the password has been changed in the directory.

Here is a detailed description of why this happens.
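An added example, not code from the original question or answer, that shows the two things a practitioner would want to check against the behaviour described above: a self-service change done with ChangePassword (so the directory, not the utility, verifies the old password, and no administrative credentials are baked into the tool), followed by a probe that asks the domain which of the two passwords it still accepts. Domain name, user name and both passwords in Main are placeholders. The report exists because the domain controller keeps accepting the old password for NTLM network authentication for OldPasswordAllowedPeriod minutes (a DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the domain controllers, default 60, documented in KB 906305), and Kerberos tickets issued before the change remain valid until they expire; which of those paths a given bind takes is best observed rather than assumed.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example; DOMAIN, USER and the two passwords below are placeholders (assumptions).
public static class SelfServicePasswordChange
{
    public sealed class AcceptanceReport
    {
        public bool OldPasswordAccepted { get; set; }
        public bool NewPasswordAccepted { get; set; }
    }

    // Self-service change. The context is bound as the user being changed, so the
    // domain controller verifies oldPassword; a wrong old password is rejected by the DC.
    // ChangePassword (unlike SetPassword) also enforces password history, minimum age
    // and complexity exactly as a change from a workstation would.
    public static void ChangeOwnPassword(string domain, string userName,
        string oldPassword, string newPassword)
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain,
                                                           userName, oldPassword))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx,
                                       IdentityType.SamAccountName, userName))
        {
            if (user == null)
                throw new InvalidOperationException("User not found in this domain");

            // Note: binding as the user fails if the account is flagged
            // "must change password at next logon"; that case needs a different flow.
            user.ChangePassword(oldPassword, newPassword);
        }
    }

    // Asks the domain which of the two passwords it currently accepts. Immediately
    // after a change both may validate: the DC still accepts the old password for NTLM
    // network authentication for OldPasswordAllowedPeriod minutes (default 60, KB 906305).
    // ValidateCredentials performs a bind with the given credentials and never
    // modifies the directory.
    public static AcceptanceReport CheckAcceptance(string domain, string userName,
        string oldPassword, string newPassword)
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            return new AcceptanceReport
            {
                OldPasswordAccepted = ctx.ValidateCredentials(userName, oldPassword,
                                                              ContextOptions.Negotiate),
                NewPasswordAccepted = ctx.ValidateCredentials(userName, newPassword,
                                                              ContextOptions.Negotiate)
            };
        }
    }

    public static void Main()
    {
        // Placeholders (assumptions); replace with real values to run against a domain.
        string domain = "corp.example.com";
        string userName = "jdoe";
        string oldPassword = "OldP@ssw0rd!";
        string newPassword = "NewP@ssw0rd!2";

        ChangeOwnPassword(domain, userName, oldPassword, newPassword);

        AcceptanceReport report = CheckAcceptance(domain, userName, oldPassword, newPassword);
        Console.WriteLine("old password accepted: " + report.OldPasswordAccepted);
        Console.WriteLine("new password accepted: " + report.NewPasswordAccepted);

        if (report.OldPasswordAccepted)
            Console.WriteLine("Old password still accepted: expected for up to "
                + "OldPasswordAllowedPeriod minutes on the domain controllers.");
    }
}
```

Run the probe a second time after the grace period has elapsed; if the old password is still accepted well beyond an hour, look at the OldPasswordAllowedPeriod value on the domain controllers (a value of 0 disables the grace period) rather than at the utility, because nothing in the application layer can shorten what the DC itself honours.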
