I have a legacy .NET library doing the following:
const int adsOptionPasswordMethod = 7;
const int adsPasswordEncodeClear = 0;
user.Invoke ("SetOption", new object[] { adsOptionPasswordMethod, adsPasswordEncodeClear });
I am using System.DirectoryServices.Protocols in .NET 7 now, and I want to do something like this:
const int adsOptionPasswordMethod = 7;
const int adsPasswordEncodeClear = 0;
var setOptionsAccountControl = new DirectoryAttributeModification
{
    Operation = DirectoryAttributeOperation.Replace,
    Name = "SetOption",
};
modifyUserAccountControl.Add(adsOptionPasswordMethod);
modifyUserAccountControl.Add(adsPasswordEncodeClear);
But the above seems wrong.
CodePudding user response:
According to the documentation, the value of ADS_PASSWORD_ENCODE_CLEAR is 1, but the old code is using 0, which is the value for ADS_PASSWORD_ENCODE_REQUIRE_SSL, which requires the use of SSL.
So if the old code was working, then it must have already been connecting via SSL (port 636).
The documentation for the unicodePwd attribute (the real attribute for the password, although userPassword can work too) says that:
"servers require that the client have a 128-bit (or better) SSL/TLS-encrypted connection to the DC in order to modify this attribute."
If it's already using SSL, then that's all that's needed to be able to set the password. Setting those options isn't necessary.
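What the answer describes, as an added example that is not part of the original post: setting unicodePwd with System.DirectoryServices.Protocols over an LDAPS connection, with no SetOption call. The class and method names, and the server, userDn and credential parameters, are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public static class AdPasswordReset // hypothetical helper, not from the original post
{
    // unicodePwd expects the new password wrapped in double quotes, encoded as UTF-16LE.
    public static byte[] EncodeUnicodePwd(string password) =>
        Encoding.Unicode.GetBytes("\"" + password + "\"");

    // server, userDn and credential are supplied by the caller (assumed values).
    public static void SetPassword(string server, string userDn,
                                   NetworkCredential credential, string newPassword)
    {
        var identifier = new LdapDirectoryIdentifier(server, 636); // LDAPS port
        using var connection = new LdapConnection(identifier)
        {
            AuthType = AuthType.Negotiate,
            Credential = credential
        };
        connection.SessionOptions.ProtocolVersion = 3;
        connection.SessionOptions.SecureSocketLayer = true; // TLS is up before the bind
        connection.Bind();

        // Replace on unicodePwd is an administrative reset; the old password is not needed.
        var modification = new DirectoryAttributeModification
        {
            Operation = DirectoryAttributeOperation.Replace,
            Name = "unicodePwd"
        };
        modification.Add(EncodeUnicodePwd(newPassword));

        try
        {
            var response = (ModifyResponse)connection.SendRequest(
                new ModifyRequest(userDn, modification));
            if (response.ResultCode != ResultCode.Success)
                throw new InvalidOperationException($"Modify returned {response.ResultCode}");
        }
        catch (DirectoryOperationException ex)
        {
            // Raised when the DC refuses the change, e.g. password policy or missing rights.
            throw new InvalidOperationException(
                $"Password change rejected: {ex.Response?.ResultCode}", ex);
        }
    }
}
```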