3.3.5.7.2 Normative Specification

The responder SHOULD<24> process the data from the message, subject to all the following constraints:

  1. The responder validates the integrity of the message with respect to embedded offsets and sizes. Responder implementations MUST return an error condition upon receiving malformed messages.

  2. If the user password is not expired, the responder MUST return STATUS_SUCCESS. The user password is considered expired using the following procedure:

    • Let PasswordMustChange be the value computed using the procedure defined in PasswordMustChange Generation ([MS-SAMR] section 3.1.5.14.4).

    • The password is considered expired if PasswordMustChange is some time in the past.

    • Or, the password is considered expired if one of the following is true:

      • The user account has an msDS-AssignedAuthNPolicy attribute ([MS-ADA2] section 2.224) referring to an msDS-AuthNPolicy object ([MS-ADSC] section 2.120), AND the msDS-AuthNPolicy object has an msDS-AuthNPolicyEnforced attribute ([MS-ADA2] section 2.230) set to TRUE, AND the msDS-AuthNPolicy object has an msDS-UserTGTLifetime attribute ([MS-ADA2] section 2.505), AND PasswordMustChange minus msDS-UserTGTLifetime is greater than the current time.

      • Or, PasswordMustChange minus the value stored in the MaxTicketAge ADM element ([MS-LSAD] section 3.1.1.1) is greater than the current time.

  3. The responder MUST perform the following validation steps before proceeding.

    1. If the msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute ([MS-ADA2] section 2.319) on the naming context (NC) is either false or not present, or if the domain functional level is less than DS_BEHAVIOR_WIN2016, the responder MUST return an error condition.

    2. If the specified user's userAccountControl attribute ([MS-ADA3] section 2.342) does not contain 0x00040000 (ADS_UF_SMARTCARD_REQUIRED), the responder MUST return an error condition.

    3. If the specified user's userAccountControl attribute does contain 0x00010000 (ADS_UF_DONT_EXPIRE_PASSWD), the responder MUST return an error condition.

  4. If all the validation steps completed successfully, the responder MUST perform the following steps.

    1. Generate new random unique values for the dbcsPwd and unicodePwd attributes.

    2. Update the dbcsPwd and unicodePwd attributes on the user object with the values generated in the previous step.

    3. Set the pwdLastSet attribute on the user object to the current time.

  5. All errors MUST be returned.
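The procedure in steps 2 through 5 as an added Python example; it is not code from the specification or from any Windows implementation. It assumes plain dictionaries standing in for the user, naming context and msDS-AuthNPolicy objects, takes the comparisons in the expiry test literally from the wording of step 2, uses 16 random bytes in place of the dbcsPwd/unicodePwd values, and uses "ROLLED" as a label chosen here because the text names no status for the rollover path.

```python
import secrets
from datetime import datetime, timedelta, timezone
DS_BEHAVIOR_WIN2016 = 7                  # domain functional level value
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
ADS_UF_SMARTCARD_REQUIRED = 0x00040000

def password_expired(must_change, now, max_ticket_age, authn_policy=None):
    """Step 2, with the comparisons written exactly as the text states them."""
    if must_change < now:                 # PasswordMustChange is in the past
        return True
    if (authn_policy and authn_policy.get("msDS-AuthNPolicyEnforced")
            and "msDS-UserTGTLifetime" in authn_policy
            and must_change - authn_policy["msDS-UserTGTLifetime"] > now):
        return True
    return must_change - max_ticket_age > now   # MaxTicketAge ADM element

def validate(nc, dfl, uac):
    """Step 3: None when every check passes, else the failing check."""
    if not nc.get("msDS-ExpirePasswordsOnSmartCardOnlyAccounts"):
        return "NC attribute false or not present"
    if dfl < DS_BEHAVIOR_WIN2016:
        return "domain functional level below DS_BEHAVIOR_WIN2016"
    if not uac & ADS_UF_SMARTCARD_REQUIRED:
        return "ADS_UF_SMARTCARD_REQUIRED not set"
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        return "ADS_UF_DONT_EXPIRE_PASSWD set"
    return None

def process(user, nc, dfl, max_ticket_age, now):
    """Steps 2-5 for one user object; 'ROLLED' is a label chosen here."""
    if not password_expired(user["PasswordMustChange"], now, max_ticket_age,
                            user.get("authn_policy")):
        return "STATUS_SUCCESS"
    err = validate(nc, dfl, user["userAccountControl"])
    if err:
        return "ERROR: " + err           # step 5: all errors are returned
    # Step 4: fresh random values stand in for the two hash attributes
    user["dbcsPwd"] = secrets.token_bytes(16)
    user["unicodePwd"] = secrets.token_bytes(16)
    user["pwdLastSet"] = now
    return "ROLLED"

# Constructed sample values, not taken from the specification
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
MAX_TICKET_AGE = timedelta(hours=10)
NC = {"msDS-ExpirePasswordsOnSmartCardOnlyAccounts": True}
EXPIRED_USER = {"PasswordMustChange": NOW - timedelta(days=1),
                "userAccountControl": ADS_UF_SMARTCARD_REQUIRED}
FRESH_USER = {"PasswordMustChange": NOW + timedelta(hours=5),
              "userAccountControl": 0}
```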

See [MS-PKCA] section 3.1.5.2.2 for additional information about handling password changes.