On Wed, 10 Feb 2016, Pavel Reichl wrote:
>On 02/10/2016 11:06 AM, Alexander Bokovoy wrote:
>>On Wed, 10 Feb 2016, Pavel Reichl wrote:
>>>>>since getting those values requires to parse the string it would be nice
>>>>>to get some official details about the string.
>>>>Well, the string content after DSID-<number> mark can be completely
>>>>missing while the hex of the code (80090308) will be there.
>>>>
>>>>The presence of "DSID-<number> ..." error message is regulated by
>>>>ulHideDSID character of the dsHeuristics attribute (MS-ADTS
>>>>6.1.1.2.4.1.2). So you can have Active Directory where DSID-<number>
>>>>string is completely missing but Win32 code for the error is there.
>>>>
>>>
>>>Alexander thanks for looking into this, but what we need is to
>>>distinguish between reasons for invalid credentials.
>>>
>>>e.g.
>>>Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v23f0
>>>Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0
>>As I said, you should not rely on the information being available to you
>>as it might be disabled completely by the AD administrators in the
>>dsHeuristics attribute.
>>
>>What are you going to do when ulHideDSID flag is set to 1?
>The ticket is about providing extra info to the user if the account is locked.
>If we can't decide, we return generic access denied and a generic
>message. Best effort attitude is fine here...IMO.
That's fine, but please add documentation about the behavior into the
commit message so that we would have this discussion recorded somehow.
--
/ Alexander Bokovoy
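The parsing approach the thread argues about, as an added example that is not code from the thread, from SSSD or from any of the participants: it pulls the Win32 status and the "data NNN" sub-code out of an AD bind diagnostic string and falls back to a generic "invalid credentials" classification whenever the sub-code is absent, which is exactly the case when ulHideDSID suppresses the DSID comment. The sample strings are constructed from the shape of the two examples quoted above; the hidden-DSID sample is an assumed approximation of what the server returns with the comment suppressed. The code-to-reason table is taken from Microsoft's public documentation of these sub-codes, not from the thread, which only shows 773 and 775.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sub-status codes AD appends after "data" in the "AcceptSecurityContext
# error" comment, written as the hex digits AD prints. Taken from
# Microsoft's public documentation of these codes (assumption: not from
# the thread, which only shows 773 and 775).
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

GENERIC_REASON = "invalid credentials"

# First run of exactly 8 hex digits: the Win32 status (80090308 in the thread).
_WIN32_RE = re.compile(r"\b([0-9A-Fa-f]{8})\b")
# "data 775" etc.; only present when the DSID comment is not hidden.
_DATA_RE = re.compile(r"\bdata ([0-9A-Fa-f]+)\b")


@dataclass
class BindFailure:
    win32_code: Optional[str]  # e.g. "80090308", None if not found
    data_code: Optional[str]   # e.g. "775", None when hidden or absent
    reason: str                # classification shown to the caller


def classify_bind_error(diag: str) -> BindFailure:
    """Classify an AD LDAP bind failure from its diagnostic message.

    If the "data NNN" sub-code is missing (ulHideDSID set, or a server
    that simply does not emit it), the result is the generic reason; the
    caller should then return a generic access-denied message, as the
    thread agrees.
    """
    win32 = _WIN32_RE.search(diag)
    data = _DATA_RE.search(diag)
    win32_code = win32.group(1).lower() if win32 else None
    data_code = data.group(1).lower() if data else None
    if data_code is None:
        return BindFailure(win32_code, None, GENERIC_REASON)
    # Unknown sub-codes also collapse to the generic reason rather than
    # guessing; only codes we positively recognise get a specific reason.
    return BindFailure(win32_code, data_code,
                       AD_DATA_CODES.get(data_code, GENERIC_REASON))


# Constructed sample diagnostics (same shape as the thread's two examples).
SAMPLE_RESET = ("Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, "
                "comment: AcceptSecurityContext error, data 773, v23f0")
SAMPLE_LOCKED = ("Invalid credentials(49), 80090308: LdapErr: DSID-0C0903C5, "
                 "comment: AcceptSecurityContext error, data 775, v23f0")
# Constructed approximation of the ulHideDSID=1 case: Win32 code present,
# DSID comment and "data" sub-code gone.
SAMPLE_HIDDEN = "Invalid credentials(49), 80090308:"


if __name__ == "__main__":
    for sample in (SAMPLE_RESET, SAMPLE_LOCKED, SAMPLE_HIDDEN):
        print(classify_bind_error(sample))
```

Keep the detailed `reason` in the server-side log and surface only the locked-out hint the ticket asks for; everything else, including the hidden-DSID case, maps to the same generic user-facing message so the error text does not become an account-enumeration oracle.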