我在我的应用程序中使用PrincipalContext(来自System.DirectoryServices.AccountManagement命名空间)针对 Active Directory 进行身份验证(我正在使用该ValidateCredentials函数)。
身份验证工作正常,当我在 Active Directory 中重置用户密码并强制他在下次登录时更改密码时,我无法对用户进行身份验证。
我试图改变我进行身份验证的方式,我使用了LdapConnection(命名空间System.DirectoryServices.Protocols),身份验证工作正常,当我重置用户密码并强制用户在下次登录时更改密码时,我无法验证这个用户,如果我我只是重置密码而不强制用户在下次登录时更改密码,我可以验证用户。
我用不同的活动目录测试了相同的场景,它适用于所有场景。
当用户必须在下一次登录标志为 true 时更改密码时,Active Directory 是否有可能阻止我通过代码进行身份验证?
You've answered your own question really, when "User must change password at next logon" is set in active directory, the user can only authenticate interactively from the Windows UI in order to set a new password, they cannot be authenticated in the way you require.
If you wanted to get it working you would need to add functionality to your application to detected when a user much change their password and provide means to do so prior to authentication. This would require handling of expired passwords as well as instances where changing the password was forced in the way you describe.