nicolasosorio

Microsoft Server 2008 Password Policy Not working properly

Hi everyone,

The documentation for eDir 9 says:

The password cannot contain the full value of the CN attribute or full or any part of the value of the Full Name attribute for the account, if the attribute contains at least three characters and is a single word. A part of the attribute value is defined as three or more consecutive characters delimited on both ends by the following characters: commas; periods; dashes; hyphens; underscores; spaces; pound signs; or tabs.


But when we set the Microsoft Server 2008 Password Policy, the rule I quoted before is not working.

For example, we have a user whose CN is johnp and whose fullName is PAUL John. If I set his password to "Paul2019", the rule works and the password is not set because of "Paul", but if I set "Pau2009" (supposing the minimum length is 7 characters), the rule doesn't work and the password is set.

The same happens with user's CN.

Does anyone have idea why is not working properly the password pol

Environment:

IDM 4.7.2
eDir 9.1 SP2
3 Replies

Re: Microsoft Server 2008 Password Policy Not working properly

How many complexity violations does your policy allow? I just have an 888 box available at the moment, but in this offset I can observe that "Paul2019" gets rejected due to attribute exclusion (as opposed to a violation of the 2008 policy rules). Once I set allowed violations down to 0, I still get "Paul2019" rejected due to attribute exclusions, but I also can't set "Pau2009", the latter due to a violation of the 2008 rules.

Re: Microsoft Server 2008 Password Policy Not working properly

nicolasosorio wrote:

>
> Hi everyone,
>
> The documentation for eDir 9 says:
>
> > The password cannot contain the full value of the CN attribute or full
> > or any part of the value of the Full Name attribute for the account, if
> > the attribute contains at least three characters and is a single word. A
> > part of the attribute value is defined as three or more consecutive
> > characters delimited on both ends by the following characters: commas;
> > periods; dashes; hyphens; underscores; spaces; pound signs; or tabs.

>
> But when we set the Microsoft Server 2008 Password Policy, the rule I
> quoted before is not working.
>
> For example, we have a user which CN is johnp, and his fullName is PAUL
> John, if I set to him the password "Paul2019" the rule works and the
> password is not setted because of "Paul", but if I set "Pau2009"
> (supposing the minimum length is 7 characters), the rule doesn't work
> and the password is setted.
>


I don't think you are reading the AD spec properly. Do you claim that AD
rejects this password or that you think NMAS should reject this password?

If the user's name is Paul John and the CN is johnp, then the following strings
are illegal as fragments of the password:

Fragment 1: Paul
Fragment 2: John
Fragment 3: johnp

Fragments like Pau or ohn or Joh are not bounded on both sides by "commas;
periods; dashes; hyphens; underscores; spaces; pound signs; or tabs" in the
input data so they are not considered by the AD 2008 password complexity.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
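To make the fragment rule above concrete, here is an added illustration (not code from the thread, eDirectory or Microsoft) of the attribute-exclusion check as the quoted eDir 9 documentation describes it: the Full Name is split on the listed delimiters, only pieces of three or more characters count, and the full CN counts only when it is a single word of at least three characters. Matching is assumed to be case-insensitive, consistent with the original poster seeing "Paul2019" rejected against "PAUL John".

```python
import re
from typing import List, Optional

# Delimiters named in the rule: commas, periods, dashes/hyphens,
# underscores, spaces, pound signs and tabs.
_DELIMITERS = r"[,.\-_ #\t]+"


def name_fragments(full_name: str) -> List[str]:
    """Fragments of the Full Name that the rule excludes: runs of three
    or more consecutive characters bounded on both ends by delimiters
    (or by the start/end of the value)."""
    return [part for part in re.split(_DELIMITERS, full_name) if len(part) >= 3]


def excluded_values(cn: str, full_name: str) -> List[str]:
    """All values a password must not contain for this account."""
    values = []
    # The CN is excluded as a whole, and only if it is a single word
    # of at least three characters; it is not split into fragments.
    if len(cn) >= 3 and re.search(_DELIMITERS, cn) is None:
        values.append(cn)
    values.extend(name_fragments(full_name))
    return values


def violates_attribute_exclusion(password: str, cn: str, full_name: str) -> Optional[str]:
    """Return the excluded value found inside the password (assumed
    case-insensitive), or None when the password passes this rule."""
    lowered = password.lower()
    for value in excluded_values(cn, full_name):
        if value.lower() in lowered:
            return value
    return None


if __name__ == "__main__":
    # Constructed sample matching the account discussed in the thread.
    cn, full_name = "johnp", "PAUL John"
    for candidate in ("Paul2019", "Pau2009", "xJohnPx1"):
        hit = violates_attribute_exclusion(candidate, cn, full_name)
        print(f"{candidate}: {'rejected, contains ' + hit if hit else 'passes attribute exclusion'}")
```

"Pau2009" passes because "Pau" is not a whole delimiter-bounded fragment of "PAUL John"; only the other complexity rules (such as minimum length or allowed violations) could still reject it.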
nicolasosorio

Re: Microsoft Server 2008 Password Policy Not working properly

Hi alexmchugh, thanks for the answer. You are right, I was not understanding the AD spec properly.