hi Obaid,

Thanks for looking.

If it helps, Azure Self-Service Password Reset does set the control (actually LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID which does the same thing) when doing a password set.

I think maybe it looks like a password change on the Entra side (that is, the user needs their old password), but Entra wants to forward the change as an unconditional set but maintain history.

This page

https://learn.microsoft.com/en-us/entra/identity/authentication/troubleshoot-sspr-writeback#if-the-source-of-the-event-is-adsync

talks a bit about it around "33008 ADPasswordPolicyError". Elsewhere it mentions LDAP_SERVER_POLICY_HINTS_OID but gives it the value 1.2.840.113556.1.4.2066 which is the one now called _DEPRECATED_, presumably because the oid is also used for the ms-DS-Required-Domain-Behavior-Version attribute.

Douglas



On 1/10/25 10:02, Obaid Farooqi wrote:
Hi Douglas:
To me, the quote from MS-ADTS looks more problematic than the MS-SMAR's.
There will not be a password history if we are setting a password.

I am looking into it and I think this is a bug in MS-ADTS.

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

-----Original Message-----
From: Michael Bowen <[email protected]>
Sent: Wednesday, September 24, 2025 6:17 PM
To: Douglas Bagnall <[email protected]>; [email protected]
Cc: Microsoft Support <[email protected]>
Subject: RE: [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy -- interaction with LDAP_SERVER_POLICY_HINTS_OID - TrackingID#2509240040013358

[DocHelp to bcc]

Hi Douglas,

Thanks for your question. I've created case number 2509240040013358 to track this issue. Please leave the number in the subject line and use reply all in your correspondence. One of our engineers will contact you soon.

Best regards,
Michael Bowen

Sr. Escalation Engineer - Microsoft® Corporation

-----Original Message-----
From: Douglas Bagnall <[email protected]>
Sent: Wednesday, September 24, 2025 3:39 PM
To: Interoperability Documentation Help <[email protected]>; [email protected]
Subject: [EXTERNAL] [MS-SAMR] 3.1.1.7.1 General Password Policy -- interaction with LDAP_SERVER_POLICY_HINTS_OID

hi Dochelp,

MS-ADTS 3.1.1.3.4.1.27 says that when LDAP_SERVER_POLICY_HINTS_OID is used with a control value of 1, the password history length constraint is enforced on password-set operations.

I think that means at the bottom of MS-SAMR 3.1.1.7.1 General Password Policy, where it says:

5. The requesting protocol message is a password change (as compared to a password set).

it should say something like

5. The requesting protocol message is a password change (as compared to a password set), or the message is a password set with the LDAP_SERVER_POLICY_HINTS_OID control set with the value 0x1.

Is that right?

Douglas
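An added illustration of the rule Douglas proposes above (not code from the thread or from Samba): it encodes and decodes the control value that MS-ADTS defines as a BER SEQUENCE containing one INTEGER of flags, and applies the history check to a password change, or to a password set that carries flag 0x1. The non-deprecated OID value 1.2.840.113556.1.4.2239 is assumed from ntldap.h; only the deprecated value 1.2.840.113556.1.4.2066 appears in the thread.

```python
# Added example: LDAP_SERVER_POLICY_HINTS control value and the history rule
# from MS-SAMR 3.1.1.7.1 as amended in the thread. Not the project's own code.

LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"             # assumed (ntldap.h)
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"  # value quoted in thread
POLICY_HINTS_ENFORCE_HISTORY = 0x1  # flag bit: enforce password history on a set


def encode_policy_hints(flags: int) -> bytes:
    """BER-encode PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER } (short lengths)."""
    # Minimal two's-complement big-endian INTEGER content; at least one byte.
    body = flags.to_bytes((flags.bit_length() + 8) // 8 or 1, "big", signed=True)
    integer = b"\x02" + bytes([len(body)]) + body
    return b"\x30" + bytes([len(integer)]) + integer


def decode_policy_hints(value: bytes) -> int:
    """Parse the control value back into its Flags integer, rejecting malformed input."""
    if len(value) < 2 or value[0] != 0x30 or value[1] != len(value) - 2:
        raise ValueError("not a short-form BER SEQUENCE")
    inner = value[2:]
    if len(inner) < 2 or inner[0] != 0x02 or inner[1] != len(inner) - 2:
        raise ValueError("SEQUENCE does not wrap a single INTEGER")
    return int.from_bytes(inner[2:], "big", signed=True)


def history_enforced(is_change: bool, controls: dict[str, bytes]) -> bool:
    """Item 5 of the policy as the thread proposes it: history applies to a change,
    or to a set carrying the policy-hints control (either OID) with bit 0x1 set."""
    if is_change:
        return True
    for oid in (LDAP_SERVER_POLICY_HINTS_OID, LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID):
        if oid in controls and decode_policy_hints(controls[oid]) & POLICY_HINTS_ENFORCE_HISTORY:
            return True
    return False


def password_accepted(new_pw: str, history: list[str], is_change: bool,
                      controls: dict[str, bytes]) -> bool:
    """A plain set ignores history; a change, or a hinted set, rejects reuse."""
    return not (history_enforced(is_change, controls) and new_pw in history)
```

The constructed `history` list stands in for the stored hash history; a real DC compares hashes, not cleartext.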



_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
