3.1.5.13.7.1 SamValidateAuthentication

The following table lists the constraints that MUST be satisfied (in the order presented) in order to return the associated output parameters to the client. All fields of ValidateAuthenticationOutput MUST be set to 0 before any constraints are met.

| Constraint | Condition (fields based on ValidateAuthenticationInput) | ValidateAuthenticationOutput changes |
|---|---|---|
| 1 | If the current time is less than or equal to LockoutTime plus DomainLockoutDuration. | ValidationStatus MUST be set to SamValidateAccountLockedOut. |
| 2 | If the current time is greater than LockoutTime plus DomainLockoutDuration. | LockoutTime MUST be set to 0 (and continue processing). |
| 3 | PasswordMatch is zero, and BadPasswordTime plus DomainLockoutObservationWindow is greater than or equal to the current time. | 1. ValidationStatus MUST be set to SamValidatePasswordIncorrect.<br>2. BadPasswordCount MUST be set to ValidateAuthenticationInput.BadPasswordCount plus 1.<br>3. BadPasswordTime MUST be set to the current time.<br>4. If DomainLockoutThreshold is greater than 0 and BadPasswordCount is greater than or equal to DomainLockoutThreshold, LockoutTime MUST be set to the current time. |
| 4 | PasswordMatch is zero, and BadPasswordTime plus DomainLockoutObservationWindow is less than the current time. | 1. ValidationStatus MUST be set to SamValidatePasswordIncorrect.<br>2. BadPasswordCount MUST be set to 1.<br>3. BadPasswordTime MUST be set to the current time. |
| 5 | PasswordLastSet is zero. [1] | ValidationStatus MUST be set to SamValidatePasswordMustChange. |
| 6 | PasswordLastSet plus DomainMaximumPasswordAge is less than the current time. [1] | ValidationStatus MUST be set to SamValidatePasswordExpired. |
| 7 | PasswordMatched is nonzero. | 1. ValidationStatus MUST be set to SamValidateSuccess.<br>2. If BadPasswordCount is nonzero, BadPasswordCount MUST be set to 0. |

[1] The order in which these conditions are tested SHOULD<72> follow the order shown in the preceding table.
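The following sketch is an added illustration, not part of the protocol text or of any Microsoft implementation: it evaluates constraints 1 through 7 in table order so that the effect of the ordering can be observed (lockout is decided before the password result, and a wrong password is reported before must-change or expiry). Assumptions: times and durations are plain integers in one shared unit, the changed output fields are returned as a dictionary, the function and class names are hypothetical, and the threshold test in constraint 3 is read as applying to the incremented count.

```python
from dataclasses import dataclass

@dataclass
class Persisted:  # the ValidateAuthenticationInput fields the table reads
    LockoutTime: int = 0
    BadPasswordTime: int = 0
    BadPasswordCount: int = 0
    PasswordLastSet: int = 0

@dataclass
class Policy:  # domain settings named in the table (same time unit as `now`)
    DomainLockoutDuration: int
    DomainLockoutObservationWindow: int
    DomainLockoutThreshold: int
    DomainMaximumPasswordAge: int

def validate_authentication(inp, password_matched, pol, now):
    """Test constraints 1-7 in order; return (ValidationStatus, changed fields)."""
    out = {}  # assumption: unchanged output fields stay 0 and are omitted here
    # 1: lockout is evaluated before the password result is looked at
    if now <= inp.LockoutTime + pol.DomainLockoutDuration:
        return "SamValidateAccountLockedOut", out
    out["LockoutTime"] = 0  # 2: lockout has lapsed, continue processing
    if not password_matched:
        in_window = inp.BadPasswordTime + pol.DomainLockoutObservationWindow >= now
        # 3 increments inside the observation window, 4 restarts the count at 1
        count = inp.BadPasswordCount + 1 if in_window else 1
        out["BadPasswordCount"] = count
        out["BadPasswordTime"] = now
        # 3, step 4 (read here as applying to the incremented count)
        if in_window and 0 < pol.DomainLockoutThreshold <= count:
            out["LockoutTime"] = now
        return "SamValidatePasswordIncorrect", out
    if inp.PasswordLastSet == 0:  # 5
        return "SamValidatePasswordMustChange", out
    if inp.PasswordLastSet + pol.DomainMaximumPasswordAge < now:  # 6
        return "SamValidatePasswordExpired", out
    if inp.BadPasswordCount != 0:  # 7
        out["BadPasswordCount"] = 0
    return "SamValidateSuccess", out

if __name__ == "__main__":
    # Constructed sample: 30-minute lockout and window, threshold 3, 90-day max age
    pol, now = Policy(1800, 1800, 3, 90 * 86400), 10_000_000
    third_miss = Persisted(BadPasswordTime=now - 10, BadPasswordCount=2, PasswordLastSet=now - 100)
    print(validate_authentication(third_miss, False, pol, now))
    locked = Persisted(LockoutTime=now - 60, PasswordLastSet=now - 100)
    print(validate_authentication(locked, True, pol, now))
```

Because constraints 3 and 4 precede 5 and 6, a caller presenting a wrong password receives SamValidatePasswordIncorrect whether or not the account's password has expired.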