My question is how ADSI performs SetPassword operation. According to what I have read ADSI is a COM interface and it has more capabilities than AD provides through LDAP. While you are suppose to update unicodePwd attribute of a personaccount entity through LDAP, ADSI provides you SetPassword call. I know that ADSI & AD provides Kerberos during authentication. So how the password is transmitted to serve开发者_运维百科r when SetPassword is called? Is it raw binary unencrypted data? Or does Kerberos comes into play at this call?
Firstly, SetPassword tries ldap over ssl. then kerberos, and then NetUserSetInfo. So, as far as I can tell, in all cases it is secure on the wire. But it is also quite slow.
This is NOT the case in Adam - it uses cleartext passwords. Beware of wrappers that talk to Adam instead of 'proper' AD.
A faster way is to use IDirectoryObject and set the unicodePwd attribute through this. Because this can only be done with a secure bind to AD, the password is protected.
精彩评论