
Password Reset Tool Logic Update: Handling Expired Passwords


My internal password reset tool was again failing for many users with a misleading "Current credentials are invalid" error, this time for a different reason. Investigation revealed the root cause: users with expired passwords couldn't reset them because the tool required them to authenticate with their current password first, but an expired password can't authenticate.

This created a Catch-22 scenario - users needed to authenticate to reset their password, but couldn't authenticate because their password was expired.

Investigation

  • Users were getting generic "username or password incorrect" errors
  • Bad password counts were increasing multiple times per reset attempt
  • Many failing accounts had AdminCount=1 (privileged accounts)
  • My diagnostic logs showed *** PASSWORD HAS EXPIRED *** but the system treated this as "wrong password"

Core Issue

Active Directory returns generic error code 0x8007052E (invalid credentials) for both:

  • Wrong passwords (security failure)
  • Correct but expired passwords (legitimate user needing help)

The system couldn't distinguish between these scenarios, so it treated all expired password authentication attempts as security violations.

My Initial Security Assumption

I initially assumed that implementing expired password detection would create a vulnerability:

// What I thought was dangerous but actually isn't
if (errorCode == 0x8007052E && passwordIsExpiredFromDiagnostics)
{
    // I feared this would allow attackers with wrong passwords to reset accounts
    return AuthenticationResult.PasswordExpired;
}

Why I Was Wrong

I feared this logic because I thought:

  1. Attacker finds expired account username
  2. Attacker enters random wrong password
  3. System sees expired password + generic error code
  4. System assumes "must be correct expired password"
  5. System allows reset

But testing proved this reasoning wrong. The system correctly rejects a wrong password regardless of whether the account's password is expired.

The Actual Solution (Which Is Secure)

The final logic distinguishes the three scenarios safely:

  1. Wrong password on non-expired account → "Current credentials are invalid"
  2. Wrong password on expired account → "Current credentials are invalid"
  3. Correct password on expired account → "Password is successfully reset"

Security Verification Test

I tested with a standard user account (user.expired) that had a valid (non-expired) password:

  • Used wrong password → Got 0x8007052E error
  • System correctly showed "Current credentials are invalid"
  • No security bypass occurred

Let's confirm this with the web log the tool creates:

// A reset with the correct (but expired) password looks like this:
2025-09-18 14:12:45 - Generic COM Exception - Error Code: 0x8007052E, Message: The user name or password is incorrect.
2025-09-18 14:12:45 - Generic invalid credentials COM error detected, but diagnostics show password is expired for user: user.expired@bear.local - treating as expired password
2025-09-18 14:12:45 - Password expired but correct for user: user.expired - will attempt direct reset
2025-09-18 14:12:45 - Expired password reset SUCCESSFUL for user 'user.expired'. Reason: EXPIRED_PASSWORD_CORRECT

// A reset with an incorrect password looks like this:

2025-09-18 16:09:23 - Generic COM Exception - Error Code: 0x8007052E, Message: The user name or password is incorrect.
2025-09-18 16:09:23 - Invalid credentials (wrong password) detected via generic COM exception for user: user.expired@bear.local
2025-09-18 16:11:44 - Generic COM Exception - Error Code: 0x8007052E, Message: The user name or password is incorrect.
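As an added example (not part of this post or of the tool's own code), here is a small Python script that reads lines in the web-log format shown above and summarises, per user, how many attempts the tool classified as wrong-password versus expired-but-correct, flagging a burst of wrong-password decisions for one account. The sample lines are constructed, and the regular expressions are my assumptions about the log's field layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the tool's web-log format (not a real capture).
SAMPLE_LOG = """\
2025-09-18 14:12:45 - Generic COM Exception - Error Code: 0x8007052E, Message: The user name or password is incorrect.
2025-09-18 14:12:45 - Password expired but correct for user: user.expired - will attempt direct reset
2025-09-18 14:12:45 - Expired password reset SUCCESSFUL for user 'user.expired'. Reason: EXPIRED_PASSWORD_CORRECT
2025-09-18 16:09:23 - Generic COM Exception - Error Code: 0x8007052E, Message: The user name or password is incorrect.
2025-09-18 16:09:23 - Invalid credentials (wrong password) detected via generic COM exception for user: user.expired@bear.local
2025-09-18 16:11:44 - Invalid credentials (wrong password) detected via generic COM exception for user: user.expired@bear.local
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (.*)$")
USER_RE = re.compile(r"user:? '?([\w.-]+)")  # assumed forms: "user: x@dom", "user 'x'"

def parse_events(text):
    """Return (timestamp, kind, user) for the lines that record a decision."""
    # The bare 0x8007052E COM line is the same for a wrong and an expired-but-correct password; only the follow-up line is used.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if msg.startswith("Invalid credentials (wrong password)"):
            kind = "wrong_password"
        elif msg.startswith("Password expired but correct"):
            kind = "expired_correct"
        elif "reset SUCCESSFUL" in msg:
            kind = "reset_ok"
        else:
            continue
        events.append((ts, kind, USER_RE.search(msg).group(1)))
    return events

def summarize(events, window=timedelta(minutes=10), threshold=2):
    """Count outcomes per user and flag a burst of wrong-password decisions."""
    # Each wrong-password decision is also a badPwdCount increment on the DC,
    # so a burst inside the window is what drives an account toward lockout.
    out = defaultdict(lambda: {"wrong_password": 0, "expired_correct": 0, "reset_ok": 0, "burst": False})
    recent = defaultdict(list)
    for ts, kind, user in events:
        out[user][kind] += 1
        if kind == "wrong_password":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold:
                out[user]["burst"] = True
    return dict(out)
```

Running `summarize(parse_events(SAMPLE_LOG))` on the sample reports one expired-but-correct reset and two wrong-password decisions for user.expired, with the burst flag set because both wrong-password decisions fall inside the ten-minute window.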

Lessons Learned

  1. Generic error messages mask problems: "Invalid credentials" hid an expired password scenario
  2. Test your security assumptions: My initial security panic was proven wrong through testing
  3. Enhanced diagnostics improve UX: Specific error messages guide users to solutions
  4. Ensure you test your logic before you "assume" it's wrong.
