Logons with an expired account or password are still issued a valid token for the site.
Disabled or locked accounts are correctly rejected.
Normal sequence of events for a new ID is to set it up with a password the user must change at first logon.
The Sign On control evidently verifies a valid password and issues a token without checking for expiration of the account or password.
Note: I am researching a custom membership provider because ActiveDirectoryMembershipProvider does not supply required information to the People Picker - (the signon ID is all I have to work with at present)
The mechanism of changing the password is yet another area under research&development.
Any tips in these latter points are appreciated as well. But Authentication really needs to validate the credentials correctly including expiration.
Actually I am using System.Web.Security.ActiveDirectoryMembershipProvider, as stated above in the title and body of the post.
The LDAP provider is not available for SharePoint Foundation and does not work.
Parser Error Message: Could not load type
'Microsoft.Office.Server.Security.LdapMembershipProvider' from assembly
'Microsoft.Office.Server, Version=18.104.22.168, Culture=neutral,
SharePoint Foundation does not supply Microsoft.Office.Server.UserProfiles (in Microsoft.Office.Server.UserProfiles.dll) which contains this namespace,
I spent a couple days trying to follow the article refernced in your reply before discovering this
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.