468,301 Members | 1,464 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 468,301 developers. It's quick & easy.

FYI: Easy way to validate AD credentials on win2k using c#

I tried to find a way to validate user credentials using C#, searching google and lots of other news and kb sites left me without a solution.

You can use a SSPI but it's that easy to implement so I found a simple way and here it is:

using System.DirectoryServices;

public bool Win2kCredentialsIsValid(string domain, string username, string password)
{
bool validLogin = false;
string adPath = "LDAP://" + domain + "/rootDSE";
DirectoryEntry adRoot = new DirecotryEntry(adPath, domain + "\\" + username, password, AuthenticationTypes.ReadonlyServer);
try
{
object o = adRoot.Properties["defaultNamingContext"]
}
catch
{
return false;
}
return true;
}

Calling the function will return true if the credentials are valid otherwise false.

Example: bool isValid = Win2kCredentialsIsValid("mydomain", "myuser", "mypassword");

I found if you do not use "domain\username" in the username parameter of the DirectoryEntry constructor you will only be able to validate local user accounts. This means if machine you are testing on is a Directory Server you will only be able to validate the administrator username and password.

So the function can only validate domain credentials with is what i need :)

I hope some of you can use this :)

Regards

Steffen Balslev
Nov 16 '05 #1
2 6707
May I kindly ask for your opinion about the similar topic as for
"Subject: Programmatically reading of Password Policy info 7/15/2004 1:22 AM PST"
Thanks.
Pietro Moras

"Steffen Balslev" wrote:
I tried to find a way to validate user credentials using C#, searching google and lots of other news and kb sites left me without a solution.

You can use a SSPI but it's that easy to implement so I found a simple way and here it is:

using System.DirectoryServices;

public bool Win2kCredentialsIsValid(string domain, string username, string password)
{
bool validLogin = false;
string adPath = "LDAP://" + domain + "/rootDSE";
DirectoryEntry adRoot = new DirecotryEntry(adPath, domain + "\\" + username, password, AuthenticationTypes.ReadonlyServer);
try
{
object o = adRoot.Properties["defaultNamingContext"]
}
catch
{
return false;
}
return true;
}

Calling the function will return true if the credentials are valid otherwise false.

Example: bool isValid = Win2kCredentialsIsValid("mydomain", "myuser", "mypassword");

I found if you do not use "domain\username" in the username parameter of the DirectoryEntry constructor you will only be able to validate local user accounts. This means if machine you are testing on is a Directory Server you will only be able to validate the administrator username and password.

So the function can only validate domain credentials with is what i need :)

I hope some of you can use this :)

Regards

Steffen Balslev

Nov 16 '05 #2
Using this to validate account credentials has some serious drawbacks, why? Here are the most obvious...

1. This way, You are not only authenticating a domain account, but you are also doing an implicit authorization check, that is, you are reading properties from the AD using an impersonation token. What if the otherwise valid account has no rights to read from the AD?
I know, per default all users have read access, but domain policies can be set to disable access permissions for restricted accounts (and or groups).
2. Binding against the AD has a serious overhead, the AD schema cache has to be loaded at the client (ADSI cache in the ADSI provider used by DirectoryServices), this is both, network and AD server resource consuming, and is IMO too expensive for a simple operation like authenticating a user account.

Willy.
"Steffen Balslev" <st*****@spamfighter.com> wrote in message news:e8*************@TK2MSFTNGP12.phx.gbl...
I tried to find a way to validate user credentials using C#, searching google and lots of other news and kb sites left me without a solution.

You can use a SSPI but it's that easy to implement so I found a simple way and here it is:

using System.DirectoryServices;

public bool Win2kCredentialsIsValid(string domain, string username, string password)
{
bool validLogin = false;
string adPath = "LDAP://" + domain + "/rootDSE";
DirectoryEntry adRoot = new DirecotryEntry(adPath, domain + "\\" + username, password, AuthenticationTypes.ReadonlyServer);
try
{
object o = adRoot.Properties["defaultNamingContext"]
}
catch
{
return false;
}
return true;
}

Calling the function will return true if the credentials are valid otherwise false.

Example: bool isValid = Win2kCredentialsIsValid("mydomain", "myuser", "mypassword");

I found if you do not use "domain\username" in the username parameter of the DirectoryEntry constructor you will only be able to validate local user accounts. This means if machine you are testing on is a Directory Server you will only be able to validate the administrator username and password.

So the function can only validate domain credentials with is what i need :)

I hope some of you can use this :)

Regards

Steffen Balslev
Nov 16 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

4 posts views Thread by Paul Steele | last post: by
reply views Thread by Markus7 | last post: by
2 posts views Thread by Michael Hogan | last post: by
1 post views Thread by Gavin Jacobs | last post: by
reply views Thread by theintrepidfox | last post: by
3 posts views Thread by Wild Wind | last post: by
2 posts views Thread by daniel.boorn | last post: by
3 posts views Thread by Jay-nospam | last post: by
reply views Thread by NPC403 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.