FYI: Easy way to validate AD credentials on win2k using c#

May I kindly ask for your opinion about the similar topic as for
"Subject: Programmatically reading of Password Policy info 7/15/2004 1:22 AM PST"
Thanks.
Pietro Moras

"Steffen Balslev" wrote:

I tried to find a way to validate user credentials using C#, searching google and lots of other news and kb sites left me without a solution.

You can use a SSPI but it's that easy to implement so I found a simple way and here it is:

using System.DirectoryServices;

public bool Win2kCredentialsIsValid(string domain, string username, string password)
{
bool validLogin = false;
string adPath = "LDAP://" + domain + "/rootDSE";
DirectoryEntry adRoot = new DirecotryEntry(adPath, domain + "\\" + username, password, AuthenticationTypes.ReadonlyServer);
try
{
object o = adRoot.Properties["defaultNamingContext"]
}
catch
{
return false;
}
return true;
}

Calling the function will return true if the credentials are valid otherwise false.

Example: bool isValid = Win2kCredentialsIsValid("mydomain", "myuser", "mypassword");

I found if you do not use "domain\username" in the username parameter of the DirectoryEntry constructor you will only be able to validate local user accounts. This means if machine you are testing on is a Directory Server you will only be able to validate the administrator username and password.

So the function can only validate domain credentials with is what i need :)

I hope some of you can use this :)

Regards

Steffen Balslev

Using this to validate account credentials has some serious drawbacks, why? Here are the most obvious...

1. This way, You are not only authenticating a domain account, but you are also doing an implicit authorization check, that is, you are reading properties from the AD using an impersonation token. What if the otherwise valid account has no rights to read from the AD?
I know, per default all users have read access, but domain policies can be set to disable access permissions for restricted accounts (and or groups).
2. Binding against the AD has a serious overhead, the AD schema cache has to be loaded at the client (ADSI cache in the ADSI provider used by DirectoryServices), this is both, network and AD server resource consuming, and is IMO too expensive for a simple operation like authenticating a user account.

Willy.
"Steffen Balslev" <st*****@spamfighter.com> wrote in message news:e8*************@TK2MSFTNGP12.phx.gbl...
I tried to find a way to validate user credentials using C#, searching google and lots of other news and kb sites left me without a solution.

You can use a SSPI but it's that easy to implement so I found a simple way and here it is:

using System.DirectoryServices;

public bool Win2kCredentialsIsValid(string domain, string username, string password)
{
bool validLogin = false;
string adPath = "LDAP://" + domain + "/rootDSE";
DirectoryEntry adRoot = new DirecotryEntry(adPath, domain + "\\" + username, password, AuthenticationTypes.ReadonlyServer);
try
{
object o = adRoot.Properties["defaultNamingContext"]
}
catch
{
return false;
}
return true;
}

Calling the function will return true if the credentials are valid otherwise false.

Example: bool isValid = Win2kCredentialsIsValid("mydomain", "myuser", "mypassword");

I found if you do not use "domain\username" in the username parameter of the DirectoryEntry constructor you will only be able to validate local user accounts. This means if machine you are testing on is a Directory Server you will only be able to validate the administrator username and password.

So the function can only validate domain credentials with is what i need :)

I hope some of you can use this :)

Regards

Steffen Balslev