How to validate domain credentials without considering the Cached Domain Credential

Question

I want to know if there's a way to validate domain credential and make sure we don't use the Cached Domain Credential ?

I use this to validate the credential :

 bool valid = false;
 using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
 {
     valid = context.ValidateCredentials( username, password );
 }

The problem is when I change the password, the old password is still working.

EDIT : If you force the password to be reset, the cached domain credential will not be use. But between the moment we force the reset, and moment the user reset the password, the old password will still work.

JJS · Accepted Answer

Question already has an answer Why does Active Directory validate last password?

Solution is to use a Kerberos authentication.

The following code shows how you can perform credential validation using only Kerberos. The authentication method at use will not fall back to NTLM in the event of failure.

private const int ERROR_LOGON_FAILURE = 0x31;

private bool ValidateCredentials(string username, string password, string domain)
{
    NetworkCredential credentials
        = new NetworkCredential(username, password, domain);

    LdapDirectoryIdentifier id = new LdapDirectoryIdentifier(domain);

    using(LdapConnection connection = new LdapConnection(id, credentials, AuthType.Kerberos))
    {
        connection.SessionOptions.Sealing = true;
        connection.SessionOptions.Signing = true;

        try
        {
            connection.Bind();
        }
        catch (LdapException lEx)
        {
            if (ERROR_LOGON_FAILURE == lEx.ErrorCode)
            {
                return false;
            }

            throw;
        }

    return true;
}

How to validate domain credentials without considering the Cached Domain Credential

Answers (2)

Related Questions