Florian Liegsalz

Reputation: 1

C# verify user in Active Directory from Socket connection

I have been a .NET developer since its first days, but the last while has been quite interesting. I wrote a network basics DLL for my own purposes and started to write the matching iOS client apps. Everything works fine, but now I have been thinking about not managing the user data myself and instead using the existing data in the Active Directory. It would not be any kind of problem to send the plain-text username and password from the app to the server and do the verification there, but that is not as safe as I want it to be. My personal most preferred way would be:

  1. send username from app to server
  2. get challenged password hash from the AD by the username and the challenge
  3. send the challenge to the client
  4. hash the password with the challenge
  5. send back the hash to the server and check if the hashes are matching

Quite a simple, straightforward way. I do not have to deal with certificates and can provide basic security. I know that in modern times it is not the safest way, but it is sufficient for my needs.

My question is: is there a way to get the hashed password for a user from the AD, and do I get the challenge? Or is there another simple way to provide an easy, secure way of verifying a user who is not in the local network?

Thank you very much in advance

Best regards Florian

Upvotes: 0

Views: 344

Answers (2)

Piazzolla

Reputation: 423

As you said, this should be a basic authentication but without sending the plain password over the network. Therefore I would suggest a solution with asymmetric encryption.

Encrypt the password on the client side and send the encrypted message to the server. The server is the only one having the private key and can therefore read the password and validate it with PrincipalContext's ValidateCredentials method (like itsme86 suggests).

So the steps for your application could be:

  1. ask for public key from app to server
  2. get public key from server
  3. encrypt password with public key
  4. send back the encrypted password together with the user name to the server
  5. server decrypts the credentials and validates them against the AD

Upvotes: 0
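The five steps above as one runnable C# program, added here as an illustration; it is not code from either answer. Both "sides" live in the same process so it runs offline: the server generates an RSA key pair and hands out only the public half (SubjectPublicKeyInfo DER), the client encrypts the password with RSA-OAEP/SHA-256, and the server decrypts and hands the result to a validator. The `validate` delegate, the dictionary standing in for the directory, the user name `florian`, and the domain `corp.example` are constructed for the demo; `Server.ValidateAgainstAd` is the real call from itsme86's answer and needs a reachable domain. Assumes .NET Core 3.0 or later (for the `ExportSubjectPublicKeyInfo` / `ImportSubjectPublicKeyInfo` methods and C# 8 `using` declarations).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.DirectoryServices.AccountManagement; // NuGet package of the same name on .NET Core / .NET 5+

// Added example, not code from the original answers.
static class Server
{
    // One key pair for the process lifetime. A real service would persist it (or rotate it deliberately)
    // so that a client can pin it; see the note after the block.
    static readonly RSA rsa = RSA.Create(2048);

    // Steps 1-2: the app asks for the public key; the server returns it as DER SubjectPublicKeyInfo.
    public static byte[] GetPublicKey() => rsa.ExportSubjectPublicKeyInfo();

    // Step 5: decrypt the password and validate the pair with whatever validator the caller supplies.
    public static bool Login(string username, byte[] encryptedPassword, Func<string, string, bool> validate)
    {
        byte[] plain = rsa.Decrypt(encryptedPassword, RSAEncryptionPadding.OaepSHA256);
        try
        {
            return validate(username, Encoding.UTF8.GetString(plain));
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // drop the plaintext bytes as soon as they were used
        }
    }

    // The real validator: the same PrincipalContext.ValidateCredentials call as in itsme86's answer.
    // Not used in Main below because it needs a reachable domain; 'corp.example' is a placeholder.
    public static bool ValidateAgainstAd(string username, string password)
    {
        using var ctx = new PrincipalContext(ContextType.Domain, "corp.example");
        return ctx.ValidateCredentials(username, password);
    }
}

static class Client
{
    // Steps 3-4: import the server's public key and encrypt the password under it with RSA-OAEP (SHA-256).
    public static byte[] EncryptPassword(byte[] serverPublicKey, string password)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(serverPublicKey, out _);
        return rsa.Encrypt(Encoding.UTF8.GetBytes(password), RSAEncryptionPadding.OaepSHA256);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed stand-in for the directory so the example runs without a domain.
        // Replace with Server.ValidateAgainstAd to validate against AD.
        var fakeDirectory = new Dictionary<string, string> { ["florian"] = "correct horse battery staple" };
        Func<string, string, bool> validate =
            (user, pw) => fakeDirectory.TryGetValue(user, out var stored) && stored == pw;

        byte[] pub = Server.GetPublicKey();                                       // steps 1-2
        byte[] good = Client.EncryptPassword(pub, "correct horse battery staple"); // steps 3-4
        byte[] bad = Client.EncryptPassword(pub, "wrong password");

        Console.WriteLine("good password accepted: " + Server.Login("florian", good, validate)); // step 5
        Console.WriteLine("bad password accepted:  " + Server.Login("florian", bad, validate));
        Console.WriteLine("unknown user accepted:  " + Server.Login("nobody", good, validate));
    }
}
```

Two caveats a practitioner should keep in mind with this scheme. It only protects against a passive listener: anyone who can tamper with step 2 can hand the app their own public key and then decrypt the password, so the app must pin the server key (ship it inside the app, or fetch it once over TLS) rather than trust whatever arrives over the raw socket. And a captured ciphertext can be replayed as-is, since the server has no way to tell a fresh login from a recorded one; binding a server-issued nonce into the encrypted message and rejecting reuse closes that hole.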

itsme86

Reputation: 19496

Have you tried using System.DirectoryServices.AccountManagement? It's very simple to verify a login:

using System.DirectoryServices.AccountManagement;

// domain, username and password are the caller's strings; ValidateCredentials
// returns false for a wrong password, an unknown user, or a disabled/locked account.
bool authenticated;
using (PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, domain))
{
    authenticated = domainContext.ValidateCredentials(username, password);
}

Upvotes: 1
