Reputation: 171
I have this code for capturing user credentials:
    string domain = Domain.GetComputerDomain().ToString();
    Console.WriteLine(domain);
    string username =
        new System.Security.Principal.WindowsPrincipal(System.Security.Principal.WindowsIdentity.GetCurrent())
            .Identity.Name;
    Console.WriteLine(username);
    Console.Write("Password: ");
    //there are far better ways to get a hidden password this was just an easy way as it's irrelevant to the point of the application, will improve
    string password = null;
    while (true)
    {
        var key = Console.ReadKey(true);
        if (key.Key == ConsoleKey.Enter)
            break;
        password += key.KeyChar;
    }
And this method for authenticating with Kerberos:
    private static bool ValidateCredentialsKerberos(string username, string password, string domain)
    {
        var credentials
            = new NetworkCredential(username, password, domain);
        var id = new LdapDirectoryIdentifier(domain);
        using (var connection = new LdapConnection(id, credentials, AuthType.Kerberos))
        {
            connection.SessionOptions.Sealing = true;
            connection.SessionOptions.Signing = true;
            try
            {
                connection.Bind();
            }
            catch (LdapException lEx)
            {
                if (ERROR_LOGON_FAILURE == lEx.ErrorCode)
                {
                    return false;
                }
                throw;
            }
        }
        return true;
    }
It always throws false as incorrect credentials despite the credentials being correct. The output into the console is as follows:
Domain.net Domain/user Password
Any thoughts?
Upvotes: 1
Views: 652
Reputation: 1694
The problem is that new System.Security.Principal.WindowsPrincipal(System.Security.Principal.WindowsIdentity.GetCurrent()).Identity.Name returns the username in DOMAIN\username format, whereas LdapConnection expects to see just the username (you are already sending the domain as another parameter).
You can use Environment.UserName to get just the username.
Another issue is that the ErrorCode you are checking against isn't correct. You'll get a "The supplied credential is invalid." message from the DC (error code 49).
(By the way, you didn't have to create a new WindowsPrincipal, you could have just used System.Security.Principal.WindowsIdentity.GetCurrent().Name)
Upvotes: 1
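The two points from the answer applied to the question's method, as an added example (not code from either poster): the bind uses the bare username, and LDAP result code 49 is what gets treated as a failed logon. The class name, the `StripDomain` helper and the `LdapInvalidCredentials` constant are hypothetical names; the code assumes a domain-joined Windows machine with System.DirectoryServices and System.DirectoryServices.Protocols referenced.

```csharp
using System;
using System.DirectoryServices.ActiveDirectory;
using System.DirectoryServices.Protocols;
using System.Net;

static class KerberosBindCheck   // hypothetical class name
{
    // LDAP result code 49 (invalidCredentials), the code the answer says the DC returns.
    private const int LdapInvalidCredentials = 49;
    // Hypothetical helper: accepts "DOMAIN\user" or "user" and returns just "user".
    static string StripDomain(string name)
    {
        int slash = name.LastIndexOf('\\');
        return slash >= 0 ? name.Substring(slash + 1) : name;
    }
    static bool ValidateCredentialsKerberos(string username, string password, string domain)
    {
        // The domain travels as its own argument, so the username must not carry it too.
        var credentials = new NetworkCredential(StripDomain(username), password, domain);
        var id = new LdapDirectoryIdentifier(domain);
        using (var connection = new LdapConnection(id, credentials, AuthType.Kerberos))
        {
            connection.SessionOptions.Sealing = true;
            connection.SessionOptions.Signing = true;
            try
            {
                connection.Bind();
                return true;
            }
            catch (LdapException ex) when (ex.ErrorCode == LdapInvalidCredentials)
            {
                return false; // rejected credentials; any other LDAP failure propagates
            }
        }
    }
    static void Main()
    {
        string domain = Domain.GetComputerDomain().Name;
        string username = Environment.UserName; // bare name, no DOMAIN\ prefix
        Console.Write("Password for {0}\\{1}: ", domain, username);
        var password = new System.Text.StringBuilder();
        for (var key = Console.ReadKey(true); key.Key != ConsoleKey.Enter; key = Console.ReadKey(true))
        {
            if (key.Key == ConsoleKey.Backspace) { if (password.Length > 0) password.Length--; }
            else if (!char.IsControl(key.KeyChar)) password.Append(key.KeyChar);
        }
        Console.WriteLine();
        Console.WriteLine(ValidateCredentialsKerberos(username, password.ToString(), domain) ? "valid" : "invalid");
    }
}
```

Only result code 49 maps to `false`; an unreachable DC or a Kerberos negotiation failure still surfaces as an exception rather than being reported as a bad password.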