bkstill

Reputation: 677

Using .Net to authenticate against Active Directory when disconnected

I have a .Net client WPF application using System.DirectoryServices and LDAP for authentication. On start of the app, I want to force users to re-authenticate using their domain account (which is how they logged into Windows). I understand I can use the following to perform the authentication when a connection is available.

DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain,
            userName, password);

The wrinkle is that the application is at times used by remote users who may not have a connection. Windows itself still allows domain users to sign on even when disconnected. Is there a similar means of authenticating users in a disconnected environment using the .Net Framework?

Upvotes: 3

Views: 1888

Answers (2)

bkstill

Reputation: 677

I believe I found a way to do this using the LogonUser function of advapi32.dll.

 Module CachedLogonCheck
     Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
     Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2

     ' The Declare must sit at module or class level, not inside the method that calls it.
     Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, _
                         ByVal lpszDomain As String, ByVal lpszPassword As String, _
                         ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
                         ByRef phToken As IntPtr) As Boolean

     Private Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Boolean

     Function Authenticate(ByVal userName As String, ByVal domain As String, ByVal password As String) As Boolean
         Dim tokenHandle As IntPtr = IntPtr.Zero
         Dim returnValue As Boolean = LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, tokenHandle)
         ' Only the yes/no result is needed here, so release the token handle rather than leak it.
         If tokenHandle <> IntPtr.Zero Then CloseHandle(tokenHandle)
         Return returnValue
     End Function
 End Module

When disconnected this appears to validate against the local cached version of the last log on.

Upvotes: 2
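Added example, not code from the question or either answer: a C# version of the same advapi32 LogonUser P/Invoke that keeps the interactive logon type, closes the returned token, and reads the Win32 error code so the application can tell a rejected password apart from "offline and no cached logon for this user" (ERROR_NO_LOGON_SERVERS). It assumes the account has logged on interactively on this machine at least once, since that is what populates the cache LSA falls back to when no domain controller is reachable.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class CachedLogonCheck
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error codes LogonUser commonly reports; they tell the caller whether the
    // credential was rejected or simply could not be verified.
    const int ERROR_NO_LOGON_SERVERS = 1311;       // offline and no cached logon for this user
    const int ERROR_LOGON_FAILURE = 1326;          // wrong user name or password
    const int ERROR_PASSWORD_EXPIRED = 1330;
    const int ERROR_ACCOUNT_DISABLED = 1331;
    const int ERROR_LOGON_TYPE_NOT_GRANTED = 1385; // user lacks the "log on locally" right

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    public enum LogonResult { Success, BadCredentials, NoLogonServer, PasswordExpired, AccountDisabled, LogonTypeNotGranted }

    public static LogonResult Check(string user, string domain, string password)
    {
        // Same logon type as the answer above: LSA tries a domain controller first and,
        // when none is reachable, falls back to the credential cached at the user's last logon.
        bool ok = LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                            LOGON32_PROVIDER_DEFAULT, out IntPtr token);
        // Read the error before any other Win32 call overwrites it.
        int err = ok ? 0 : Marshal.GetLastWin32Error();
        // Only a yes/no answer is wanted, so release the token instead of keeping it around.
        if (token != IntPtr.Zero) CloseHandle(token);
        if (ok) return LogonResult.Success;
        switch (err)
        {
            case ERROR_LOGON_FAILURE:          return LogonResult.BadCredentials;
            case ERROR_NO_LOGON_SERVERS:       return LogonResult.NoLogonServer;
            case ERROR_PASSWORD_EXPIRED:       return LogonResult.PasswordExpired;
            case ERROR_ACCOUNT_DISABLED:       return LogonResult.AccountDisabled;
            case ERROR_LOGON_TYPE_NOT_GRANTED: return LogonResult.LogonTypeNotGranted;
            default: throw new Win32Exception(err); // anything else is unexpected; surface it
        }
    }
}
```

A NoLogonServer result is the case to handle explicitly in the WPF client: it means the credential could not be checked at all, not that it was wrong.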

Joel Etherton

Reputation: 37543

If there is no connection, there is no connection. Windows maintains a cached version of the last login for that user (meaning a new user would not be able to log into a machine with no connection to the domain). You can use the local system authentication to find out which user is using the system and determine local cached permissions based on that. These methods would still be located within the System.DirectoryServices namespace, the location for parsing the query would change though (and I don't believe it'll accept LDAP queries locally).

Edit:
You can also find some classes within the System.Security / System.Security.Permissions namespaces that will facilitate these needs.

Upvotes: 2
