Reputation: 59436
I have an application where users authenticate against our Active Directory:
    private bool Authenticate()
    {
        using (var context = new PrincipalContext(ContextType.Domain, Environment.UserDomainName))
        {
            return context.ValidateCredentials(this.Username.Text.Trim(), this.Password.Text.Trim());
        }
    }
It was working fine for several years. Now, our Windows 7 machines get replaced by Windows 10 and some users get this error:
    The server cannot handle directory requests.
       at System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)
       at System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()
       at System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)
       at System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)
       at System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)
       at DPI.FormLogin.Authenticate() in c:\Developing\Source\DPI\Client\DPI\FormLogin.cs:line 280
The error appears only for some users and not all the time. Perhaps it is related to security settings, which are much stricter now on Win 10 than they were on Win 7 before.
Any idea how to solve it? How can I interrogate the currently connected LDAP server? Perhaps our servers are configured slightly differently and the problem is limited to a single server which might be misconfigured.
Upvotes: 3
Views: 7292
Reputation: 59436
Yes, adding ContextOptions.Negotiate solved the problem:
    private bool Authenticate()
    {
        using (var context = new PrincipalContext(ContextType.Domain, Environment.UserDomainName))
        {
            return context.ValidateCredentials(this.Username.Text, this.Password.Text, ContextOptions.Negotiate);
        }
    }
Upvotes: 13
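To test the question's suspicion that only one domain controller is affected, the added example below (not code from the original posts) runs the same ValidateCredentials call against each domain controller by name and reports the result or exception type per server. The names DcBindCheck, Probe and ReadPassword are illustrative; it assumes a domain-joined Windows machine and references to System.DirectoryServices, System.DirectoryServices.AccountManagement and System.DirectoryServices.Protocols.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.ActiveDirectory;
using System.DirectoryServices.Protocols;
using System.Text;

static class DcBindCheck // illustrative name, not part of the original application
{
    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: DcBindCheck <samAccountName>"); return; }
        Console.Write("Password: ");
        string password = ReadPassword(); // read without echo; never passed on the command line
        // Use a test account: each rejected attempt counts toward the
        // account lockout threshold.
        using (Domain domain = Domain.GetCurrentDomain())
            foreach (DomainController dc in domain.DomainControllers)
                Console.WriteLine("{0}: {1}", dc.Name, Probe(dc.Name, args[0], password));
    }

    static string Probe(string server, string user, string password)
    {
        try
        {
            // Passing a server name instead of the domain name pins the bind to that DC.
            using (var context = new PrincipalContext(ContextType.Domain, server))
                return context.ValidateCredentials(user, password, ContextOptions.Negotiate) ? "accepted" : "rejected";
        }
        catch (Exception ex) when (ex is DirectoryException || ex is PrincipalException)
        {
            // Report and continue so the remaining DCs are still probed.
            return ex.GetType().Name + ": " + ex.Message;
        }
    }

    static string ReadPassword()
    {
        var sb = new StringBuilder();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else sb.Append(key.KeyChar);
        }
        Console.WriteLine();
        return sb.ToString();
    }
}
```

A server that reports an exception while the others report "accepted" is the one whose LDAP configuration should be compared against the rest.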