Banshee

Reputation: 15807

PrincipalContext.ValidateCredentials fails for some users?

I have the following code:

using System;
using System.DirectoryServices.AccountManagement;

// Validates a user's credentials against Active Directory. The server and
// the (optional) service account come from the application's global settings.
public void AuthenticateActiveDirectoryAccount(string username, string password)
{
    PrincipalContext context;
    var envSettings = _settingsService.GetGlobalSetting<EnvironmentSettings>().Props;
    string ADServer = envSettings.ActiveDirectory.ServerURI;
    string ADUserName = envSettings.ActiveDirectory.Username;
    string ADUserPassword = envSettings.ActiveDirectory.Password;
    string account = null;

    account = username.ToLower();

    // Bind the context with the configured service account if one is set,
    // otherwise with the identity of the calling process.
    if (ADUserName.Length > 0)
        context = new PrincipalContext(ContextType.Domain, ADServer, ADUserName, ADUserPassword);
    else
        context = new PrincipalContext(ContextType.Domain, ADServer);

    using (context)
    {
        // Two-argument overload: the bind method is chosen by the framework.
        if (!context.ValidateCredentials(account, password))
        {
            throw new Exception();
        }
    }
}

This works great for most users, but some get the following exception:

The server does not handle directory requests :
   vid System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)
   vid System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()
   vid System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)
   vid System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)
   vid System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)

First I thought that the failing users do not have permission to call the AD, but I'm sure that AdServer, AdUserName and AdUserPassword are set to the global AD account that should have access.

Why do some users get this exception?

Upvotes: 1

Views: 2623

Answers (2)

John

Reputation: 1

And if there is no domain but a workgroup, it will work with

context.ValidateCredentials(account, password, ContextOptions.Negotiate)

Upvotes: 0

Banshee

Reputation: 15807

Changing the ValidateCredentials call to this solves the problem:

context.ValidateCredentials(account, password, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing)

It is, however, probably still a question of the security of the Active Directory account.

Upvotes: 1
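The fix from the accepted answer, as an added example that is not part of the original post or the asker's project: the bind options are set explicitly on both the context and the ValidateCredentials call, and a wrong password is reported separately from a directory error such as the "does not handle directory requests" exception above. The class and enum names, the settings parameters and the empty-password guard are assumptions added here.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.Protocols;

public enum AdAuthResult { Success, InvalidCredentials, DirectoryError }

public static class AdAuthenticator
{
    // Negotiate (Kerberos/NTLM) plus Signing and Sealing: the user's bind uses
    // the Negotiate package rather than a simple bind that carries the password
    // in clear text, and the LDAP session is integrity- and confidentiality-protected.
    private const ContextOptions BindOptions =
        ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;

    // server/serviceUser/servicePassword correspond to the ADServer, ADUserName
    // and ADUserPassword settings in the question (assumed parameter names).
    public static AdAuthResult Authenticate(string server, string serviceUser, string servicePassword,
                                            string username, string password)
    {
        // Added guard: LDAP treats a bind with an empty password as an
        // unauthenticated bind (RFC 4513), so it must never count as a login.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return AdAuthResult.InvalidCredentials;

        try
        {
            // The service account only opens the context; ValidateCredentials
            // binds with the user's own credentials.
            using (var context = string.IsNullOrEmpty(serviceUser)
                ? new PrincipalContext(ContextType.Domain, server, null, BindOptions)
                : new PrincipalContext(ContextType.Domain, server, null, BindOptions,
                                       serviceUser, servicePassword))
            {
                return context.ValidateCredentials(username.ToLowerInvariant(), password, BindOptions)
                    ? AdAuthResult.Success
                    : AdAuthResult.InvalidCredentials;
            }
        }
        catch (PrincipalServerDownException)
        {
            // Domain controller unreachable: a directory problem, not a bad password.
            return AdAuthResult.DirectoryError;
        }
        catch (LdapException)
        {
            // Bind-level failures such as the unsupported-request error in the
            // question; reported as an error so the caller can alert on it.
            return AdAuthResult.DirectoryError;
        }
    }
}
```

Distinguishing the two failure kinds lets the login path fail closed while a directory outage or misconfiguration still surfaces in monitoring instead of looking like a wave of wrong passwords.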
