Tomasz Niewiadomski

Reputation: 1

How is PrincipalContext.ValidateCredentials call registered or marked on DC?

I am using the PrincipalContext.ValidateCredentials method from the System.DirectoryServices.AccountManagement namespace to validate user credentials against an Active Directory LDAP server. Sample code:

using System.DirectoryServices.AccountManagement;

private bool CheckIfCredentialsAreValidInDomain(string pLogin, string pPassword)
{
    bool areCredentialsValidInDomain = true;
    // No DC name is passed: the DC Locator picks whichever DC answers for the current domain.
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
    {
        // Binds to the located DC with the supplied credentials; true only if the bind succeeds.
        areCredentialsValidInDomain = context.ValidateCredentials(login, password);
    }
    return areCredentialsValidInDomain;
}

There is one domain and several (6 or more) DCs in the customer's environment. I don't pass a DC name into the PrincipalContext constructor - assuming the DC Locator Service is doing its job - it is not important to me which particular DC is used from the list of available DCs. Everything works great, but I have a case of a user who doesn't directly log on to the domain (before starting the application where this validating is used) but whose computer is physically connected to the customer's network.

This user's domain account has been recently disabled. Reason: he didn't log in to the domain for the last X months. But until then he was using the app on a daily basis, so the ValidateCredentials method was being called and returning true. But for an unclear reason this action was "transparent" for the DC and this validation was not marked.

So how does ValidateCredentials work? Does it set the user's LastLogon and lastLogonTimestamp attributes, or does it just tell us if the credentials are valid or not? Does it register any Event log entry on the DC?

Upvotes: 0

Views: 105

Answers (1)

Gabriel Luci

Reputation: 40928

The source code for PrincipalContext is available now. ValidateCredentials() calls CredentialValidator.Validate() (an internal class).

That eventually calls lockedLdapBind(), which calls LdapConnection.Bind() with the credentials.

It does actually test the credentials against a server. So either that part of your code is not actually being run, or the account being tested isn't really disabled.

Something I noticed in your code is that you're passing the variables login and password to ValidateCredentials. However, the parameters for your method are called pLogin and pPassword. Is that just a typo in your question, or is that really how it is in your code? If that is accurate, then you're not actually testing the credentials passed to your method.

Upvotes: 0
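An added example (not code from the question or the answer) for observing what the bind does to the account on a specific DC: it pins PrincipalContext to one DC, reads Enabled and lastLogon, calls ValidateCredentials, then re-reads lastLogon from the same DC. The DC name, user name and password are placeholders to replace with values from your own environment.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class BindCheck
{
    // domainController: a single DC, e.g. "DC01.example.local" (placeholder).
    // lastLogon is NOT replicated between DCs, so the attribute must be read
    // from the same DC that handled the bind. lastLogonTimestamp is replicated
    // but by default only refreshed if the stored value is more than ~14 days old,
    // so a daily bind does not visibly change it.
    public static bool Run(string domainController, string login, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domainController))
        {
            using (var before = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, login))
            {
                if (before == null)
                {
                    Console.WriteLine($"{login}: not found on {domainController}");
                    return false;
                }
                // Enabled == false explains a false result without any password problem.
                Console.WriteLine($"Enabled: {before.Enabled}, lastLogon before: {before.LastLogon}");
            }

            // The bind that ValidateCredentials performs is what the DC sees.
            bool ok = ctx.ValidateCredentials(login, password);
            Console.WriteLine($"ValidateCredentials returned {ok}");

            using (var after = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, login))
            {
                Console.WriteLine($"lastLogon after (same DC): {after?.LastLogon}");
            }
            return ok;
        }
    }

    static void Main()
    {
        // Placeholder values; never hard-code real credentials.
        Run("DC01.example.local", "jdoe", "<password>");
    }
}
```

Run it once against a DC you can query and compare the two lastLogon values; if they differ, the bind was recorded on that DC even though it never appears on the others.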
